18 December 2025

Transposition Of The NIS 2 Directive: Cybersecurity Legal Framework

PLMJ

On 4 December, Decree-Law 125/2025 was published, establishing the new legal framework for cybersecurity (the "Cybersecurity Legal Framework" or "CLF"), following its approval by the Council of Ministers and subsequent promulgation by the President of the Republic.

The decree transposes Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a high common level of cybersecurity across the Union ("NIS 2 Directive"), thereby strengthening the national capacity to prevent and respond to cyber threats.

The long-awaited Cybersecurity Legal Framework clarifies the obligations of each covered entity. It also defines the processes for implementing and improving information security management systems, which can now be implemented in compliance with the obligations arising from the transposition.

This practical guide provides information on the most important changes to the new Cybersecurity Legal Framework.

1. What is the NIS 2 Directive?

Directive (EU) 2016/1148 of 6 July 2016 (the NIS Directive) was the EU's first comprehensive law to address new cybersecurity challenges and it represented a significant milestone in the development of the EU's cybersecurity resilience and cooperation. Prior to its introduction, there was no unified approach to improving cybersecurity, leaving it to individual companies to determine their own implementation strategies.

The NIS Directive was transposed into Portuguese law by Law 46/2018 of 13 August (the "Legal Framework for Cyberspace Security"). Law 46/2018 was supplemented by Decree-Law 65/2021 and Regulation 183/2022, which provide technical instructions on communications and information relating to permanent contact points, security officers, asset inventories, annual reports, and incident reporting.

However, the evolving threat landscape and the need to strengthen companies' preventive activities and cooperation between Member States on cybersecurity required an updated version of the original NIS Directive, adapted to the current scenario; hence the NIS 2 Directive.

In the face of a significant increase in digital threats, the NIS 2 Directive (Directive (EU) 2022/2555) establishes a European legal framework for cybersecurity. It aims to increase the resilience of critical and essential infrastructure against cyber threats. In Portugal, the transposition of this directive:

  • Reflects the increasing sophistication of cyber threats, which are becoming more frequent and complex.
  • Strengthens national security by protecting strategic and critical sectors.
  • Harmonises measures at the European level, ensuring uniformity and collaboration between Member States.

The NIS 2 Directive expands the list of entities covered and introduces stricter requirements to prevent and mitigate cybersecurity incidents.

2. What are the CLF's objectives, and what changes will it bring?

The previous cybersecurity legislation applied to operators of essential services, critical infrastructure operators, digital service providers, and civil servants. The legislation's main objectives were to (i) adopt appropriate security measures to manage risks to networks and information systems, (ii) define clear criteria and deadlines for reporting significant cybersecurity incidents to national authorities, and (iii) promote information exchange and cooperation between EU Member States and between the public and private sectors. While the new Cybersecurity Legal Framework shares certain similarities with its predecessor, it introduces new features and greater rigour for the entities involved.

The following changes stand out in the Cybersecurity Legal Framework:

  • The extension of its personal scope of application to both new sectors and sectors existing under the old legislation [1].
  • The role of the National Cybersecurity Centre ("CNCS") in regulation and supervision.
  • The distinction between obligations and supervision based on entity size, business, and level of risk exposure.
  • The clarification of a set of minimum information security measures to be adopted by covered entities, although they may opt for stricter measures.

The proposed legal framework is guided by the principle of proportionality, balancing the costs of implementing and maintaining information systems with the associated risk level of the sector, entity, or business type. All entities must implement the same information security and cybersecurity risk management measures, ensure senior management accountability, and report cybersecurity incidents. However, the most visible difference in the application of the principle of proportionality is in the supervision by the CNCS. Essential entities will be subject to both ex ante and ex post supervision (before and after a significant incident). Important entities, on the other hand, will only be subject to ex post supervision. Essential entities will undergo regular, specific, and ad hoc audits, whereas important entities will only undergo specific audits. Additionally, fines resulting from administrative offences established in the Decree-Law vary depending on whether they are applied to essential or important entities. Important entities generally have a smaller size and turnover than essential entities, and are generally exposed to a lower level of risk. Therefore, the proportionality of the fines reflects the legislature's intention to prevent the current Cybersecurity Legal Framework from economically strangling small and medium-sized businesses.

Furthermore, it encourages information sharing and cooperation between public and private entities to promote a coordinated response to cybersecurity incidents, aiming to strengthen the resilience of Portugal's business sector.

3. What entities are covered?

The CLF divides covered entities into four main categories:

ESSENTIAL ENTITIES

These correspond to entities that are not SMEs [2] and are referred to in Annex I of the Decree-Law (critical sectors), or to entities referred to in Article 6(1):

  • Qualified trust service providers, top-level domain name registrars, and domain name system service providers.
  • Medium-sized enterprises that offer public electronic communications networks or publicly available electronic communications services.
  • Public administration entities whose responsibilities include providing services in the development, maintenance and management of information and communication technology infrastructure. This also includes entities that have a particularly high degree of digital integration in the provision of their services, as well as the public entity responsible for educational assessment.
  • Entities identified as critical under Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022.
  • Any entity listed in Annexes I or II of the Decree-Law that is classified as essential based on its degree of exposure to risks, size, and the likelihood and severity of incidents occurring, including their social and economic impact:

a) The entity is the sole provider of a service essential for maintaining critical social or economic activities (such as those identified in Annexes I and II).

b) Disruption to the service it provides could significantly affect public safety, security, or health.

c) Disruption to the service it provides could generate significant systemic risks, including disruptions with a cross-border impact.

d) The entity is critical due to its specific importance at a national or regional level for the relevant sector or type of service, or for other interdependent sectors.

Examples of critical sectors include energy, transport (road, rail, air, and sea), health, water (drinking and wastewater), digital infrastructures, financial market infrastructures, credit institutions, ICT management, and space (see Annex I).

IMPORTANT ENTITIES

This residual category comprises entities referred to in Annex I that are not considered essential.

Other critical sectors (See Annex II) include postal services, chemical production and distribution, waste management, food production and distribution, manufacturing (including the production of medical, computer and electrical equipment, as well as automotive and other transport equipment), digital service providers, and research institutions.


Footnotes

[1] See Article 3.

[2] Article 2 of Annex III provides that the SME category consists of companies that employ fewer than 250 people, with an annual turnover of no more than €50 million and an annual balance sheet total of no more than €43 million.
