NIS2 in Portugal
Everything you need to know about the NIS2 directive in Portugal: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.
Portugal transposed NIS2 through Decreto-Lei n.º 125/2025, the Regime Jurídico da Cibersegurança (RJC), published on 4 December 2025 and in force since 3 April 2026. The Centro Nacional de Cibersegurança (CNCS) is the national cybersecurity authority, single point of contact and national certification authority, and operates the national CSIRT (CERT.PT). Entities identify and register on the CNCS MyCiber platform; the national reference framework is the QNRCS (Quadro Nacional de Referência para a Cibersegurança).
Key facts at a glance
Decreto-Lei n.º 125/2025 (Regime Jurídico da Cibersegurança, RJC)
Adopted / in force: 2026-04-03
Centro Nacional de Cibersegurança (CNCS)
https://www.cncs.gov.ptUp to EUR 10 million or 2% of global annual turnover (RJC sanctions regime)
Up to EUR 7 million or 1.4% of global annual turnover; the RJC also sets graduated coimas (light infractions EUR 875–45,000 for legal persons)
These ceilings come from the directive — see how NIS2 fines are calculated, recent enforcement cases and director personal liability.
Priority sectors for NIS2 in Portugal
NIS2 covers 18 sectors across Annex I (essential) and Annex II (important). These are the sectors where Portugal's transposition and CNCS supervision focus most.
Public administration and municipalities
Central and local public administration is squarely in scope under the RJC. Municípios and public bodies running citizen-facing services register on MyCiber and appoint a cybersecurity officer notified to the CNCS.
Energy, water and critical infrastructure
Operators of essential services — energy, water, transport, health — fall under the RJC's essential-entity tier, often building on the QNRCS certification scheme (Basic / Substantial / Advanced).
Digital services and ICT providers
Cloud providers, data centres, managed service providers and digital-service operators are covered, frequently regardless of size for the special-category services.
Key deadlines
2025-12-04
Decreto-Lei n.º 125/2025 published in the Diário da República.
2026-04-03
RJC enters into force — 120 days after publication. CNCS is the national cybersecurity authority and single point of contact.
2026-05-04
Deadline for already-operating essential/important entities to appoint and notify their cybersecurity officer to the CNCS (20 working days from entry into force).
Is your company in scope? Common Portugal scenarios
Two worked examples of how NIS2 scoping plays out in Portugal. Not sure where you land? Run the free NIS2 scope checker.
Public administration is a covered sector under the RJC. The município registers on MyCiber, appoints a cybersecurity officer notified to the CNCS, and aligns its measures with the QNRCS.
Digital providers are covered and may be in scope regardless of size. It should register on MyCiber and bring its risk-management and incident-reporting processes in line with the RJC.
What Portugal businesses need to know
Portugal transposed NIS2 via Decreto-Lei n.º 125/2025 (the Regime Jurídico da Cibersegurança, RJC), in force since 3 April 2026.
The CNCS is the national cybersecurity authority, single point of contact, national certification authority, and operates the national CSIRT (CERT.PT).
Entities register and self-assess on the CNCS MyCiber platform (myciber.gov.pt).
The national framework is the QNRCS (Quadro Nacional de Referência para a Cibersegurança) — five functions (Identify, Protect, Detect, Respond, Recover) with a Basic / Substantial / Advanced certification scheme.
Already-operating entities must appoint and notify a cybersecurity officer to the CNCS by 4 May 2026.
How CNCS enforces NIS2 in Portugal
The CNCS supervises compliance and operates CERT.PT for incident handling. The RJC sets a graduated coima regime — light infractions from EUR 875 to 45,000 for legal persons, rising to ceilings of EUR 10 million or 2% of worldwide turnover for the most serious breaches — with prescription periods of three years (light) and five years (serious / very serious). The QNRCS certification scheme (Basic / Substantial / Advanced) gives entities a structured, auditable way to demonstrate their cybersecurity posture.
NIS2 in Portugal: frequently asked questions
- What is Portugal's NIS2 law (Decreto-Lei 125/2025)?
- Decreto-Lei n.º 125/2025 is the Regime Jurídico da Cibersegurança (RJC), Portugal's NIS2 transposition. It was published on 4 December 2025 and entered into force on 3 April 2026. The CNCS is the national cybersecurity authority and single point of contact.
- How do entities register (MyCiber)?
- Entities identify and register on the CNCS MyCiber platform (myciber.gov.pt) — within 30 days of starting activity, or within 60 days of the platform becoming available for already-operating entities. Already-operating essential/important entities must also appoint and notify a cybersecurity officer to the CNCS by 4 May 2026.
- What is the QNRCS?
- The QNRCS (Quadro Nacional de Referência para a Cibersegurança) is the CNCS reference framework: five functions — Identify, Protect, Detect, Respond, Recover — with a conformity certification scheme (EC QNRCS) at Basic, Substantial and Advanced levels. It gives Portuguese entities a structured way to implement and demonstrate the RJC's requirements.
- What are the fines (coimas) under the RJC?
- The RJC sets graduated coimas: light infractions from EUR 875 to 45,000 for legal persons, rising to ceilings of EUR 10 million or 2% of worldwide turnover for the most serious breaches. Prescription periods are three years for light infractions and five years for serious and very serious ones.
Official sources
Primary references for NIS2 in Portugal — verify the latest text and deadlines directly with the authority.