PRA

Rita Ferreira Ramos

Principal Associate | Intellectual Property and Privacy

December 4, 2025

The (long-awaited) transposition of NIS2

Decree-Law No. 125/2025, transposing Directive (EU) 2022/2555 (NIS2 Directive) on measures to ensure a high common level of cybersecurity across the Union, was published today, December 4, in the Official Gazette. This law will enter into force 120 days after its publication.

For companies and public or private organizations that must comply with NIS2/national legislation, some specific implications are:

  • Map digital assets, networks, information systems, ICT supply chains and external suppliers in order to identify risks.
  • Establish or strengthen risk management policies: risk analysis, updating response plans, vulnerability assessment, business continuity, etc.
  • Implement training practices, high-security authentication, secure software development practices, among others.
  • Be ready to report incidents within the deadlines set at the national level and cooperate with the competent authorities.
  • Prepare for inspections/audits/supervision by the competent authorities.

The NIS2 Directive aims to strengthen cybersecurity obligations in the European Union at a time when there are increasing threats, security incidents, system vulnerabilities, interdependence, global chains, and vulnerable critical infrastructure.

As a Member State, Portugal had to transpose the NIS2 Directive into national law. This transposition is generally in line with the provisions of NIS2.

However, the success of this transposition will depend heavily not only on the content of the decree-law, but also on its practical application: the availability of resources, regulatory clarity, effective communication with affected entities, realistic and fair enforcement, and continuous monitoring of the evolution of technological threats.

Finally, public and private companies that are subject to NIS2 in Portugal should prepare for its entry into force. We suggest, for example, that they:

  1. Review their security policies;
  2. Map vulnerabilities;
  3. Draw up complete lists of service providers and apply due diligence processes when hiring service providers;
  4. Prepare employees and processes to respond to incidents, with training and the development of clear procedures.