12 March 2026 Update - The transposition of NIS 2 in Portugal
Portugal completed the transposition of Directive (EU) 2022/2555 after a period of political and legislative delay. The Portuguese approach was to adopt a new cybersecurity legal framework through a decree law, replacing and modernising the earlier national cybersecurity regime derived from the first NIS Directive.
Before NIS 2, cybersecurity governance in Portugal was primarily based on Law 46/2018 of 13 August, which established the legal framework for cyberspace security and implemented the original NIS Directive. This framework was later complemented by Decree-Law 65/2021 and additional regulatory instruments that defined operational obligations such as incident reporting and security officer responsibilities.
Under this earlier system, the National Cybersecurity Centre (Centro Nacional de Cibersegurança – CNCS) served as the national authority responsible for cybersecurity coordination, incident response, and supervision of cybersecurity obligations.
The NIS 2 Directive required Member States to adopt national implementing legislation by 17 October 2024. Portugal did not meet this deadline and therefore became subject to the EU infringement procedure. The European Commission issued a reasoned opinion to Portugal on 7 May 2025 for failure to notify full transposition measures.
The delay was largely linked to political instability and legislative interruptions that slowed the parliamentary process during 2024 and early 2025.
The decisive milestone occurred when Portugal adopted Decree-Law No. 125/2025. This decree law establishes the new legal framework for cybersecurity in Portugal and formally transposes Directive (EU) 2022/2555 into Portuguese law. It introduces what is often referred to as the Regime Jurídico da Cibersegurança, a comprehensive national cybersecurity regime aligned with the NIS 2 Directive.
The new legal framework introduces the core elements required by the directive. It establishes the classification of essential entities and important entities, both of which must implement cybersecurity risk management measures and comply with incident reporting obligations.
The regime also expands the regulatory perimeter to include a wide range of sectors considered critical for economic and societal functioning, including energy, health, transport, digital infrastructure, and public administration.
The Portuguese case illustrates a broader pattern visible across the EU. Many Member States have technically completed the legislative transposition of the directive but are still in a transitional implementation phase, where operational details, regulatory guidance, and supervisory procedures continue to develop after the primary legislation has been adopted.