On 4th November 2025, Decree-Law No. 125/2025, of 4 December, was published in the Diário da República, approving the Cybersecurity Legal Framework and transposing Directive (EU) 2022/2555 (NIS 2) into Portuguese law. This directive sets out measures intended to ensure a high common level of cybersecurity across the European Union.
The new framework significantly broadens the range of entities subject to cybersecurity obligations and strengthens requirements on risk management, governance by management bodies, and incident reporting, establishing a distinction between “essential” and “important” entities and consolidating the supervisory powers of the National Cybersecurity Centre (CNCS).
At the institutional level, the decree-law incorporates several sectoral supervisory authorities, including ANACOM, which will act as the National Sectoral Cybersecurity Authority for electronic communications and postal services in coordination with the CNCS, as well as the special cybersecurity authorities for the financial sector — the Bank of Portugal, CMVM and ASF. These authorities are responsible for the digital operational resilience of the entities under their supervision and for coordinating the respective security and reporting obligations, within the broader framework of national cybersecurity governance ensured, among other mechanisms, through the High Council for Cyberspace Security.
The Cybersecurity Legal Framework will enter into force on 3rd April 2026.
For more information about our legal support to compliance area connect with our team.
