
NIS2 Is Live: What Portuguese Companies Need to Know Right Now

Decreto-Lei 125/2025 took effect on April 3, 2026. Here's what changed, who's affected, and the compliance gaps most organisations don't see coming.

Cybersecurity, NIS2, Compliance

Decreto-Lei 125/2025 became enforceable on April 3, 2026. Twelve days ago. If you run an organisation in one of Portugal's 18 critical sectors and haven't started your NIS2 compliance programme, you're already behind.

This isn't another explainer rehashing what NIS2 means in theory. The directive has been public since December 2022. Portugal's transposition law has been available since June 2025. What matters now is what's actually changing on the ground, and where most organisations are getting caught off guard.

The scope is wider than most expect

NIS2 doesn't just apply to banks and energy companies. The directive covers 18 sectors across two annexes. Annex I includes the obvious: energy, transport, banking, health, digital infrastructure. Annex II adds postal services, food production, manufacturing, waste management, and digital providers like online marketplaces and search engines.

The size threshold is medium and above: 50 or more employees, or annual turnover exceeding 10 million euros. But there are exceptions. Trust service providers, DNS operators, TLD registries, and sole providers of essential services are in scope regardless of size. Article 2(2) of the directive is more expansive than most compliance teams realise.

If you supply goods or services to an entity in scope, you're indirectly affected too. Article 21(2)(d) requires in-scope entities to assess and manage cybersecurity risks across their entire supply chain. That means contractual security requirements, audit clauses, and incident reporting obligations will flow downstream.

Management liability is not theoretical

Article 20 of the directive, transposed into Portuguese law, makes management bodies personally responsible for approving cybersecurity risk-management measures and overseeing their implementation. This isn't a checkbox exercise. Management body members must undergo cybersecurity training. If the organisation fails to comply, individual liability can attach.

Portuguese companies are used to GDPR's data protection officer model. NIS2 is different. There is no designated compliance officer who absorbs the responsibility. The board itself is on the hook.

The 24-hour reporting clock

Under NIS2, significant incidents must be reported to CNCS (Centro Nacional de Cibersegurança) in three stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. For entities providing trust services, the early warning deadline drops to 24 hours from detection, not from impact assessment.

Most organisations we've assessed can't reliably detect incidents within hours, let alone report them. The reporting pipeline requires tooling, tested runbooks, and pre-established communication channels with CNCS. Building this under pressure, after an incident occurs, is not a viable strategy.

The ten domains nobody's fully covered

Article 21(2) lists ten cybersecurity risk-management measures, from risk analysis and incident handling to supply chain security and multi-factor authentication. Most organisations have partial coverage. They have a security policy, maybe an incident response plan, probably some form of access control.

What's consistently missing:

Supply chain security assessments are rarely formalised. Most companies have never evaluated the cybersecurity posture of their direct suppliers, let alone documented it.

Business continuity plans exist on paper but haven't been tested through actual exercises. Backup restoration procedures are documented but never rehearsed under realistic conditions.

Effectiveness measurement is almost universally absent. Organisations implement security controls but have no structured way to evaluate whether those controls actually work. Article 21(2)(f) requires exactly this.

Cryptography policies default to "we use TLS." That's necessary but insufficient. Key lifecycle management, algorithm governance, and encryption-at-rest policies are expected.

Fines are significant, but the real risk is operational

Essential entities face fines up to 10 million euros or 2% of worldwide annual turnover. Important entities face 7 million euros or 1.4%. These numbers get attention in board presentations, but they're not the primary risk.

The real exposure is operational. CNCS has supervisory powers that include on-site inspections, security audits, and, for essential entities, ad-hoc assessments at any time. Non-compliance can lead to binding instructions, public disclosure, and, in extreme cases, temporary suspension of management functions.

For organisations in multiple EU member states, NIS2 introduces cross-border coordination. Your Portuguese subsidiary's incident could trigger supervisory action in every jurisdiction where you operate.

What to do this week

Stop treating NIS2 as a future problem. The law is in force.

Start with a scoping exercise. Determine whether your organisation is an essential entity, an important entity, or indirectly exposed through supply chain obligations. This isn't always straightforward: entities can fall under multiple annexes, and the size thresholds have exceptions.

Run a gap assessment against all ten Article 21 domains. Not a high-level maturity checklist, but a detailed evaluation of policies, processes, and technical controls against the specific requirements of the directive. We built a free assessment tool that walks through this systematically.

Establish the incident reporting pipeline. Identify who within your organisation can submit early warnings to CNCS. Test the process before you need it.

Brief your management body. They need to understand their personal liability, approve the security measures, and commit to training. This conversation should happen before the next board meeting, not after an incident.

If you're looking for a structured path from assessment to compliance, reach out to our team. We work with organisations across Portugal's critical sectors to build NIS2 compliance programmes that survive contact with reality.