New Legal Regime on Cybersecurity

2025-12-11T17:38:00
Portugal
Government approves Decree-Law 125/2025 of December 4, which transposes NIS2, expands the scope of cybersecurity, and strengthens risk management, inc
December 11, 2025

Decree-Law 125/2025 of December 4 (“Decree-Law 125/2025”) transposes Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022 (“NIS2”) into the Portuguese legal framework and imposes a duty of diligence and oversight with personal liability for intentional misconduct or gross negligence, requiring documented decision-making processes and the integration of cybersecurity into top-level management.

Essential, important and relevant public entities are required to register on the designated platform and meet deadlines for reporting significant-impact incidents, including (i) an alert within 24 hours of verifying the incident, (ii) an update within 72 hours, (iii) an end-of-impact notification within 24 hours, and (iv) a final report within 30 business days of the end-of-impact notification, supported by tested processes, trained teams and clear reporting lines.

A risk management system is mandatory, covering risk analysis, incident response, continuity planning, lifecycle management, and supply chain security. This system must include encryption and multifactor or continuous authentication. Also, an annual report is required, along with certification, where applicable, issued by an accredited body or under a scheme recognized by the Portuguese National Cybersecurity Centre (“CNCS”). The CNCS may mandate this certification.

Classification of an entity as essential or important dictates specific obligations and fines of up to €10 million or 2% of the preceding financial year’s annual worldwide turnover for essential entities, and up to €7 million or 1.4% of the preceding financial year’s annual worldwide turnover for important entities. Negligence is also subject to penalties.

Decree-Law 125/2025 enters into force 120 days after its publication. Certain provisions will take effect 24 months after the CNCS approves and publishes applicable regulations that will trigger this transition period.
