Essential, important and relevant public entities face new security obligations
The Portuguese National Cybersecurity Center (“CNCS”) has opened a 30-business-day public consultation on a draft regulation implementing the Legal Regime on Cybersecurity (“RJC”), approved by Decree-Law 125/2025 of December 4 (“Decree-Law 125/2025”), which transposes the NIS2 Directive into Portuguese law. For further information on this regime, see our Legal Flash, New Legal Regime on Cybersecurity.
Why and how to participate in the public consultation
The public consultation gives affected entities a critical opportunity to help shape the rules that will govern them. After the consultation period closes, the CNCS will review all submissions and publish a report summarizing the contributions it received. This report will also include CNCS’s overall assessment of the contributions and the reasoning behind its final regulatory choices.
Entities seeking to participate in the public consultation may submit written contributions in Portuguese, preferably by email to cncs@cncs.gov.pt, by April 22, 2026.
Impact of the regulation on target companies
This regulation significantly affects organizations across multiple sectors. Specifically, it requires them to implement cybersecurity policies, incident-response and disaster-recovery plans, asset inventories, and vulnerability-management processes. They must also integrate cybersecurity safeguards throughout their supply chains.
Scope of application and registration
The regulation applies to essential entities, important entities, and relevant public entities, as defined under the RJC. It elaborates on obligations established by Decree-Law 125/2025 and introduces operational rules and specific compliance tools. A key feature of the regulation is the creation of an electronic platform managed by CNCS, functioning as a one-stop shop for registration, classification, and communication between affected entities and cybersecurity authorities.
Entities must self-identify by completing an electronic form that includes their name, tax identification number, activity sector and subsector, number of employees, and turnover. This preliminary record becomes definitive once entities receive notification of their classification from the competent cybersecurity authority. Entities may challenge their classification under the Code of Administrative Procedure and may update their records at any time as their circumstances change.
The platform will also centralize functions such as reporting cybersecurity incidents, submitting annual reports, appointing a cybersecurity officer, designating a permanent contact point, and receiving electronic notifications for acts and decisions issued by cybersecurity authorities.
Compliance levels and the risk matrix
The second pillar of the regulation establishes minimum cybersecurity measures, grouped into three cumulative compliance levels: Basic, Substantial and High. The applicable level is determined using a sector-specific risk matrix (Annex II), which assesses the probability and consequences of the predominant risks within each sector and subsector. Specifically, the matrix considers factors such as entity size (Large, Medium or Small) and the critical importance of each sector, as listed in Annex I or Annex II of the RJC.
As compliance levels are cumulative, entities subject to the High level must also comply with the requirements under the Basic and Substantial levels. Annex III outlines the minimum cybersecurity measures applicable to essential and important entities, while Annex IV sets out the measures for relevant public entities, organized into Group A and Group B. Areas covered include cybersecurity policies, asset inventories, risk and vulnerability management, access control and multifactor authentication, equipment and network protection, backup procedures, incident response, and supply-chain management.
Notably, the National Cybersecurity Reference Framework (QNRCS, Annex I) and the risk matrix (Annex II) are not open for public consultation. Accordingly, entities’ contributions are limited to the provisions in the draft regulation itself and the measures established in Annexes III and IV. The regulation will enter into force on the fifth day following its publication, subject to the transitional rules established in Decree-Law 125/2025.
Structural obligations for corporate groups
For corporate groups classified as essential or important entities, the draft regulation introduces organizational obligations related to risk management, internal governance and technological investment.
These groups must implement and document: cybersecurity policies; incident-response plans; disaster-recovery protocols; ongoing vulnerability assessment processes; asset inventories; data-classification procedures; and robust systems for monitoring, detecting and reporting incidents. The regulation sets specific deadlines and detailed content requirements to ensure compliance.
The combined effect of the risk matrix and the compliance levels requires a thorough review of existing security controls, internal audit procedures, and supplier relationships. Consequently, affected entities will need to incorporate appropriate cybersecurity provisions and due diligence mechanisms throughout their supply chains.
In light of the above, you may contact our Technology and Telecommunications team for assistance with assessing the impact of the new regime, preparing contributions to the public consultation, and planning the necessary compliance measures.