February, 2026

NIS2, the New Legal Framework for Cybersecurity in Europe and Portugal: What Changes for Corporations

Joana Rita Rocha, Lawyer LL.M.

The digital transformation and the increasing reliance on information systems have made cybersecurity a central issue in corporate management. Cyberattacks, operational disruptions and system failures are no longer remote risks but concrete threats to business continuity. Within this context, Directive (EU) 2022/2555 (the NIS2 Directive) was adopted, establishing a new European framework aimed at achieving a high common level of cybersecurity across the European Union.

NIS2 replaces the previous NIS Directive of 2016 (Directive (EU) 2016/1148) and introduces a more demanding framework, both in the obligations imposed and in the range of entities covered. In Portugal, the Directive was transposed by Decree-Law no. 125/2025 of 4 December, which establishes the legal framework for cybersecurity applicable to entities classified as essential and important.

The objective of NIS2 is to enhance the resilience of organisations operating in sectors considered critical or of high relevance to society and the economy. The underlying rationale is straightforward: the disruption of certain services may generate significant impacts, thereby justifying the imposition of common minimum risk management standards at European level. The sectors covered include, inter alia, energy, transport, health, banking, digital infrastructure, public administration, waste management and food production and distribution. Transport, for example, is expressly listed among the sectors of high criticality in Annex I of the Directive, alongside the related postal and courier services in Annex II.

However, sectoral classification alone is not sufficient. As a general rule, the Directive applies to medium-sized and large undertakings within the meaning of the Commission Recommendation of 6 May 2003 (Recommendation 2003/361/EC). For the purposes of this classification, both the number of employees and the financial thresholds must be considered. An undertaking qualifies as small only if it employs fewer than 50 persons and its annual turnover or its annual balance sheet total does not exceed €10 million; an undertaking that exceeds €10 million on both financial measures therefore ceases to qualify as a small enterprise even if it employs fewer than 50 workers. Consequently, it may qualify as a medium-sized enterprise and become subject to the obligations laid down in NIS2. The size criterion is also subject to exceptions: certain entities, such as providers of public electronic communications networks, DNS service providers, top-level domain name registries and qualified trust service providers, fall within scope regardless of their size.

Where applicable, the regime requires the adoption of appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks. The focus shifts to a preventive and structured approach, integrated into the company’s governance framework.

Among the main requirements is the implementation of formal internal cybersecurity policies, duly approved by the management body. Responsibility is no longer confined to the technical domain but directly involves senior management, which must supervise and ensure the adequacy of the measures adopted.

Entities within scope must identify and assess the risks relevant to their information systems, establish effective incident detection and response mechanisms, and ensure the capacity to restore operations. Business continuity assumes particular importance, requiring the existence of recovery plans and backup solutions capable of minimising the impact of serious attacks or failures.

The Directive also imposes the obligation to notify significant incidents to the competent authorities within the legally established deadlines. Under Article 23 of the Directive, this takes the form of a staged reporting process: an early warning within 24 hours of becoming aware of the significant incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification. This requirement aims to enable a coordinated response and to strengthen information sharing at both national and European levels.

Another relevant aspect is the attention given to risks associated with the supply chain. Companies must assess the risks arising from the use of suppliers and providers of critical services, particularly in information technologies and digital services. Security thus extends not only to the organisation itself but also to its business ecosystem.

Internal training and awareness-raising likewise constitute an essential element of the new framework, given the decisive role of the human factor in preventing cybersecurity incidents.

Decree-Law no. 125/2025 implements these obligations within the Portuguese legal order, establishing mechanisms for supervision, monitoring and the potential application of sanctions in the event of non-compliance. The entry into force of this new regulatory framework represents a significant shift in how cybersecurity must be approached by corporations. Beyond a regulatory requirement, it constitutes a central component of risk management and business sustainability in an increasingly demanding digital environment. Timely assessment of the applicable legal framework and the implementation of appropriate measures are therefore essential to ensure compliance and strengthen organisational resilience.

The text of the Decree-Law may be consulted at: diariodarepublica.pt/dr/detalhe/decreto-lei/125-2025-962603401
