Portugal approves NIS2 transposition
The law is still awaiting presidential promulgation and publication in the Official Gazette, after which the new cybersecurity rules will become mandatory.
What changes in practice:
Expanded scope
The law now covers sectors such as energy, transport, banking, financial infrastructures, health, water supply, public administration, the space sector and digital infrastructures.
Digital service providers
Cloud service providers, data centres, content distribution networks (CDNs), DNS services, online marketplaces, search engines and social media platforms are also included.
Personal liability
Administrators and directors can now be held personally liable for non-compliance - a clear sign that cybersecurity is moving up to C-level.
Mandatory CISO figure
Appointment of a Chief Information Security Officer (or equivalent) as compliance guarantor and responsible for implementing security measures.
Strict deadlines for reporting incidents
- 24 hours: initial alert
- 72 hours: detailed report
- 30 days: final analysis
Penalties for non-compliance
Fines of up to €10M or 2% of global turnover.
Co-ordinated supervision
CNCS leads the way, with specialised support from the Bank of Portugal, CMVM, ASF and ANACOM.
The message is clear:
Cybersecurity is no longer a "nice to have" but a strategic and legal obligation.
For companies in the sectors covered - including many tech companies and digital providers - now is the time to assess the maturity of your cybersecurity programmes.
