Abstract
Decree-Law No. 125/2025, published on 4 December and entering into force on 3 April 2026, establishes the new legal framework for cyberspace security in Portugal, transposing Directive (EU) 2022/2555 (NIS2) into national law. This article provides a practical implementation guide for cybersecurity officers, detailing immediate and ongoing obligations, critical compliance deadlines, and the concrete steps required to ensure full conformity with the new regime.
Introduction
The transposition of the NIS2 Directive into the Portuguese legal order through Decree-Law No. 125/2025 represents a substantial transformation of the national cybersecurity regulatory framework. The decree simultaneously revokes Decree-Law No. 65/2021 and Law No. 46/2018, which constituted the previous regime, and introduces significantly more demanding obligations for a broadened universe of entities (MLGTS, 2025).
The new regime enters into force on 3 April 2026, establishing a set of obligations requiring immediate compliance alongside others of a progressive nature. For cybersecurity professionals, a detailed understanding of these obligations and their respective deadlines constitutes an urgent operational priority. As PwC (2025) highlights, the Portuguese transposition introduces national specificities that go beyond the European text, particularly regarding supervisory mechanisms and the reinforced role of the National Cybersecurity Centre (CNCS).
Scope of Application: Essential and Important Entities
DL 125/2025 significantly broadens the scope of application compared with the previous regime. The classification of entities follows the NIS2 Directive taxonomy, distinguishing between essential entities and important entities, with differentiated obligations based on sectoral criticality and organizational size (European Parliament, 2022).
Essential entities encompass the sectors of energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, and public administration. Important entities include postal services, waste management, manufacturing of critical products, food production and distribution, general manufacturing, and digital service providers (PLMJ, 2025).
The sectoral expansion means that organizations previously outside the regulatory perimeter are now subject to concrete cybersecurity obligations, including companies in the food sector, waste management, and manufacturing that exceed the defined size thresholds.
Implementation Timeline
Figure 1: DL 125/2025 implementation timeline — from regulatory milestones to permanent obligations
The implementation timeline defines three critical milestones. The first corresponds to the entry into force of the decree on 3 April 2026, from which date covered entities must initiate registration on the CNCS MyCiber platform. The second milestone — 4 May 2026 — establishes the deadline for formal appointment of the cybersecurity officer, one of the most urgent obligations under the new regime (CNCS, 2024). The third milestone is continuous in nature, encompassing all permanent obligations regarding risk analysis, reporting, and incident management.
Immediate Obligations
Covered entities must fulfil a set of foundational obligations within the first 30 days following entry into force. The appointment of the cybersecurity officer constitutes the most pressing obligation, with a deadline of 4 May 2026. This professional must possess demonstrable technical competencies and report directly to the management body, ensuring the functional autonomy necessary for the exercise of their duties (PLMJ, 2025).
Registration on the CNCS MyCiber platform is likewise required immediately. Entities must provide up-to-date information on their digital infrastructure, security points of contact, and scope of activity. The platform serves as the official communication channel with the competent authority for supervisory purposes, incident notification, and information sharing (CNCS, 2024).
Ongoing Obligations and Applicability Matrix
Figure 2: Obligations matrix — applicability by entity type
Beyond the immediate obligations, DL 125/2025 establishes a set of permanent obligations that structure the cybersecurity programme of covered entities. The documented risk analysis must be conducted at minimum annual frequency, covering all information systems and networks relevant to the provision of covered services. The security plan must reflect the results of this analysis and define the technical and organizational mitigation measures (MLGTS, 2025).
The asset inventory constitutes a cross-cutting obligation, requiring the identification and classification of all information assets, systems, and network infrastructures. The annual report to the CNCS must document the state of compliance, significant incidents, and the evolution of the security posture. The notification of significant incidents must occur within a maximum of 24 hours of detection, followed by a detailed report within 72 hours (PwC, 2025).
Management Body Accountability
One of the most significant innovations of the new regime, transposed directly from Article 20 of the NIS2 Directive, is the personal accountability of management bodies for cybersecurity oversight. Members of boards of directors and executive management must approve risk management measures, supervise their implementation, and undertake adequate training in cybersecurity matters (European Parliament, 2022).
In cases of gross negligence in the supervision of cybersecurity obligations, members of management bodies may be held personally liable, including the possibility of temporary prohibition from exercising management functions. This provision aligns cybersecurity with the corporate governance standards already established in other regulatory domains and reinforces the importance of executive engagement in cyber risk management (PLMJ, 2025).
Implementation Checklist
Figure 3: Compliance checklist with timeline indicators for each obligation
The implementation of DL 125/2025 can be structured in ten concrete steps, organized by temporal urgency. The first three steps — verification of sectoral classification, appointment of the cybersecurity officer, and registration on the MyCiber platform — must be completed immediately or within a defined 30-day deadline. Steps four through seven, concerning risk analysis, security plan, asset inventory, and incident notification procedure, should be completed within the first 60 days. The final steps, including management body training and assessment of regulatory intersections, complete the initial compliance programme within a 90-day horizon.
Interplay with DORA, GDPR, and Sector-Specific Regulation
DL 125/2025 does not operate in isolation within the regulatory landscape. Entities in the financial sector must reconcile the obligations of this decree with those of the DORA Regulation (Digital Operational Resilience Act), which establishes specific requirements for digital operational resilience. DL 125/2025 itself contains lex specialis provisions, recognizing that more demanding sector-specific regulation prevails over the general provisions of the cybersecurity regime (MLGTS, 2025).
The interplay with the GDPR is equally relevant, particularly regarding the notification of incidents involving personal data. The obligation to notify the CNCS within 24 hours coexists with the obligation to notify the CNPD within 72 hours under Article 33 of the GDPR, requiring entities to have coordinated procedures that ensure simultaneous compliance with both regimes (PwC, 2025).
Conclusion
DL 125/2025 represents a qualitative leap in cybersecurity regulation in Portugal, aligning the national regime with the European standards established by the NIS2 Directive. The personal accountability of management bodies, the broadening of sectoral scope, and the strengthening of notification and reporting obligations configure a substantially more demanding regulatory framework. For cybersecurity officers, the timely fulfilment of immediate obligations — in particular the formal appointment and registration on the MyCiber platform — constitutes the most urgent operational priority in the coming weeks. The adoption of a structured approach, based on the implementation checklist presented herein, enables an orderly transition to the new regime and mitigates non-compliance risks.
References
CNCS. (2024). Relatório Cibersegurança em Portugal. Centro Nacional de Cibersegurança.
Diário da República. (2025). Decreto-Lei n.º 125/2025, de 4 de dezembro.
European Parliament. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union.
MLGTS. (2025). Legal Alert: Novo Regime Jurídico de Cibersegurança. Morais Leitão, Galvão Teles, Soares da Silva & Associados.
PLMJ. (2025). Transposição da Diretiva NIS 2: Regime Jurídico da Segurança do Ciberespaço. PLMJ Advogados.
PwC. (2025). DL 125/2025: Transposição da NIS2 em Portugal. PwC Portugal.