Abstract
Decree-Law No. 125/2025 of 4 December transposed Directive (EU) 2022/2555 (NIS2) into Portuguese law, fully revoking the previous DL 65/2021 and Law No. 46/2018. The new cybersecurity legal regime introduces significantly more demanding incident notification obligations, with binding deadlines of 24 hours, 72 hours, and 30 days. This article provides a detailed analysis of the notification cycle to the Centro Nacional de Cibersegurança (CNCS), significant incident classification criteria, mandatory reporting content for each phase, the CERT.PT classification taxonomy, and consequences of non-compliance.
Introduction
The entry into force of DL 125/2025 on 3 April 2026 marks a structural transformation in how Portuguese organizations must report cybersecurity incidents. The previous regime, based on DL 65/2021, established generic communication obligations to CNCS without precise binding deadlines for each reporting phase (CNCS, 2022). The NIS2 transposition, through Article 23 of Directive (EU) 2022/2555, introduces a phased system with rigorous timelines and minimum mandatory content for each notification stage (European Parliament, 2022).
The scope of application has expanded significantly. NIS2 is estimated to cover approximately ten times more entities than NIS1, including public administration, digital providers, waste management, and critical product manufacturing (PwC, 2023). Management body accountability is explicitly mandated, with potential personal liability in cases of gross negligence (European Parliament, 2022, Art. 20).
Significant Incident Criteria
The notification obligation applies exclusively to significant incidents, as defined in Article 23(3) of the NIS2 Directive. An incident is considered significant when: (a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; or (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage (European Parliament, 2022).
For digital service providers, Commission Implementing Regulation (EU) 2024/2690 established additional criteria, including a quantitative threshold: direct financial loss exceeding EUR 500,000 or 5% of annual turnover (whichever is lower), exfiltration of trade secrets, death of a natural person, or considerable damage to health (European Commission, 2024).
Figure 1: Cumulative and alternative criteria for significant incident qualification under NIS2 Article 23
The moment the reporting clock starts is critical: the timer begins when the organization becomes aware that the incident meets the significance criteria, not at the moment of technical event detection (ENISA, 2024).
Notification Cycle to CNCS
Article 23 of the NIS2 Directive, transposed by DL 125/2025, establishes a four-phase progressive notification cycle, each with distinct deadlines and minimum content requirements.
Figure 2: Phased notification cycle with deadlines, mandatory content, and temporal relationship between phases
Phase 1 — Early Warning (T+24h). The entity must submit to CNCS, without undue delay and within a maximum of 24 hours of becoming aware of the significant incident, an early warning. This alert does not require detailed analysis — it is intended only to inform the competent authority of the occurrence and must indicate whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have cross-border impact (European Parliament, 2022, Art. 23(4)(a)).
Phase 2 — Incident Notification (T+72h). Within 72 hours, the entity must submit a notification updating the early warning with an initial assessment of severity and impact, along with available indicators of compromise (IoCs) including IP addresses, domains, file hashes, YARA rules, and relevant MITRE ATT&CK TTPs (ENISA, 2024).
Phase 3 — Interim Report. CNCS or CERT.PT may request interim updates on incident status at any time between the incident notification and the final report; there is no fixed deadline for this phase.
Phase 4 — Final Report (T+30d). Within one month of the incident notification submission, a final report must include: detailed incident description with severity and impact; probable root cause analysis; applied and ongoing mitigation measures; and cross-border impact assessment where applicable (European Parliament, 2022, Art. 23(4)(d)).
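The cycle above has two details that are easy to get wrong in an internal incident tracker: the 24h and 72h clocks run from the moment the entity becomes aware that the incident is significant, not from technical detection, and the final-report clock runs from the submission of the 72h notification rather than from awareness. The following Python is an added example written for this article (it is not code from CNCS, CERT.PT or any official tool) that models the deadlines and the minimum content per phase as described on this page, and also encodes the "whichever is lower" financial threshold from the section on significance criteria. The field names, the 30-day reading of "one month" and the sample timestamps are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows as stated on the page. "One month" for the final report is modelled
# as 30 days here (an assumption for this example, following the page's "30d").
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)
FINAL_REPORT_WINDOW = timedelta(days=30)

# Minimum content per phase, taken from the article's summary of Art. 23(4).
# IoCs are "where available" in phase 2, so they are not listed as mandatory.
REQUIRED_FIELDS = {
    "early_warning": ["suspected_malicious", "cross_border_impact"],
    "incident_notification": ["severity", "impact"],
    "final_report": ["description", "root_cause", "mitigations", "cross_border_assessment"],
}


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Helper to build timezone-aware UTC timestamps (assumed field format)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class IncidentRecord:
    detected_at: datetime            # technical detection: does NOT start the clock
    aware_significant_at: datetime   # moment the significance criteria were judged met
    suspected_malicious: Optional[bool] = None
    cross_border_impact: Optional[bool] = None
    severity: Optional[str] = None
    impact: Optional[str] = None
    iocs: list[str] = field(default_factory=list)
    notification_submitted_at: Optional[datetime] = None   # starts the final-report clock
    description: Optional[str] = None
    root_cause: Optional[str] = None
    mitigations: list[str] = field(default_factory=list)
    cross_border_assessment: Optional[str] = None


def deadlines(rec: IncidentRecord) -> dict[str, Optional[datetime]]:
    """Deadline per phase; the final report has none until phase 2 is submitted."""
    t0 = rec.aware_significant_at
    final = (rec.notification_submitted_at + FINAL_REPORT_WINDOW
             if rec.notification_submitted_at is not None else None)
    return {
        "early_warning": t0 + EARLY_WARNING_WINDOW,
        "incident_notification": t0 + NOTIFICATION_WINDOW,
        "final_report": final,
    }


def missing_fields(rec: IncidentRecord, phase: str) -> list[str]:
    """Mandatory fields for the phase that are still unset (None or empty list)."""
    return [name for name in REQUIRED_FIELDS[phase]
            if getattr(rec, name) is None or getattr(rec, name) == []]


def phase_status(rec: IncidentRecord, phase: str, now: datetime,
                 submitted_at: Optional[datetime] = None) -> str:
    """open / overdue / submitted_on_time / submitted_late / not_yet_due."""
    deadline = deadlines(rec)[phase]
    if deadline is None:
        return "not_yet_due"          # final-report clock has not started
    if submitted_at is not None:
        return "submitted_on_time" if submitted_at <= deadline else "submitted_late"
    return "overdue" if now > deadline else "open"


def exceeds_financial_threshold(direct_loss_eur: float, annual_turnover_eur: float) -> bool:
    """Implementing Regulation 2024/2690 criterion as described on the page:
    EUR 500,000 or 5% of annual turnover, whichever is LOWER (contrast with the
    penalty ceilings in Art. 34, which take whichever is HIGHER)."""
    threshold = min(500_000.0, 0.05 * annual_turnover_eur)
    return direct_loss_eur > threshold


if __name__ == "__main__":
    # Constructed sample: detected late on 9 April, judged significant at 09:00 on 10 April.
    rec = IncidentRecord(detected_at=utc(2026, 4, 9, 22), aware_significant_at=utc(2026, 4, 10, 9))
    for phase, due in deadlines(rec).items():
        print(f"{phase}: due {due}, missing {missing_fields(rec, phase)}")
```

Running the file shows that the early-warning deadline is 24 hours after awareness (not after detection) and that no final-report deadline exists until `notification_submitted_at` is filled in; `missing_fields` is meant to be run as a pre-submission gate so that an early warning is never sent without the malicious-act and cross-border indications.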
Penalty Framework
Non-compliance with notification obligations is subject to differentiated fines based on entity classification. Essential entities face maximum fines of EUR 10,000,000 or 2% of global annual turnover (whichever is higher). Important entities face fines up to EUR 7,000,000 or 1.4% of global annual turnover (European Parliament, 2022, Art. 34). Management bodies may be held personally liable for gross negligence (Art. 20).
Conclusion
The incident notification regime established by DL 125/2025 and the NIS2 Directive represents a qualitative leap from the previous framework. Portuguese organizations classified as essential or important must prepare to meet rigorous deadlines (24h/72h/30d), submit detailed technical content (including IoCs and root cause analysis), and assume management body responsibility for compliance. Non-compliance may result in fines up to EUR 10 million or 2% of global turnover, in addition to supervisory measures and personal liability of directors.
References
European Commission. (2024). Commission Implementing Regulation (EU) 2024/2690 on technical and methodological requirements and significant incidents. Official Journal of the European Union.
CNCS. (2022). Regulation No. 183/2022 — Technical Instruction on communications between entities and the National Cybersecurity Centre. Diário da República.
CNCS. (2024). Cybersecurity in Portugal Report — Risks & Conflicts 2024. Centro Nacional de Cibersegurança.
ENISA. (2024). NIS2 Directive Implementation Guidance. European Union Agency for Cybersecurity.
European Parliament. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. Official Journal of the European Union, L 333/80.
PwC. (2023). From NIS to NIS2 — The evolution of European cybersecurity legislation. PricewaterhouseCoopers Portugal.
RNCSIRT. (2024). Common Taxonomy of the National CSIRT Network, version 3.3. Rede Nacional de CSIRT.