Abstract
The NIS2 Directive, transposed into Portuguese law by Decree-Law no. 125/2025, has substantially raised the governance, risk management, and compliance requirements imposed on organizations. At the same time, the shortage of qualified professionals makes hiring a full-time CISO unfeasible for most covered entities. This article analyzes how an AI-powered Virtual CISO (vCISO) addresses this dual challenge: it applies AI contextualized with the organization’s real data to support management body decision-making, quantify risk with methodologies such as FAIR, and maintain continuous compliance with NIS2, GDPR, and frameworks such as ISO 27001.
Introduction
The entry into force of Decree-Law no. 125/2025 on April 3, 2026 confronted thousands of Portuguese organizations with unprecedented cybersecurity obligations: appointment of a cybersecurity officer, registration on the MyCiber platform, documented risk analysis, incident notification to the CNCS within 24 hours, and personal accountability of management bodies (CNCS, 2024). Article 20 of the NIS2 Directive is explicit: management bodies must approve risk management measures, oversee their implementation, and can be held liable for non-compliance (European Parliament, 2022).
This regulatory demand collides with a structural market reality. ENISA estimates a persistent deficit of hundreds of thousands of cybersecurity professionals in the European Union, with the CISO role among the hardest to fill (ENISA, 2024). For an important entity in the food sector, manufacturing, or waste management, hiring a senior full-time CISO is often unaffordable. It is in this context that the Virtual CISO model gains relevance, and that applying AI to this model transforms it qualitatively.
From the Traditional vCISO to the AI-Powered vCISO
The Virtual CISO concept is not new: external consultants providing part-time security leadership services have existed for over a decade. The traditional model, however, has well-known limitations: availability limited to a few hours per week, organizational context knowledge that degrades between engagements, and costs that grow linearly with scope.
An AI-powered vCISO operates differently. Instead of depending exclusively on a consultant’s memory and availability, the system maintains permanent access to the organization’s real data: asset inventory, active vulnerabilities, ongoing incidents, risk registry, and compliance status. Through Retrieval-Augmented Generation (RAG), every response is contextualized with that data, cites the sources used, and structures recommendations for the appropriate audience: board of directors, technical team, compliance function, or external auditors.
The practical difference is significant. Faced with the question “what is the impact of CVE-2026-1234 on our organization?”, a generic assistant describes the vulnerability in the abstract. A vCISO with RAG checks whether the vulnerability affects assets in the real inventory, cross-references the criticality classification of those assets (CIA triad), assesses exposure on the attack surface, and produces prioritized recommendations with immediate remediation and a long-term roadmap.
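The retrieval-and-prioritization step described above, written out as an added example (this is illustration code, not part of the article or of any product it describes). The asset inventory, the product names, the "fixed in" version and the scoring weights are all constructed assumptions; the CVE identifier is the hypothetical one the article itself uses. A plain inventory filter stands in for the vector store a real RAG pipeline would query, and the rendered text is the kind of source-cited context a vCISO would prepend to the model prompt so that the answer is grounded in the organization's own data rather than in an abstract description of the vulnerability.

```python
from dataclasses import dataclass

# Constructed inventory and advisory records for illustration; the asset names,
# products, versions and scoring weights are assumptions, not real data.


@dataclass
class Asset:
    asset_id: str
    hostname: str
    product: str
    version: str
    confidentiality: int   # 1 (low) .. 3 (high), per the CIA classification
    integrity: int
    availability: int
    internet_exposed: bool


@dataclass
class Advisory:
    cve_id: str
    product: str
    fixed_in: str          # versions below this one are affected
    cvss: float


def version_key(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def retrieve_affected(advisory: Advisory, inventory: list) -> list:
    """Retrieval step: keep only the inventory records the advisory applies to.
    A simple filter stands in for the vector store a RAG pipeline would use."""
    return [a for a in inventory
            if a.product == advisory.product
            and version_key(a.version) < version_key(advisory.fixed_in)]


def priority_score(asset: Asset, advisory: Advisory) -> float:
    """CVSS weighted by CIA criticality (3..9) and attack-surface exposure."""
    criticality = asset.confidentiality + asset.integrity + asset.availability
    exposure = 2.0 if asset.internet_exposed else 1.0
    return round(advisory.cvss * criticality * exposure, 1)


def assess_cve(advisory: Advisory, inventory: list) -> dict:
    """Prioritized, source-cited findings plus a longer-term roadmap."""
    findings = []
    for asset in retrieve_affected(advisory, inventory):
        findings.append({
            "asset_id": asset.asset_id,
            "hostname": asset.hostname,
            "score": priority_score(asset, advisory),
            "immediate": ("isolate from the internet and patch" if asset.internet_exposed
                          else "patch in the next maintenance window"),
            "sources": [f"inventory:{asset.asset_id}", f"advisory:{advisory.cve_id}"],
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    roadmap = (f"upgrade all {advisory.product} instances to {advisory.fixed_in} "
               "and add the product to the continuous vulnerability scan scope")
    return {"cve": advisory.cve_id, "affected_count": len(findings),
            "findings": findings, "roadmap": roadmap}


def render_context(assessment: dict) -> str:
    """Text block prepended to the model prompt so the answer cites its sources."""
    lines = [f"Assessment of {assessment['cve']}: "
             f"{assessment['affected_count']} affected asset(s)"]
    for f in assessment["findings"]:
        lines.append(f"- {f['hostname']} (score {f['score']}): {f['immediate']} "
                     f"[sources: {', '.join(f['sources'])}]")
    lines.append(f"Roadmap: {assessment['roadmap']}")
    return "\n".join(lines)


# Constructed sample data (the CVE id is the hypothetical one used in the article).
INVENTORY = [
    Asset("A1", "web-01", "acme-gateway", "2.3.1", 2, 2, 3, True),
    Asset("A2", "erp-db-01", "acme-gateway", "2.2.0", 3, 3, 3, False),
    Asset("A3", "dev-01", "acme-gateway", "2.4.0", 1, 1, 1, False),
    Asset("A4", "file-01", "acme-fileshare", "1.0.0", 2, 1, 2, False),
]
ADVISORY = Advisory("CVE-2026-1234", "acme-gateway", "2.4.0", 8.8)

if __name__ == "__main__":
    print(render_context(assess_cve(ADVISORY, INVENTORY)))
```

Running it shows the exposed web server ranked first even though the internal ERP database has the higher CIA classification: exposure doubles the score, which is the attack-surface assessment the text refers to. The development host on the fixed version and the unrelated file server are excluded at the retrieval step, so the model never sees them and cannot hallucinate impact on them.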
Figure 1: Flow of an AI-powered vCISO: the organization’s real data contextualizes every response, structured for the appropriate audience
AI Applied to Governance
Governance is the GRC dimension where NIS2 introduces the deepest change: direct accountability of management bodies. Directors can no longer fully delegate cybersecurity to the technical team; they must approve measures, oversee their execution, and receive adequate training (European Parliament, 2022). The practical problem is a language asymmetry: security data is produced in technical language while management bodies decide in business language.
An AI-powered vCISO operates precisely at this translation layer. Three capabilities are decisive:
Daily executive summary. An automatic report synthesizing critical risks, trends, and action items in language accessible to leadership. Instead of the board receiving a 60-page report quarterly, it receives an actionable synthesis daily, creating the evidence trail of continuous oversight that Article 20 requires.
Multi-audience reports. The same technical fact (for example, a critical vulnerability on an exposed server) is communicated differently to the board (business risk and potential cost), the technical team (remediation steps), and auditors (control status and evidence).
Policy drafting support. Drafting and reviewing security policies aligned with frameworks such as NIST CSF, ISO 27001, and CIS Controls, contextually referenced, reduces weeks of consulting work to hours of internal review.
AI Applied to Risk Management
Article 21 of NIS2 requires an “all-hazards” risk management approach with measures proportional to actual risk. The dominant practice in organizations, qualitative probability-impact matrices, has documented weaknesses: ordinal scales treated as cardinal, range compression, and an illusion of rigor (Hubbard & Seiersen, 2016).
The quantitative alternative is the FAIR methodology (Factor Analysis of Information Risk), which decomposes risk into measurable factors: threat event frequency (TEF), threat capability (TCap), resistance strength of controls, primary loss, and secondary loss, culminating in an annualized loss expectancy (ALE) expressed in euros (FAIR Institute, 2021). The historical obstacle to FAIR adoption is the analytical effort: each scenario requires estimate calibration and simulation.
This is where AI changes the equation. A vCISO integrated with the risk registry and with Monte Carlo simulation allows quantification to stop being an annual consulting exercise and become a continuous process: FAIR factors are fed by real operational data (active vulnerabilities, attack surface exposure, incident history) and loss estimates are updated as context changes. The result for the decision-maker is a concrete answer to questions like “how much financial risk do we reduce if we remediate these ten vulnerabilities?”, instead of a red cell in a matrix.
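The FAIR decomposition and Monte Carlo simulation described above, carried through as an added example (illustration code, not the article's own or the FAIR Institute's reference implementation). Every estimate is a constructed (min, most likely, max) calibration for a hypothetical exposed service; the "before" scenario models ten open vulnerabilities as low control resistance strength, and the "after" scenario raises resistance to represent their remediation. Vulnerability is modelled as the probability that a sampled threat capability exceeds a sampled resistance strength, which is FAIR's definition; the triangular distributions and the way fractional frequencies are handled are simplifying assumptions. The final function answers the decision-maker's question in euros rather than as a coloured cell.

```python
import random
from dataclasses import dataclass

# All numbers below are constructed estimates for illustration, not data from a
# real organization and not figures from the FAIR standard documentation.


@dataclass
class FairScenario:
    name: str
    tef: tuple             # threat event frequency per year: (min, most likely, max)
    tcap: tuple            # threat capability on a 0..1 scale: (min, most likely, max)
    resistance: tuple      # control resistance strength, 0..1: (min, most likely, max)
    primary_loss: tuple    # euros per loss event: (min, most likely, max)
    secondary_prob: float  # probability a loss event also triggers secondary loss
    secondary_loss: tuple  # euros of secondary loss: (min, most likely, max)


def draw(rng: random.Random, estimate: tuple) -> float:
    """One triangular sample from a calibrated (min, most likely, max) estimate.
    random.triangular takes (low, high, mode), so the arguments are reordered."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def simulate(sc: FairScenario, iterations: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo over one simulated year per iteration, following the FAIR
    decomposition: TEF -> threat events; vulnerability = P(TCap > resistance);
    each loss event adds primary loss plus, with some probability, secondary loss."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        tef = draw(rng, sc.tef)
        # A fractional frequency becomes one extra event with matching probability.
        threat_events = int(tef) + (1 if rng.random() < tef - int(tef) else 0)
        year_loss = 0.0
        for _ in range(threat_events):
            if draw(rng, sc.tcap) > draw(rng, sc.resistance):  # loss event occurs
                loss = draw(rng, sc.primary_loss)
                if rng.random() < sc.secondary_prob:
                    loss += draw(rng, sc.secondary_loss)
                year_loss += loss
        annual_losses.append(year_loss)
    annual_losses.sort()
    n = len(annual_losses)
    return {
        "scenario": sc.name,
        "ale_mean": sum(annual_losses) / n,            # annualized loss expectancy
        "p90": annual_losses[int(0.9 * n)],             # loss exceeded one year in ten
        "p_zero_loss": sum(1 for x in annual_losses if x == 0) / n,
    }


def risk_reduction(before: FairScenario, after: FairScenario) -> dict:
    """Answers 'how much financial risk do we reduce if we remediate?' in euros."""
    b, a = simulate(before), simulate(after)
    return {"ale_before": b["ale_mean"], "ale_after": a["ale_mean"],
            "reduction": b["ale_mean"] - a["ale_mean"]}


# Constructed scenario pair: an exposed service with ten open vulnerabilities
# (low resistance) versus the same service after those vulnerabilities are fixed.
EXPOSED_SERVICE = FairScenario(
    name="exposed service, 10 open vulnerabilities",
    tef=(2, 5, 10), tcap=(0.4, 0.6, 0.8), resistance=(0.3, 0.5, 0.7),
    primary_loss=(20_000, 80_000, 300_000),
    secondary_prob=0.3, secondary_loss=(50_000, 150_000, 500_000),
)
REMEDIATED_SERVICE = FairScenario(
    name="exposed service, vulnerabilities remediated",
    tef=EXPOSED_SERVICE.tef, tcap=EXPOSED_SERVICE.tcap, resistance=(0.6, 0.8, 0.95),
    primary_loss=EXPOSED_SERVICE.primary_loss,
    secondary_prob=EXPOSED_SERVICE.secondary_prob,
    secondary_loss=EXPOSED_SERVICE.secondary_loss,
)

if __name__ == "__main__":
    for key, value in risk_reduction(EXPOSED_SERVICE, REMEDIATED_SERVICE).items():
        print(f"{key}: {value:,.0f} EUR")
```

Because the simulation is seeded, the same inputs always produce the same figures, which matters for the audit trail: a board decision can be traced back to the exact estimates behind it. In a continuous setup the `resistance` and `tef` estimates would be fed from the vulnerability scanner and incident history rather than typed in, and the report would be regenerated whenever those inputs change.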
Figure 2: Mapping of the vCISO’s AI capabilities across the three GRC dimensions and corresponding NIS2 articles
AI Applied to Compliance
The compliance dimension of NIS2 is, in practice, an evidence management problem at scale. Covered entities must demonstrate simultaneous compliance with NIS2 (via DL 125/2025), GDPR, frequently ISO 27001, and, in the financial sector, DORA. Each framework has hundreds of controls, many of them overlapping, and manual evidence collection consumes a disproportionate fraction of security teams’ time.
Three AI applications are particularly relevant in this domain:
Continuous multi-framework compliance. Instead of point-in-time annual audits, the status of each control is assessed continuously from operational data. A vulnerability management control, for example, is assessed against real remediation SLAs, not against a statement of intent.
Incident response with regulatory deadlines. DL 125/2025 requires initial notification to the CNCS within 24 hours, an interim report within 72 hours, and a final report within 30 days. During an incident, the vCISO supports the team in classifying according to the CNCS taxonomy, preparing notifications, and coordinating with the parallel obligation to notify the CNPD within 72 hours when personal data is involved.
Audit preparation. The ability to generate reports adapted to auditors, citing the underlying evidence, drastically reduces preparation effort and improves the quality of the audit trail.
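The first two applications above, continuous control assessment from operational data and the incident regulatory clock, as one added example (illustration code, not the article's own or any product's). The vulnerability records, the remediation SLA per severity and the 10% breach tolerance are constructed assumptions; NIS2, DL 125/2025 and ISO 27001 do not prescribe those particular values. The notification deadlines are the ones the article states. The control report carries its evidence with it, which is what an auditor asks for.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Constructed records and thresholds for illustration; the SLA values and the
# breach tolerance are assumptions, not prescribed by NIS2, DL 125/2025 or ISO 27001.

REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
MAX_BREACH_RATE = 0.10   # assumed tolerance for the control to count as effective


@dataclass
class Vulnerability:
    vuln_id: str
    asset: str
    severity: str
    discovered: date
    remediated: Optional[date]   # None while still open


def assess_vulnerability(v: Vulnerability, as_of: date) -> dict:
    """Compare actual remediation time against the SLA for its severity."""
    sla = REMEDIATION_SLA_DAYS[v.severity]
    end = v.remediated or as_of
    age = (end - v.discovered).days
    if v.remediated is not None:
        status = "within_sla" if age <= sla else "breached"
    else:
        status = "open_overdue" if age > sla else "open_within_sla"
    return {"vuln_id": v.vuln_id, "asset": v.asset, "severity": v.severity,
            "days": age, "sla_days": sla, "status": status}


def assess_vulnerability_control(vulns: list, as_of: date) -> dict:
    """Continuous status of the 'vulnerability management' control, derived from
    operational data rather than a statement of intent, with evidence attached."""
    evidence = [assess_vulnerability(v, as_of) for v in vulns]
    breaches = [e for e in evidence if e["status"] in ("breached", "open_overdue")]
    breach_rate = len(breaches) / len(evidence) if evidence else 0.0
    return {
        "control": "vulnerability management",
        "as_of": as_of.isoformat(),
        "status": "effective" if breach_rate <= MAX_BREACH_RATE else "ineffective",
        "breach_rate": breach_rate,
        "breaches": [e["vuln_id"] for e in breaches],
        "evidence": evidence,
    }


def notification_deadlines(detected_at: datetime, personal_data: bool) -> dict:
    """Regulatory clock for an incident: the CNCS deadlines the article cites from
    DL 125/2025, plus the parallel CNPD notification when personal data is involved."""
    deadlines = {
        "cncs_initial_notification": detected_at + timedelta(hours=24),
        "cncs_interim_report": detected_at + timedelta(hours=72),
        "cncs_final_report": detected_at + timedelta(days=30),
    }
    if personal_data:
        deadlines["cnpd_notification"] = detected_at + timedelta(hours=72)
    return deadlines


# Constructed sample records.
VULNS = [
    Vulnerability("V1", "web-01", "critical", date(2026, 4, 1), date(2026, 4, 5)),
    Vulnerability("V2", "erp-db-01", "critical", date(2026, 4, 10), date(2026, 4, 25)),
    Vulnerability("V3", "web-01", "high", date(2026, 3, 1), date(2026, 3, 20)),
    Vulnerability("V4", "file-01", "high", date(2026, 3, 20), None),
    Vulnerability("V5", "dev-01", "medium", date(2026, 4, 20), None),
]
AS_OF = date(2026, 5, 1)

if __name__ == "__main__":
    report = assess_vulnerability_control(VULNS, AS_OF)
    print(report["control"], report["status"], f"breach rate {report['breach_rate']:.0%}")
    for e in report["evidence"]:
        print(f"  {e['vuln_id']} {e['severity']:8} {e['days']:3}d / SLA {e['sla_days']}d"
              f" -> {e['status']}")
    for name, when in notification_deadlines(datetime(2026, 5, 3, 14, 0), True).items():
        print(f"  {name}: {when:%Y-%m-%d %H:%M}")
```

Note that an open vulnerability still inside its SLA does not count against the control, but one left open past the SLA does, so the status degrades as time passes even if nothing new is discovered; that is the difference between a point-in-time audit and continuous assessment.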
Data Sovereignty: the Precondition
Applying AI to GRC data raises a legitimate question: where is this data processed? The risk registry, vulnerability inventory, and incident history are among the most sensitive information assets of any organization. Sending them to AI services in third-party clouds outside the organization’s control creates precisely the kind of risk that GRC seeks to mitigate, and may compromise GDPR compliance.
Viriatus addresses this problem through controlled infrastructure: the platform runs either on CyberS3C’s infrastructure, in European territory with access via VPN, or on the client’s own infrastructure. In both models, the AI engine operates within that controlled perimeter, and the data is never used to train models or shared with third parties. For organizations covered by NIS2, this architecture makes it possible to benefit from AI applied to GRC without introducing a new dependency on vendors outside the European regulatory space.
Limits: AI Does Not Replace Accountability
It is important to be rigorous about limits. NIS2 and DL 125/2025 assign responsibilities to people: management bodies and the appointed cybersecurity officer. No AI system assumes legal responsibility, and no automatic recommendation removes the need for human judgment in critical decisions.
The correct role of an AI-powered vCISO is that of a capacity multiplier: it compresses the time between question and well-founded answer, eliminates repetitive analysis and reporting work, and ensures human decisions are made with the full context of the organization’s data. For a security team of two or three people, this means operating at a GRC maturity level that would previously require a team several times larger. For management bodies, it means informed and documented oversight, exactly what the regulator demands.
Conclusion
NIS2 and DL 125/2025 have transformed GRC from a documentation exercise into a continuous operational obligation, with personal accountability of management bodies. In a market with a structural shortage of professionals, the answer cannot be just to hire more: it must include multiplying the capacity of existing teams. An AI-powered Virtual CISO, fed by the organization’s real data and operated on controlled infrastructure, applies that multiplication to the three GRC dimensions: it translates technical security into governance language, quantifies risk in euros with FAIR and Monte Carlo, and maintains continuous compliance with tight regulatory deadlines. Organizations adopting this approach will not merely be complying with NIS2: they will be building a structurally more mature security function.
References
CNCS. (2024). Relatório Cibersegurança em Portugal. Centro Nacional de Cibersegurança.
Decreto-Lei n.º 125/2025, de 4 de dezembro. Diário da República.
ENISA. (2024). NIS Investments Report 2024. European Union Agency for Cybersecurity.
European Parliament. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union.
FAIR Institute. (2021). FAIR: Factor Analysis of Information Risk, Standard Documentation. The Open Group.
Hubbard, D. W., & Seiersen, R. (2016). How to Measure Anything in Cybersecurity Risk. Wiley.
NIST. (2024). The NIST Cybersecurity Framework (CSF) 2.0. National Institute of Standards and Technology.