NIS2 is officially transposed in Portugal


On December 4th, 2025, NIS2 was officially transposed into law in Portugal.

What is NIS2?

NIS2 (Directive (EU) 2022/2555) is the European Union’s cybersecurity regulation designed to strengthen cyber resilience, risk management, and incident reporting across organizations that are critical or important to society and the economy.

In Portugal, NIS2 applies to a broad range of public and private entities, covering multiple sectors such as energy, transport, health, digital infrastructure services, highly critical and other critical activities.

For many organizations, the key question is simple — yet crucial:

Does NIS2 apply to my organization?


Why is it difficult to know if NIS2 applies?

NIS2 significantly expands the scope of the original NIS Directive and introduces:

  • New sector-based and size-based criteria
  • A distinction between Essential Entities and Important Entities
  • Applicability to organizations that were not previously covered
  • Legal and regulatory language that is often complex to interpret

As a result, many organizations:

  • Incorrectly assume they are out of scope, or
  • Assume they are in scope without confirmation

Both situations can lead to regulatory, legal, and operational risks.

What is this platform?

This website provides a free NIS2 applicability assessment tool, designed specifically for organizations operating in Portugal. By answering a structured set of questions, the tool helps organizations:

  • Assess whether they may fall within the scope of NIS2
  • Understand their likely classification
  • Obtain a clear initial orientation before engaging in deeper legal or technical assessments

The tool is free, fast, and does not require legal or technical expertise.


The scope assessment is totally free! No strings attached.

Frequently Asked Questions


Who should use this tool?

This assessment is suitable for:

  • Small and medium-sized enterprises (SMEs)
  • Large organizations
  • Public and private entities
  • IT and cybersecurity managers
  • Executive management and board members
  • Compliance professionals and consultants
  • Any organization operating or providing services in Portugal

What the tool does — and what it does not do

What it does

  • Evaluates sector, size, and activity criteria
  • Helps identify potential NIS2 applicability
  • Provides clear and understandable guidance
  • Is aligned with the principles of the NIS2 Directive

What it does not do

  • It does not replace legal advice
  • It does not constitute an official decision by competent authorities
  • It does not assess technical or operational compliance levels

Why is this important now?

NIS2 is already implemented in Portugal, and its requirements are no longer theoretical or future-facing. Organizations that fall within scope are already subject to regulatory obligations, including:

  • Enhanced cybersecurity risk management requirements
  • Mandatory technical and organizational security measures
  • Incident reporting and notification obligations
  • Potential administrative sanctions and enforcement actions in case of non-compliance

For organizations operating in Portugal, determining whether NIS2 applies is no longer optional.

Identifying whether your organization is within scope is the essential first step toward compliance.