What is the NIS2 Directive?
The NIS2 Directive (Network and Information Security 2) is the new European regulatory framework for cybersecurity. In Portugal, it was transposed through Decreto-Lei 125/2025, which enters into force on April 3, 2026.
This directive represents a significant evolution from the original NIS Directive, substantially expanding the scope of application and reinforcing security obligations for organizations in essential and important sectors.
Who is affected?
NIS2 applies to a much broader set of organizations than its predecessor:
- Essential sectors: energy, transport, healthcare, water, digital infrastructure, public administration
- Important sectors: postal services, waste management, food production, manufacturing, digital providers
The cascade effect on SMEs
Even if your company is not directly covered, supply chain security requirements mean that suppliers to regulated entities will need to meet minimum cybersecurity standards.
This directly affects thousands of Portuguese SMEs that provide services to large organizations.
Key obligations
1. Risk management
Organizations must implement cybersecurity risk management measures including:
- Risk analysis and assessment
- Information security policies
- Incident management
- Business continuity
- Supply chain security
2. Incident notification
The new regime requires notification within 24 hours for significant incidents, followed by a complete report within 72 hours.
3. Management accountability
Management bodies are personally liable for compliance with cybersecurity obligations, with fines that can reach 125,000 euros for executives.
How to prepare your organization
The deadline is approaching
With the enforcement date set for April 3, 2026, organizations have a limited window to prepare. PFX Titan can help your company meet all NIS2 requirements with our specialized compliance service.