	NIS2 Implementation in the EU
	Portugal
	(Europe) Firm Morais Leitão, Galvão Teles, Soares Da Silva & Associados Contributors Helena Barroso Updated 11 Feb 2026
Status of the legislative process	Enacted
Status of the NIS2 Implementation Act	On 4 December 2025, Decree-law no. 125/2025 was published, implementing the NIS2 Directive.
Significant deviations of the National Implementation Act from the NIS2 Directive, if any	The scope of the application is expanded, including (i) public administration entities (including at local level) and (ii) higher education institutions. The implementation act does not apply to: The General Staff of the Armed Forces and the branches of the Armed Forces, in respect of the networks and information systems directly related to their command and control; Public entities with responsibilities for criminal investigation and the criminal police and public security bodies, in respect of the networks and information systems directly related to their command and control; Public entities with exclusive responsibilities in the area of intelligence production, namely the Intelligence System of the Portuguese Republic, the Strategic Defense Intelligence Service, and the Security Intelligence Service, in respect of the networks and information systems directly related to their command and control; Public entities whose activity focuses on networks and information systems directly related to the production and dissemination of classified information, namely with national marks, the North Atlantic Treaty Organization ("NATO"), and the European Union, or cataloged as State secret, in respect of those networks and information systems; Other public entities that carry out their activities in the fields of national security, public security, including entities with responsibilities for criminal investigation and criminal police bodies, defense, and intelligence services, in respect of the networks and information systems directly related to the activities of information production and prevention, investigation, detection, and repression of criminal offenses; Private entities that provide services exclusively to one or more entities provided in the previous paragraphs and in respect of these activities. The competent authority responsible for cybersecurity strengthens its role as the national cybersecurity authority, and the legislation foresees the designation of “sectoral” and “special” supervisory authorities. The risk management model provided for in the local legislation consists of setting pre-defined risk standards, applicable to each sector and type of sector and type of entity (and application of corresponding preventive measures).
Date of entry into force of the Implementation Act	With the exception of certain provisions that may be subject to special rules, the provisions of the Act transposing the NIS2 Directive will be effective 120 days after official publication: i.e., on 3 March 2026.

NIS2 Implementation in the EU

Back XLS

Status of the legislative process

Enacted

Status of the NIS2 Implementation Act

On 4 December 2025, Decree-law no. 125/2025 was published, implementing the NIS2 Directive.

Significant deviations of the National Implementation Act from the NIS2 Directive, if any

The scope of the application is expanded, including (i) public administration entities (including at local level) and (ii) higher education institutions.

The implementation act does not apply to:

The General Staff of the Armed Forces and the branches of the Armed Forces, in respect of the networks and information systems directly related to their command and control;
Public entities with responsibilities for criminal investigation and the criminal police and public security bodies, in respect of the networks and information systems directly related to their command and control;
Public entities with exclusive responsibilities in the area of intelligence production, namely the Intelligence System of the Portuguese Republic, the Strategic Defense Intelligence Service, and the Security Intelligence Service, in respect of the networks and information systems directly related to their command and control;
Public entities whose activity focuses on networks and information systems directly related to the production and dissemination of classified information, namely with national marks, the North Atlantic Treaty Organization ("NATO"), and the European Union, or cataloged as State secret, in respect of those networks and information systems;
Other public entities that carry out their activities in the fields of national security, public security, including entities with responsibilities for criminal investigation and criminal police bodies, defense, and intelligence services, in respect of the networks and information systems directly related to the activities of information production and prevention, investigation, detection, and repression of criminal offenses;
Private entities that provide services exclusively to one or more entities provided in the previous paragraphs and in respect of these activities.

The competent authority responsible for cybersecurity strengthens its role as the national cybersecurity authority, and the legislation foresees the designation of “sectoral” and “special” supervisory authorities. The risk management model provided for in the local legislation consists of setting pre-defined risk standards, applicable to each sector and type of sector and type of entity (and application of corresponding preventive measures).

Date of entry into force of the Implementation Act

With the exception of certain provisions that may be subject to special rules, the provisions of the Act transposing the NIS2 Directive will be effective 120 days after official publication: i.e., on 3 March 2026.

NIS2 Implementation in the EU

Portugal

NIS2 Implementation in the EU

Portugal