the regime, explained
the Cybersecurity Legal Regime, plainly.
Decree-Law 125/2025 transposed NIS2 and has been in force since 3 April 2026. This guide explains who is in scope, what the obligations are and which deadlines are already running. It is not legal advice.
two instruments, one regime.
Decree-Law 125/2025 of 4 December approved the Cybersecurity Legal Regime and transposed the EU NIS2 directive. It has been in force since 3 April 2026. Regulation 756/2026, published on 22 June 2026 and in force since 23 June 2026, operationalised it: it created the MyCiber platform, the self-identification and registration process, the national cybersecurity reference framework and the minimum measures. The national authority is the CNCS. Read together, the two instruments define, in practice, what each entity must do and by when.
around 6,000 entities, plus the chain.
The regime covers around 6,000 entities in Portugal, classified as essential or important depending on the sector and their relevance. There is also a route into the regime that is frequently underestimated: supply-chain security is one of the mandatory minimum measures, so suppliers of in-scope entities are reached by contract even when they are not directly in scope themselves.
- Essential entities: typically the largest entities in critical sectors, under tighter supervision.
- Important entities: covered by the same minimum measures, with mainly reactive supervision.
- Supply chain: suppliers of in-scope entities are reached by contract, through their clients' supply-chain security obligation.
- Self-identification: each entity identifies and registers on the MyCiber platform, created by Regulation 756/2026.
essential and important
two classes, different duties.
The regime distinguishes essential and important entities. The class shapes the intensity of supervision and the ceiling on fines.
Essential entities: tighter supervision
Typically the largest entities in critical sectors. They face proactive supervision and the higher sanction ceiling, up to € 10 million or 2% of worldwide annual turnover.
Important entities: mainly reactive supervision
Covered by the same minimum measures, but with mainly reactive supervision, triggered by incidents or signs of non-compliance, and with lower fine amounts.
the main obligations
what the regime requires, concretely.
Six blocks of duties, to be implemented within the 24-month window for the minimum measures.
the obligation that catches those who were not expecting it.
Supply-chain security is one of the mandatory minimum measures and the one that most widens the regime's reach. Every in-scope entity must assess each direct supplier's vulnerabilities and the cybersecurity maturity of its chain, on a continuous basis. In practice this does not stay in-house: it reaches suppliers by contract. A software, maintenance or logistics supplier to an in-scope entity must now demonstrate equivalent measures, even when not directly in scope. That is why many companies discover the regime not through a letter from the authority, but through a clause in a contract they already had.
the deadlines already running
the clock has started.
Four dates frame the regime. Two have already passed.
the frameworks
where the controls are defined.
The minimum measures take shape through frameworks that authorities and buyers already recognise. Accredited certification is carried out by certification bodies accredited by IPAC.
Frequently asked questions
My company is small. Am I in scope?
Directly, it depends on the sector and the entity's relevance. But if you supply in-scope entities, you can be reached by contract, through your clients' supply-chain security obligation.
How do I confirm whether I am in scope?
Self-identification and registration are done on the MyCiber platform, created by Regulation 756/2026. We recommend confirming the specific position with legal advice.
What is the difference between an essential and an important entity?
Both are subject to the same minimum measures. Essential entities, typically the largest in critical sectors, face tighter supervision and the higher fine ceiling. Important entities face mainly reactive supervision and lower amounts.
What are the fines?
Up to € 10 million or 2% of worldwide annual turnover for essential entities, and lower amounts for important entities. Full sanctions apply from 3 April 2027.
What do I have to do with my suppliers?
Assess each direct supplier's vulnerabilities and the cybersecurity maturity of your chain, on a continuous basis. It is not a one-off exercise: it is a process that must stay up to date over time.
Does foraudits issue compliance certificates?
No. Accredited certification is carried out by IPAC, through bodies it accredits. foraudits prepares, maps and organises evidence and produces readiness reports. For accredited certification we refer to partners.
This content is informational and does not constitute legal advice. Each entity's actual qualification depends on its activity and size and should be confirmed with specialist advice. foraudits is not an accredited certification body.
see where your chain is exposed.
We ask for a few details and return an initial picture of your organisation's third-party risk, with the first steps toward compliance. No commitment.