
NIS2 in Portugal: what DL 125/2025 requires from SMEs (and by when)

Decree-Law 125/2025 transposes NIS2 and has been in force since 3 April 2026. It covers 18 sectors and ~7,000 entities in Portugal. A practical guide: who is covered, obligations, deadlines and first steps.

Quick answer: NIS2 applies to your SME if you have ≥50 employees or ≥€10M turnover AND operate in one of the 18 in-scope sectors. The adaptation deadline is 3 April 2027 — but incident reporting (24h/72h/30d) is already enforceable. Fines reach €10M or 2% of global turnover.

On 4 December 2025, Decree-Law 125/2025 was published in the Diário da República. On 3 April 2026, it entered into force. In just over four months, Portugal moved from approximately 1,000 entities subject to cybersecurity obligations to an estimated 7,000 to 9,000 — a 7-to-9-fold expansion. The majority are SMEs.

This guide explains, in practical terms, what the new law means for your business, what you must do, and where to start without panicking.

The new law is in force: what it means for your SME

Decree-Law 125/2025 transposes EU Directive 2022/2555 — known as NIS2 — into Portuguese law. It replaces Law 46/2018 (which transposed NIS1) and creates a new Cybersecurity Legal Regime. The CNCS (National Cybersecurity Centre) is the national authority, with proactive supervision of Essential Entities and reactive supervision of Important Entities.

Three things change materially for any SME:

  1. Scope expanded dramatically. NIS1 covered mostly large critical-infrastructure operators. NIS2 covers 18 sectors and dozens of subsectors, with obligations extending to companies with 50+ employees or €10M+ in turnover.
  2. Management is personally liable. Article 25 of DL 125/2025 establishes non-delegable governance-body responsibilities. Individual fines can reach €200,000 for serious breaches. This is new in Portuguese administrative law and materially changes the relationship between leadership, IT, and governance.
  3. Fines have escalated. Up to €10M or 2% of global turnover (Essential Entities), up to €7M or 1.4% (Important Entities). For a company with €100M turnover, this can mean up to €2M from a single breach — more than many SMEs invest in IT in a decade.

The good news: there's an adaptation period until 3 April 2027 during which the regulator does not apply fines for good-faith efforts. The bad news: this period does not cover incident reporting obligations — those are immediately enforceable.

Does NIS2 apply to your company? A 60-second decision

Three cumulative criteria. It applies if you meet all three:

Criterion 1 — Size. ≥50 employees or ≥€10M annual turnover (or €10M balance sheet). The criterion is cumulative at parent-company level, not per business unit.

Criterion 2 — Sector. You operate in one of the 18 sectors listed in Annexes I (essential) or II (important) of DL 125/2025: energy, transport, banking, healthcare, water, digital infrastructure, public administration, space, telecoms, postal, waste management, chemical, food, manufacturing, digital providers, research, pharmaceutical manufacturing.

Criterion 3 — Supply-chain pull. Even if you're outside direct scope, you can be pulled in by a larger client's or partner's due diligence. Banks, public hospitals, and critical operators will demand NIS2 compliance evidence from their suppliers — and this includes SaaS, IT services, consultancies, and hardware vendors.

The fastest way to know is the official simulator at myciber.gov.pt. More than 6,000 organisations used it within weeks of launch. Results are non-binding — formal qualification happens through MyCiber registration — but they provide a reliable indication.

Essential vs Important Entities: the practical difference

Both Essential Entities (EE) and Important Entities (EI) have the same technical requirements — the 10 Article 27 controls, 24h/72h/30d reporting, cybersecurity officer designation, MyCiber registration. They diverge in supervisory intensity and penalties.

  • Threshold — Essential Entity (EE): ≥250 employees or ≥€50M turnover · Important Entity (EI): 50–249 employees or €10M–€50M turnover
  • Sectors — Essential Entity (EE): Annex I (energy, banking, health, water, etc.) · Important Entity (EI): Annex II (postal, chemical, food, etc.)
  • Supervision — Essential Entity (EE): Proactive (audits without notice) · Important Entity (EI): Reactive (after incident or report)
  • Max fine — Essential Entity (EE): €10M or 2% turnover · Important Entity (EI): €7M or 1.4% turnover
  • Personal fine — Essential Entity (EE): Up to €200k · Important Entity (EI): Up to €125k

There's an important trap: certain specialised entities (DNS providers, TLD registries, digital-identity providers, eIDAS providers) are classified as EE regardless of size. You can have 10 employees and still fall under the most demanding regime.

The 10 Article 27 controls you actually have to implement

Article 27 establishes 10 categories of minimum measures. All are risk-proportional — you don't have to implement everything at the same level, but you must document why you chose the level you chose.

  1. Security policies and risk analysis. Board-approved document mapping critical assets, threats, and accepted risk levels.
  2. Incident management. Procedure defining detection, classification, response, and — critically — escalation to CNCS.
  3. Supply-chain security. Supplier risk assessment; contractual clauses; due diligence on critical SaaS.
  4. Cryptography and authentication. MFA on critical systems, encryption at rest and in transit, cryptographic key management.
  5. Physical and environmental security. Server-room access controls, climate control, electrical redundancy.
  6. Network security and monitoring. Segmentation, IDS/IPS, continuous monitoring (which requires a SIEM).
  7. Business continuity and recovery. Tested backups, documented recovery plan, annual exercises.
  8. Personnel security and training. Background checks, induction, ongoing training for technical staff.
  9. Vulnerability management. Regular scanning, risk-prioritised patching, disclosure process.
  10. Cyber-hygiene and management training. Specifically called out — leadership must receive periodic training.

Most SMEs already have 4 or 5 of these partially implemented, often without realising. NIS2 forces them to be documented, formalised, and demonstrable.

The 5 deadlines that matter

The timeline every in-scope SME should commit to memory:

  • 20 business days after assuming the role: formally designate a cybersecurity officer and notify CNCS via MyCiber. For companies that existed before 3 April 2026, this deadline expired on 4 May 2026 — if you haven't complied, you are technically in breach.
  • 60 days after MyCiber availability: formal company registration, classification (EE/EI/relevant), operational information. The platform launched in phases between April and June 2026.
  • 24 hours after detecting a significant incident: initial alert to CNCS via MyCiber. No grace period.
  • 72 hours: detailed incident report with preliminary impact assessment.
  • 30 days: final report with root cause, actual impact, and remediation measures.

And the macro deadline: 3 April 2027. End of the adaptation period. After this date, fine application becomes automatic for material breaches.

Fines: what non-compliance costs

The fines are the highest ever introduced in Portuguese administrative law for cybersecurity:

  • EE: up to €10,000,000 or 2% of global turnover (whichever is greater).
  • EI: up to €7,000,000 or 1.4% of global turnover.
  • Personal: up to €200,000 for management on serious breaches; €125,000 on significant ones.
  • Complementary: licence suspension (in regulated sectors), mandatory publication of the decision, mandatory training, temporary disqualification from management roles.

But the real cost is rarely the fine alone. A significant incident in a non-compliant company typically combines: CNCS fine, CNPD fine if personal data is involved, incident-response costs (€50k–€500k for an SME), revenue loss from downtime, churn from enterprise clients triggering audit clauses, legal costs with affected suppliers, and — in extreme cases — civil personal liability of management.

Where to start (without panicking)

Our recommendation for SMEs starting now:

Week 1 (personal action):

  1. Use the simulator at myciber.gov.pt to confirm scope.
  2. Read Article 25 (governance) and Article 27 (controls) of DL 125/2025.
  3. Internally designate someone as cybersecurity officer — can be an existing person in IT or compliance.

Month 1 (gap analysis):

  1. Run (or commission) a gap analysis against the 10 controls. Expect 2 to 4 weeks of effort.
  2. Identify the 3 controls with the highest risk vs the lowest remediation effort.

Quarter 1 (implementation):

  1. Implement governance (board-approved policy, leadership training, formal designation).
  2. Implement the 3 priority controls (typically: universal MFA, tested backups, network segmentation).
  3. Establish a CNCS notification procedure and test it internally.

Quarter 2 onwards (continuous operation):

  1. Internal SOC or MSSP — for 24/7 monitoring and threat hunting.
  2. Annual internal audit + management review.

This path is achievable for an SME with 50–250 employees in 6 to 9 months, with investment between €30k and €150k depending on the starting point and on the in-house vs managed choice. It's less than a single minimum EI fine.

NIS2 isn't a technical IT reform — it's a governance reform that changes what it means to run a business in regulated sectors in Portugal. The adaptation period until April 2027 is generous, but short for those who wait. Start now.

Simão Ribeiro

Founder of Vigil Security. 24/7 SOC, threat hunting and NIS2 compliance for Portuguese SMEs.