WHAT COMPANIES NEED TO DO NOW

ALLBS, LDA
18 March 2026
Published on December 4, 2025, the transposition of the NIS2 Directive into Portuguese law through Decree-Law No. 125/2025 marks a turning point in national cybersecurity. The new Cybersecurity Legal Regime will enter into force 120 days after publication, i.e., on April 3, 2026 – in a few weeks.
Until then, the previous regime (Law No. 46/2018 and related laws) remains in force, but the adaptation period is short. Essential and important entities (sectors such as energy, transport, banking, health, water, digital infrastructure, critical manufacturing, among others) face reinforced obligations for risk management, incident reporting, and cybersecurity governance – with personal responsibility for the management bodies.
Main New Features of Decree-Law No. 125/2025
Extended Scope
NIS2 significantly expands the number of entities covered. In addition to "essential" entities (e.g., critical infrastructure operators and, regardless of size, DNS service providers, TLD name registries and qualified trust service providers), it now includes "important" entities such as medical device manufacturers, logistics companies, food producers, waste management and digital providers (e.g., search engines and online marketplaces). In Portugal, the CNCS (National Cybersecurity Center) will identify and notify the entities concerned.
Key risk management obligations
- Adopt technical and organizational measures proportionate to the risk (layered defense, Zero Trust recommended).
- Implement supply chain policies (third-party risk assessment).
- Mandatory and regular employee training.
- Incident response and business continuity plan tested periodically.
- Designation of a Cybersecurity Officer and permanent point of contact (deadline: 20 working days after entry into force).
More rigorous incident reporting
- Early warning to the CNCS within 24 hours of becoming aware of a significant incident.
- Incident notification, with an initial assessment of severity and impact, within 72 hours.
- Final report within 1 month of the incident notification (or a progress report if the incident is still ongoing, followed by the final report within 1 month of handling it).
- "Significant" incident = one that has caused or is capable of causing severe operational disruption of services or financial loss for the entity, or considerable material or non-material damage to other persons or entities.
Heavy penalties and personal liability
- Fines up to €10 million or 2% of total worldwide annual turnover for essential entities, whichever is higher (up to €7 million or 1.4% for important entities).
- Direct liability of senior directors/managers for serious non-compliance.
- Grace period for fines up to 12 months after entry into force (if adaptation efforts are demonstrated).
NIS2 and DORA: Synergies in the Financial Sector and Beyond
While NIS2 obligations will apply from April 2026, the DORA Regulation (EU 2022/2554) has already applied since January 17, 2025, with national implementation via Law No. 73/2025 of December 23. For financial entities (banks, insurers, payment institutions), the obligations overlap:
- ICT resilience testing (including threat-led penetration testing under the TIBER-EU framework, implemented nationally as TIBER-PT).
- ICT third-party risk management (contracts with ICT providers that include DORA's mandatory contractual provisions).
- Major ICT-related incident reporting to the competent financial supervisor (e.g., the Bank of Portugal).
ALLBS supports clients in both regimes: integrated risk assessments, Zero Trust implementation, MDR Total WatchGuard for detection/response, CISO as a Service, and NIS2/DORA audit support.
Immediate Steps to Prepare Your Organization (Checklist March 2026)
With less than 1 month until April 3rd, prioritize:
- Verify if your entity is covered (consult the CNCS or perform a self-assessment based on the NIS2 annexes).
- Conduct an initial NIS2 maturity assessment (gap analysis).
- Designate a Cybersecurity Officer and permanent point of contact, and notify the CNCS (20 working days after entry into force, i.e., a tight deadline post-April).
- Update risk management, supply chain, and incident reporting policies.
- Test backups and recovery plans (essential against ransomware, which continues to rise in 2026).
- Initiate awareness training (phishing, deepfakes, multi-factor authentication).
- Evaluate tools: MDR, endpoint protection (e.g., WatchGuard), 24/7 monitoring.
Document everything – evidence is crucial for audits and defense in case of sanctions.
How can ALLBS help?
At ALLBS, with over 15 years of experience in critical sectors, we offer:
- Free initial NIS2/DORA assessment – We identify priority gaps.
- Integrated solutions implementation: Zero Trust, MDR Total WatchGuard, pentesting, Acronis Cyber Cloud backups.
- CISO as a Service and ongoing compliance support.
- Training and incident simulations tailored to your industry.