Cybersecurity 2026

Last Updated March 17, 2026

Portugal

Law and Practice

Authors



Abreu Advogados is a “Big Four” independent law firm with over 30 years of experience in the Portuguese market, navigating in tomorrow’s sectors and industries. The firm continuously attracts strategic opportunities for its clients in key areas such as finance, corporate and M&A, tax, litigation and competition, among others. The firm invests in multidisciplinary teams that tackle increasingly complex transactions with cost-effective solutions and anticipate clients’ needs with a business-oriented vision. Either from within Portugal or internationally, Abreu is chosen to provide legal advice in international transactions across Portuguese-speaking countries, particularly Angola, Mozambique and Timor-Leste. Abreu partnered with FBL Advogados in 2007 and with JLA Advogados in 2010 to meet clients' interests in the Angolan, Mozambican and Portuguese markets, and benefits from an international decision-making process when presenting innovative legal solutions to its clients.

Portugal has shown a consistent commitment to strengthening national cybersecurity. In recent years, the government adopted the National Cybersecurity Strategy for 2019–2023; however, no updated version has lately been issued.

Given the increasingly complex geopolitical environment and the rapid pace of technological development, the law transposing the NIS2 Directive is pushing the government to design a new National Cybersecurity Strategy. This updated strategy will set out the framework, priorities, strategic objectives and governance model, clarifying the roles and responsibilities of national stakeholders. According to the National Digital Strategy Action Plan for 2026–2027, this instrument will be prepared and implemented by the National Cybersecurity Centre (hereafter, CNCS) and the National Security Office by the second half of 2027.

On another note, the CNCS Cybersecurity Report 2025 – Risks & Conflicts noted a clear rise in both the volume and sophistication of cybersecurity incidents throughout 2024, driven by extensive phishing and smishing campaigns, diverse social-engineering tactics, and the exploitation of system vulnerabilities. The Report concluded with the need for operators to strengthen both technical and human capabilities and to develop cyber-resilience strategies that take the entire value chain into account.

The Portuguese cybersecurity legal framework heavily derives from EU legislation, which has played a prominent role in harmonising and ensuring a high standard for cybersecurity in the EU. Accordingly, for each principal statute pertaining to cybersecurity in Portugal, a summary follows which outlines the respective subject matter, scope of application, and (extra)territorial reach.

Regulation (EU) 2016/679 of 27 April 2016 on the Protection of Natural Persons With Regard to the Processing of Personal Data and on the Free Movement of Such Data (the “General Data Protection Regulation” – GDPR)

This was implemented by Law No 58/2019 of August 8th.

Subject matter

Controllers and processors must assess the inherent risk of data processing operations and adopt appropriate technical and organisational security measures in order to safeguard the processing of personal data and data subjects’ fundamental rights.

Scope

The GDPR applies to any natural or legal person, public authority, agency or other entity acting as a controller, processor or recipient of personal data under its provisions. As for Portuguese law, it applies to all personal data processing carried out within national territory, irrespective of whether the controller or processor is public or private.

(Extra)territorial reach

The GDPR may apply to processing outside the European Economic Area (EEA) where Article 3 conditions are met (eg, the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union).

Regulation (EU) 2019/881 of 17 April 2019 on ENISA and on Information and Communications Technology Cybersecurity Certification (the “Cybersecurity Act”)

This was implemented by Commission Implementing Regulation (EU) 2024/482 of 31 January 2024.

Subject matter

The Cybersecurity Act lays down the objectives, tasks and organisational matters relating to ENISA and a framework for the establishment of European cybersecurity certification schemes.

Scope

The Cybersecurity Act applies to all natural or legal persons involved in the development, provision or use of ICT products, services or processes that may fall under a European cybersecurity certification scheme.

(Extra)territorial reach

The Cybersecurity Act may apply extraterritorially when ICT products, services or processes are placed on the EU market or used within the EU.

Regulation (EU) 2022/2554 of 14 December 2022 (DORA) and Directive (EU) 2022/2556 of 14 December 2022 Regarding Digital Operational Resilience for the Financial Sector

The DORA framework was implemented by Law No 73/2025 of December 23rd.

Subject matter

The DORA framework places the onus on financial entities to exercise comprehensive oversight over ICT risks. It requires institutions to establish robust capabilities for effective ICT risk management, and to implement mechanisms and policies for addressing all ICT-related incidents.

Scope

The DORA Framework and Law No 73/2025 apply to the following entities:

  • insurance and reinsurance companies with headquarters in Portugal;
  • pension fund management entities authorised in Portugal; and
  • other financial institutions falling within the scope of the DORA Regulation.

Note that savings banks existing as of 1 January 1985 are excluded, except those operating as corporations.

(Extra)territorial reach

On an EU level, DORA applies to all the above-mentioned entities that provide services in the EU and are located therein. Its territorial scope is broad and extends to organisations based outside the EU, where, for example, they offer certain financial services in the EU market or contract with financial entities that are in-scope of DORA.

Directive (EU) 2022/2555 of 14 December 2022 (the “NIS2 Directive”)

This was transposed by Decree-Law No 125/2025 of December 4th.

Subject matter

The NIS2 Directive is the cornerstone of cybersecurity in the EU, establishing a framework that ensures a high, common level of cybersecurity across the EU.

Scope

The Directive applies to both essential and important entities that meet a set of:

  • formal requirements (ie, size of the undertaking or the nature of the public entity);
  • material requirements typically associated with the criticality of the sector in which the entity operates; and
  • the territorial scope of application of the Directive.

(Extra)territorial reach

Decree-Law No 125/2025 applies to entities that have an establishment in Portugal or, where they are providers of public electronic communications networks or electronic communications services accessible to the public, that make them available on national territory.

Furthermore, the Decree-Law is applicable to in-scope domain name system (DNS) service providers, top-level domain name registries, domain name registrars, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines or social media service platforms that have their main establishment in Portugal or, alternatively, that have a representative established in Portugal.

Concerning extraterritoriality, the CNCS may, after consulting the High Council for Cyberspace Security, adopt corrective or restrictive enforcement measures directed at a service provider without an establishment or representation in the national territory that does not provide adequate cybersecurity measures.

Directive (EU) 2022/2557 of 14 December 2022 (Resilience of Critical Entities – CER)

This was transposed by Decree-Law No 22/2025 of March 19th.

Subject matter

Decree-Law No 22/2025 aims to establish a robust framework for the resilience of critical entities in Portugal, by defining procedures for identifying, designating and strengthening the resilience of national critical entities and those of particular European relevance.

Scope

The enterprise must be designated as critical by the National Civil Emergency Planning Council. The process for identification of critical entities must consider several criteria, inter alia:

  • the results of the national risk evaluation;
  • the results of the national strategy for the resilience of critical entities; and
  • the provision of services that are considered essential.

(Extra)territorial reach

Decree-Law No 22/2025 also applies to critical entities of particular European relevance, namely those that have been designated as critical entities and that provide identical or comparable essential services in six or more member states.

Regulation (EU) 2024/2847 of 23 October 2024 (the “Cyber-Resilience Act” – CRA) and Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025

Subject matter

The CRA aims to establish the framework conditions necessary for the development of secure products with digital components, ensuring that hardware and software are placed on the market with reduced vulnerabilities and that manufacturers address security throughout the entire life cycle of their products.

Scope

The CRA covers products with digital components that are placed on the EU market and whose intended purpose or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or network. The Regulation also limits its scope of application negatively, providing for the exclusion of, inter alia, medical devices with digital elements.

(Extra)territorial reach

As this Regulation applies to all in-scope products with digital elements, the requirements laid down therein apply to all economic operators involved in the manufacturing, importation, distribution and making available of products with digital elements on the market, regardless of whether they are based in the EU.

Regulation (EU) 2025/38 of 19 December 2024 (the “Cyber Solidarity Act”)

Subject matter and scope

The Cyber Solidarity Act aims to strengthen the EU’s solidarity and capabilities in detecting, preparing for and responding to cyber-threats and cybersecurity incidents. To achieve these objectives, the Regulation establishes the European Cybersecurity Alert System to enhance capabilities for detecting, preventing and managing data related to cyber-threats. The Regulation also establishes a Cybersecurity Emergency Mechanism to support member states in preparing for, responding to, mitigating the impact of and initiating recovery from significant cybersecurity incidents and large-scale cybersecurity incidents, and to support other users. Finally, a European mechanism for analysing cybersecurity incidents is also being established.

(Extra)territorial reach

The Regulation is directed at member states, EU bodies and entities participating in EU cybersecurity mechanisms, and applies only indirectly to legal entities not established in the EU.

Law No 16/2022 of August 16th Transposing the European Electronic Communications Code (the “ECS Portuguese Law”)

The ECS Portuguese Law is implemented by Regulation No 303/2019 of April 1st on the security and integrity of electronic communications networks and services.

Subject matter

The ECS Portuguese Law provides that entities offering public electronic communications networks or publicly available electronic communications services must take proportionate technical and organisational measures to adequately manage risks to the security of networks and services.

Scope

Regulation No 303/2019 applies to enterprises that offer public communications networks or publicly available electronic communications services, as defined in the ECS Portuguese Law.

(Extra)territorial reach

The criteria for registration as an electronic communications services provider in Portugal relate to the offer and/or operation of electronic communications services or networks in Portugal, regardless of whether the provider has an establishment in Portugal.

The transposition of the NIS2 Directive has strengthened the role of the CNCS as the national cybersecurity authority. Beyond this mandate, the CNCS also performs the following functions:

  • it operates within the framework of the National Security Office, and its mission is to ensure the safe and free use of cyberspace in Portugal;
  • it is responsible for developing national capacity to prevent and detect cybersecurity incidents;
  • it is responsible for ensuring the security of government information and communication systems and critical national infrastructures;
  • it is the national single point of contact for international co-ordination, and plays a central role in liaising with other national actors in the field of cybersecurity;
  • it assumes the role of the National Cybersecurity Certification Authority; and
  • it is part of the national Cybersecurity Incident Response Team.

From a regulatory standpoint, the CNCS has powers to (among others) adopt regulations and issue guidelines, recommendations and technical instructions relating to cybersecurity, including the prerogative to physically access the premises of in-scope entities.

In this regard, it should be noted that the Cybersecurity Incident Response Team, “CERT.PT”, is integrated into the CNCS and has technical and operational autonomy.

In addition, the Portuguese Law transposing the NIS2 Directive created a complex institutional framework, including the creation of the following authorities.

  • National sectoral cybersecurity authorities:
    1. the National Security Office (GNS), with regard to trust services in electronic transactions in the internal market; and
    2. the National Communications Authority (ANACOM), with regard to electronic communications and the postal service.
  • Special national cybersecurity authorities on digital operational resilience in the financial sector:
    1. the Insurance and Pensions Authority (ASF);
    2. the Portuguese Securities Market Commission (CMVM); and
    3. the Bank of Portugal.

It is important to highlight that the transposition of the NIS2 Directive into Portuguese law grants the competent authorities new supervisory and enforcement powers. With respect to essential entities, these authorities may, as a measure of last resort, request that the competent bodies or courts temporarily prohibit any natural person with executive-level management responsibilities or acting as a legal representative from exercising management functions within that entity.

In addition, beyond its role as a sectoral cybersecurity authority under the NIS2 framework, ANACOM also acts as the competent authority for enforcing Regulation No 303/2019.

Similarly, the Portuguese legislation transposing the DORA framework assigns supervisory responsibilities and regulatory and sanctioning powers to the ASF, the CMVM and the Bank of Portugal. Under Law No 73/2025, these authorities are granted broad regulatory powers, including the ability to define specific operational channels and procedures for reporting severe ICT incidents as well as for the voluntary notification of significant cyber-threats. In addition, the competent authorities hold significant supervisory and sanctioning powers, enabling them to oversee compliance and enforce the obligations set out in the DORA framework.

Regarding critical entities and infrastructures, Decree-Law No 22/2025 indicates the National Civil Emergency Planning Council and the Secretary-General of the Internal Security System as the competent authorities. The Decree-Law also provides that sectoral entities (such as the Portuguese Space Agency) are entrusted with specific responsibilities, particularly regarding the designation of national and European critical entities and infrastructures.

Finally, with respect to data breach notifications, the CNPD (Comissão Nacional de Proteção de Dados) must also be identified as a competent authority in matters relating to cybersecurity.

The NIS2 Directive has substantially reshaped the EU’s cybersecurity regulatory landscape, prompting the adoption of a new Cybersecurity Legal Framework in Portugal (Decree-Law No 125/2025 of December 4th). This framework significantly broadens both the range of critical sectors and the categories of entities subject to its obligations.

Its scope of application refers to an exhaustive list of entities (Annexes I and II) that operate in critical sectors (eg, digital infrastructures and providers of digital services), and which are deemed medium-sized pursuant to Recommendation (2003/361/EC) or which exceed those thresholds, and which provide their services or carry out their activities in the Union and have an establishment in national territory.

In addition, the Cybersecurity Legal Framework also applies to:

  • qualified trust service providers and top-level domain name registries as well as DNS service providers;
  • providers of public electronic communications networks or of publicly available electronic communications services;
  • public administration entities, which may be classified as Group A or Group B public relevant entities;
  • higher education institutions;
  • entities qualified by the competent authority as having a relevant role for society at the national level; and
  • entities identified by national authorities as critical pursuant to Decree-Law No 22/2025.

As there are four potential qualifications of in-scope entities, the Portuguese Cybersecurity Legal Framework establishes a hierarchy to determine the applicable category. Where an entity simultaneously meets the criteria for more than one category, the most stringent classification prevails, following the order set out below:

  • essential entities;
  • important entities;
  • Group A public relevant entities; and
  • Group B public relevant entities.

Furthermore, Decree-Law No 125/2025 is complemented by Decree-Law No 22/2025 of March 19th, which transposes into Portuguese law the CER Directive. To be considered a critical entity, the enterprise must be designated as such by the National Civil Emergency Planning Council (by 17 July 2026, the deadline for this identification), which is competent to approve the criteria and methodology applicable to the identification of critical entities and their respective critical infrastructure.

Although the CER framework applies without prejudice to the NIS2 regime, Decree-Law No 22/2025 expressly excludes certain categories of critical entities, namely those operating in the banking sector, infrastructures of the financial, insurance or pension fund markets, and digital infrastructures, from the resilience and supervisory obligations set out therein.

Essential and important entities are required to adopt appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems. These measures must follow a systemic approach, developed with a view to protecting all assets that ensure the continuity of the networks and services supporting the essential services.

As such, the adopted measures must safeguard an appropriate level of security considering the risks involved, taking into account the latest technical developments and, where applicable, relevant European and international standards (eg, standards included in the ISO/IEC 27000 series), as well as the costs of implementation and the financial viability thereof. The Portuguese Cybersecurity Legal Framework also accounts for the entity’s size and the likelihood and severity of incidents, including their social and economic impact, according to technical criteria to be defined by the CNCS.

Moreover, at least the following points should be included in the measures:

  • incident handling;
  • business continuity, such as back-up management and disaster recovery, and crisis management;
  • supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber hygiene practices and cybersecurity training, including for members of senior management bodies and employees;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access control policies and asset management; and
  • the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.

Additionally, the CNCS is mandated to approve sector-specific regulations that define the minimum and specific cybersecurity measures and conformity levels to be adopted by essential and important entities.

On another note, entities are required to prepare an annual report under the supervision of the designated cybersecurity officer. This officer has legally established functions and must be a member of the management, executive or administrative bodies, or must otherwise report to them directly and formally. By contrast, the permanent point(s) of contact to be appointed by important or essential entities are responsible for ensuring the operational and technical flow of information with the competent cybersecurity authority, including sharing information when specific emergency, security or resilience plans are activated, and receiving any guidelines, recommendations, technical instructions or orders issued by that authority.

With respect to critical entities and critical infrastructure designated under Decree-Law No 22/2025, there is a requirement to carry out a comprehensive risk evaluation within nine months following notification of designation as a critical entity, as well as the development of the corresponding resilience plan.

Pursuant to the new Cybersecurity Legal Framework, essential and important entities must notify the competent cybersecurity authority of any significant incident via the CNCS electronic platform.

Accordingly, the relevant Decree-Law stipulates that the classification of an incident as significantly impactful shall be guided by the parameters outlined below:

  • number of users affected by the service disruption;
  • total number of users of the disrupted service;
  • duration of the incident;
  • level of severity of the disruption to the functioning of the service; and
  • extent of the impact on economic and social activities.

Notification

For each incident subject to mandatory notification, the following must be submitted to the competent cybersecurity authority by in-scope entities.

Initial notification – within 24 hours (except when the incident is resolved within two hours of its detection, in which case only notification of the end of the significant impact is required)

This notification must contain at least the following information.

  • Name, telephone number and email address of a representative of the entity, when different from the permanent point of contact, for the purpose of possible contact by the competent cybersecurity authority.
  • Date and time of the start – or, if this cannot be determined, of the detection – of the incident.
  • Brief description of the incident, including an indication of the category of the cause and the effects produced.
  • Possible estimate of the impact, considering:
    1. the number of users affected by the service disruption;
    2. duration of the incident;
    3. geographical distribution, with regard to the area affected by the incident, including an indication of the cross-border impact; and
    4. other information that the entity considers relevant.
  • Where necessary, an update within 72 hours of the verification of the significant incident.

The competent cybersecurity authority should respond to the notifying entity without undue delay and, if possible, within 24 hours of receiving the initial notification. In situations of serious and proven risk of impact from the notified incident, the competent cybersecurity authority may also impose, as an immediate enforcement measure, the interruption of service provision to the entity concerned, or the cessation of conduct that infringes the Cybersecurity Legal Framework, if the entity does not do so voluntarily.

Notification of the end of the significant impact – within 24 hours after the end of the significant impact

This notification must contain at least the following information.

  • Update of the information provided in the initial notification, if any.
  • Description of the measures taken to resolve the incident.
  • Description of the impact situation at the time the significant impact ceased, namely:
    1. number of users affected by the service disruption;
    2. duration of the incident;
    3. geographical distribution of the area affected by the incident, including an indication of any cross-border impact; and
    4. estimated time for full recovery of services.

The final report – within 30 working days of the date of notification of the end of the significant impact of the incident

This notification should include at least the following information.

  • Date and time when the incident had a significant impact.
  • Date and time when the incident ceased to have a significant impact.
  • Impact of the incident, considering:
    1. number of users affected by the service disruption;
    2. duration of the incident;
    3. geographical distribution, with regard to the area affected by the incident, including an indication of cross-border impact; and
    4. description of the incident, indicating the category of cause and the effects produced.
  • Indication of the measures taken to mitigate the incident.
  • Description of the residual situation of the impact existing at the date of the final notification, namely:
    1. number of users affected by the service disruption;
    2. geographical distribution, with regard to the area affected by the incident, including an indication of cross-border impact;
    3. estimated time for full recovery of services still affected;
    4. indication, where applicable, of the submission of notification of the incident in question to the competent authorities, namely the Public Prosecutor’s Office or the CNPD and other sectoral authorities; and
    5. other information that the essential and important entity considers relevant.

Entities may also be required to submit one (or more) interim report(s) on a weekly basis if, after the deadline for submitting the final report, the incident is still ongoing.

Without prejudice to mandatory notifications, any natural or legal person may voluntarily report incidents, cyber-threats or vulnerabilities that they detect. Such voluntary notifications do not trigger any additional obligation for the notifying entity.

Lastly, essential, important and relevant public entities must inform the recipients of their services, without undue delay, of any incidents with a significant impact (and significant cyber-threats) that are likely to affect them negatively.

The format and process for the aforementioned notifications will be further defined by the CNCS through the issuance of a technical instruction.

The Cybersecurity Legal Framework is grounded in a strong institutional architecture designed to operate through close co-operation with the private sector. This co-operation may be achieved through public-private partnerships that facilitate the exchange of knowledge, dissemination of best practices, and the utilisation of private sector expertise in support of the competent cybersecurity authority. Decree-Law No 125/2025 also governs the establishment of agreements for sharing cybersecurity information among the entities that form the institutional framework of the Portuguese NIS2 Law and, where appropriate, their suppliers or service providers, for purposes of the following.

  • Prevention, detection, response to and recovery from incidents or mitigation of their impact.
  • Strengthening the level of cybersecurity, in particular by:
    1. raising awareness of cyber-threats;
    2. limiting or preventing their ability to spread;
    3. supporting a range of defensive capabilities;
    4. the correction and disclosure of vulnerabilities;
    5. threat detection, containment and prevention techniques;
    6. mitigation strategies;
    7. response and recovery phases; or
    8. promoting collaborative research on cyber-threats between public and private entities.

Additionally, the role of the CERT.PT should be emphasised. This team is responsible for (inter alia) monitoring and analysing cyber-threats, vulnerabilities and incidents at the national level and for activating early-warning mechanisms, sending alert messages, and communicating and disseminating information to relevant essential, important and public entities, competent authorities and other interested parties about cyber-threats, vulnerabilities and incidents, including in real time. The CERT.PT is the national co-ordinating body for the disclosure of vulnerabilities affecting networks and information systems, products, components, and information and communication technology (ICT) services. In this context, it acts as a trusted intermediary, facilitating interaction between the reporting individual/entity and the manufacturer or supplier of potentially vulnerable ICT products or the ICT service provider, at the request of either party.

Finally, within the public policy sphere, the Cybersecurity Legal Framework reinforces three key initiatives:

  • the National Cyberspace Security Strategy, which sets national priorities and strategic goals for cybersecurity;
  • the National Plan for Responding to Large-Scale Cybersecurity Crises and Incidents, which governs and strengthens the management of major incidents; and
  • the National Reference Framework for Cybersecurity, designed to consolidate and promote norms, standards and best practices for effective cybersecurity management.

Please refer to 1.2 Cybersecurity Laws.

ICT services are defined as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services” (Article 3(21) of DORA). As such, an ICT service provider is defined as “an undertaking providing ICT services” (Article 3(19) of DORA).

In turn, critical ICT third-party service providers shall be designated in line with Article 31 of the Regulation, which considers a series of criteria laid out in said article such as systemic impact on stability, continuity or quality of the service, or the systemic character or importance of the financial entities that rely on the relevant ICT third-party service provider.

When engaging ICT service providers, in-scope entities are required to have due regard to the mandatory contractual requirements laid down in Articles 28 and 30. Financial institutions, in particular, need to determine whether subcontracting ICT services that underpin critical or important functions is allowed and under which conditions. Any negotiation involving subcontractors should reflect the requirements of Commission Delegated Regulation (EU) 2025/532, which outlines the factors that financial entities must evaluate when outsourcing ICT services that support such functions. They should also consider the European Central Bank’s (ECB) guidance on cloud outsourcing and the upcoming supervisory guidelines issued under DORA.

For contracts involving ICT providers that support critical or important functions, financial entities must ensure that the agreement grants them full rights to monitor the provider’s performance. This includes unrestricted rights of access, inspection and audit by the financial entity or an appointed third party, and by the competent authority. Contracts must also include clear exit strategies and provider assistance obligations, as required under Article 30 of DORA.

Financial entities subject to DORA must establish an ICT governance and risk-management framework that includes documented strategies, policies, procedures and technical measures to ensure the protection, monitoring and resilience of all ICT systems and information assets. These measures must be kept current and continuously supervised.

Entities must be able to promptly detect anomalous activities, ICT performance issues and incidents, and identify potential single points of failure. They must also maintain effective back-up, restoration and recovery arrangements to minimise downtime, disruption and data loss.

In addition, Article 17 requires financial entities to implement an ICT-related incident management process. DORA sets out the criteria for classifying ICT incidents and cyber-threats and establishes mandatory reporting obligations. These requirements must be read together with:

  • Commission Delegated Regulation (EU) 2024/1772, which defines incident-classification criteria, materiality thresholds and reporting content for major incidents;
  • Commission Delegated Regulation (EU) 2025/301, which specifies the content and deadlines for initial, intermediate and final reports on major ICT incidents, as well as voluntary notifications of significant cyber-threats; and
  • Commission Implementing Regulation (EU) 2025/302, which provides the standard forms, templates and procedures for reporting major ICT incidents and notifying significant cyber-threats.

Under DORA’s institutional framework, the Lead Overseer is granted extensive supervisory powers over critical ICT third-party service providers. These include the ability to:

  • request all relevant information and documentation pursuant to Article 37;
  • conduct investigations and on-site inspections under Articles 38 and 39; and
  • require post-oversight reports detailing the actions or remedial measures implemented in response to issued recommendations.

Article 50 further empowers competent authorities to:

  • access any documents or data, in any form, deemed necessary for the performance of their duties and obtain copies thereof;
  • carry out on-site inspections and investigations; and
  • require corrective or remedial measures in cases of non-compliance with the Regulation.

At national level, Law No 73/2025 identifies several administrative offences, including:

  • the provision of information to the competent authority or to customers that is not complete, true, current, clear, objective and lawful, or the omission of such provision;
  • failure to co-operate with the competent authorities in crisis and contingency management exercises involving cyber-attack scenarios; and
  • the violation of a set of duties, without prejudice to others established in the DORA Regulation, listed illustratively in Law No 73/2025.

Under this law, the competent authorities referred to in 1.3 Cybersecurity Regulators may investigate administrative offences and impose fines and ancillary sanctions. Fines range from:

  • EUR2,500 to EUR5 million for legal entities; and
  • EUR400 to EUR2.5 million for individuals.

The maximum fine may be increased to:

  • three times the economic benefit obtained (including avoided losses); or
  • 10% of annual turnover for certain legal entities.

DORA requires financial institutions to ensure that third-party ICT service providers meet specific requirements in their contractual relationships. These include incorporating certain contractual provisions (Article 30) and assessing whether conditions for supervisory oversight – such as those related to subcontracting – are satisfied (Article 28(4)(b)).

In particular, financial entities must ensure that outsourcing and ICT service contracts specify the locations where functions are performed and where data is stored or processed, and must be notified in advance of any intended changes. When outsourcing involves personal data processed outside the EEA, GDPR transfer rules apply. Transfers to third countries must rely on a lawful transfer mechanism such as adequacy decision, standard contractual clauses or binding corporate rules.

In practice, regulators typically expect that financial entities assess third-country risks as part of their operational-resilience and outsourcing due-diligence obligations. This includes evaluating the legal and regulatory environment of the destination country, ensuring enforceability of audit and access rights, and confirming that data-transfer arrangements do not compromise continuity of critical or important functions.

Financial entities subject to DORA are required to conduct threat-led penetration testing (TLPT) at least once every three years. These advanced tests must be carried out on live production systems and must encompass several (or, where appropriate, all) critical or important functions of the entity.

Once the exercise is completed, and after the testing reports and remediation measures have been agreed, the financial entity (together with any external testers involved) must submit to the competent authority a summary of key findings, the corresponding remediation plans, and evidence demonstrating that the TLPT was performed in full compliance with DORA’s requirements.

Further details are provided in Commission Delegated Regulation (EU) 2025/1190, which sets out the regulatory technical standards governing TLPT. These standards define:

  • the criteria for identifying which financial entities must perform TLPT;
  • the conditions for relying on internal testers;
  • the required scope and methodology for each phase of the testing process;
  • the stages for reporting, closure and remediation; and
  • the framework for supervisory co-operation and mutual recognition.

The CRA is directly applicable in Portugal and shall begin its phased application in September 2026. Despite the approaching application date, Portugal has not yet adopted a national implementation law designating the market surveillance authorities or consolidating the provisions on penalties.

Regarding the CRA’s scope of application, note that a product with digital elements means a software or hardware product and its remote data-processing solutions, including software or hardware components placed on the market separately. In other words, this Regulation covers products such as baby monitors, smart washing machines, and products that include artificial intelligence (AI) systems.

Conversely, cloud solutions and digital services such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) are, in principle, outside the scope of the CRA. Instead, these services may fall under the Portuguese NIS2 Law, in line with the categories listed in Annex II.

Additionally, because of the CRA’s limited material scope, other legislation (such as Regulation (EU) 2023/988 on general product safety requirements) applies to products with digital elements that pose safety risks not covered by the CRA. The CRA also does not affect the health and safety requirements established in Regulation (EU) 2023/1230, where applicable.

The Regulation also sets out different obligations for the different actors in the supply chain (ie, manufacturers, importers and distributors) to ensure that the essential requirements for cybersecurity are met from the manufacturing stage onwards. This aligns with the primary aim of the CRA, which is to establish essential cybersecurity requirements for the design, development and manufacture of products with digital elements, as well as their monitoring once they are available on the market.

The CRA provides a robust level of cybersecurity for products with digital elements to be placed on the internal market. At the outset, it is essential to clarify that the Regulation identifies three categories of products with digital elements:

  • products with digital elements not classified as important or critical;
  • important products with digital elements, which possess the core functionality of a product category outlined in Annex III, further subclassified into Class I and Class II; and
  • critical products with digital elements, which possess the core functionality of a product category outlined in Annex IV.

Key Obligations

Although the level of compliance varies, products with digital elements that are subject to this Regulation must comply with the following key obligations.

Presentation of the CE marking

It is mandatory for products with digital elements covered by this Regulation to bear the CE marking as the visible proof for users of conformity with the essential cybersecurity requirements set out in Annex I. The affixing of the CE marking to a product is preceded by a conformity assessment procedure, harmonised by the Regulation.

Conformity assessment procedure

The conformity assessment of products with digital elements, which are not listed as important or critical products with digital elements in this Regulation, can be carried out by the manufacturer under its own responsibility, according to the procedure laid down in Decision No 768/2008/EC.

By contrast, due to the high impact of products with digital elements classified as “important”, they are subject to different procedures.

  • For important Class I products, the product may be assessed by the manufacturer on its own responsibility, provided that it applies harmonised standards or common specifications, or complies with a European cybersecurity certification. If the manufacturer chooses not to apply the above security measures, it must undergo a third-party conformity assessment.
  • For important Class II products, the conformity assessment must always involve a third party.

For critical products with digital elements, and in accordance with their importance for society, it is mandatory that they have a certification under the European Cybersecurity Certification Scheme with a minimum level of “substantial”. If this condition is not met, critical products are subject to the conformity assessment defined for Class II important products.

Assessment of the cybersecurity risks

Manufacturers of products with digital elements must carry out and document an assessment of the cybersecurity risks of the product, and demonstrate that it complies with the essential cybersecurity requirements listed in Annex I. This assessment should be integrated into the technical documentation of the product.

Reporting obligations

The Regulation mandates that manufacturers of products with digital elements must report to both the designated Computer Security Incident Response Team (CSIRT) and ENISA, via a single platform to be established by the latter authority. The reporting comprises a notification on:

  • actively exploited vulnerabilities in their products; and
  • serious incidents impacting the security of these products.

Vulnerability handling

Manufacturers must ensure that, from the moment a product with digital elements is placed on the market and throughout its entire support period, any vulnerabilities in that product are properly managed. This handling must comply with the essential cybersecurity requirements established in Part II of Annex I.

Upon identifying a vulnerability in a component, manufacturers must notify such vulnerability to the person or entity manufacturing or maintaining the component. Then, they are required to address and remediate the vulnerability in accordance with the vulnerability-handling requirements set out in Part II of Annex I. In this regard, special attention should be given to Article 14 of the CRA, which delineates the reporting obligations of manufacturers whenever they become aware of an actively exploited vulnerability.

Conversely, importers and distributors are not subject to such stringent obligations. Upon becoming aware of a vulnerability, they should inform the manufacturer without undue delay about that vulnerability. Where the product presents a significant cybersecurity risk, they should immediately inform the competent market surveillance authorities.

Portugal has designated the CNCS as the National Cybersecurity Certification Authority, responsible for implementing a national cybersecurity certification framework. In this context, the CNCS has developed the EC QNRCS certification, based on European schemes.

The EC QNRCS certification scheme has been designed for central and local administration organisations, operators of critical infrastructure, essential and important service providers, digital service providers, and other private and non-governmental organisations, whether for profit or not. This certification provides three levels of assurance: basic, substantial and elevated. The CNCS manages and supervises this national certification scheme in co-operation with the Portuguese Quality Institute (IPQ) and the Portuguese Accreditation Institute (IPAC).

The CNCS has also created a voluntary Cybersecurity Services Certification Scheme (EC SCS), applicable to all organisations established in Portugal that provide cybersecurity services. Under this scheme, the certification authority evaluates the following cybersecurity service areas:

  • incident monitoring and response;
  • vulnerability management;
  • threat intelligence; and
  • penetration testing (“pentesting”).

The EC SCS establishes two certification levels:

  • Basic, which requires compliance with general requirements and service-specific criteria; and
  • Substantial, which includes all Basic requirements and additionally requires Security Accreditation for cybersecurity service providers, issued by the National Security Office.

In addition, a Digital Maturity Certification has been introduced. This certification is based on the QNRCS and sets out national criteria and guidelines that, once met, allow organisations to obtain the National Digital Maturity Seal in Cybersecurity. It is available to organisations across all sectors, with particular emphasis on micro, small and medium-sized enterprises. The seal is awarded at three progressive levels (Bronze, Silver and Gold) and the criteria for obtaining it are defined in Standard DNP TS 4477-1.

Finally, under the new Cybersecurity Legal Framework, the CNCS may require in-scope entities to obtain cybersecurity certification – whether national, European or international. This provision will likely stimulate growth in the cybersecurity market and promote the ongoing development of national certification schemes.

The cornerstone of data protection in the EU, and consequently in Portugal, is the GDPR.

One of the main principles of the GDPR is the integrity and confidentiality principle, established in Article 5(1)(f). This principle is enshrined by Article 32 (security of processing) and Articles 33 and 34, which relate to notification and communication obligations in the event of a personal data breach.

In light of this legal framework, controllers and processors are required to adopt “appropriate” technical and organisational measures to ensure a level of security that is “appropriate” to the potential risks. The adjective “appropriate” allows for a risk-based approach regarding the controls that should be implemented, considering the state of the art. For this purpose, Article 32 lists some controls that represent the professional consensus on security controls for processing, such as encryption and pseudonymisation. When assessing the adequacy of the technical and organisational measures to be implemented, the controller or processor concerned may take into consideration the cost of implementation, the risks associated with the processing activities, and their severity for the rights and freedoms of data subjects.

In any case, the controller must have in place adequate mechanisms for detecting personal data breaches. When the controller becomes aware of such a breach, it must consider the obligation to notify the supervisory authority without undue delay where there is a foreseeable risk to the rights and freedoms of natural persons. If the controller or the supervisory authority subsequently concludes that there is a high risk to the rights of data subjects, the controller is obliged to communicate the personal data breach to the data subjects without undue delay.

Law No 58/2019 does not provide any further specifications regarding the security of processing. Nevertheless, it is worth noting that the CNPD has issued guidelines (Diretriz/2023/1, CNPD, available only in Portuguese) proposing indicative security measures to be implemented by data controllers. In terms of organisational measures, the CNPD suggests that controllers and processors consider implementing analysis procedures for monitoring network flows and carrying out periodic IT security audits and vulnerability assessments. With regard to technical measures, the CNPD suggests, inter alia, increasing the robustness (hardening) of servers.

Given the synergies between cybersecurity and the protection of personal data, the CNCS acts in collaboration with the CNPD whenever a cybersecurity incident involves a breach of personal data.

AI is elevating cybersecurity threats by enabling the easy generation of malware, deepfakes and other cyber-threats. On the other side of the coin, AI systems are particularly vulnerable to cyber-attacks and cybersecurity incidents. These incidents can impact not only the AI system’s performance but also its end users. For instance, a cybersecurity breach affecting the algorithm or training data of a credit-scoring AI system could affect decisions on a user’s access to credit.

Therefore, the AI Act (Regulation (EU) 2024/1689) emphasises the necessity for high-risk AI systems to maintain a high level of accuracy, robustness and cybersecurity (see Article 15). AI systems with a high risk to fundamental rights and freedoms must be resistant to unauthorised access and equipped with adequate measures for detecting, preventing and responding to cybersecurity incidents.

For this purpose, providers of high-risk AI systems can seek cybersecurity certification under Regulation (EU) 2019/881. In such a case, Article 43 of the AI Act establishes a presumption of compliance with the cybersecurity requirements outlined in Article 15. Additionally, the cybersecurity measures implemented by the provider must be included in the technical documentation accompanying the system.

When the AI Act was approved, there was not yet a final agreement from European legislative bodies on the CRA. Nonetheless, the AI Act’s recitals mention the co-ordination between the two laws. Recitals 77 and following of the AI Act are mirrored in Recital 51 and Article 12 of the CRA, which presumes compliance with Article 15 of the AI Act when the high-risk AI system meets the essential cybersecurity requirements in Annex I of the CRA.

Furthermore, the procedure for assessing compliance with the essential cybersecurity requirements for a product with digital elements that is simultaneously classified as a high-risk AI system will follow the provisions of Article 43 of the AI Act. However, in the event that the application of this provision would lead to a reduction in the level of security required for critical or important products with digital elements, the conformity assessment procedure provided for in the CRA with regard to the essential cybersecurity requirements should apply by way of derogation from this rule.

Entities operating in the healthcare sector will, in principle, be qualified as essential under the new Cybersecurity Legal Framework, provided they meet the formal and territorial criteria laid down in such Decree-Law. Additionally, healthcare providers may also be classified as critical entities under the CER framework, thereby becoming subject to comprehensive requirements relating to cybersecurity, cyber-resilience and physical security.

These entities’ value and impact on basic societal functions make them prime targets for cyber-attacks, often aimed at compromising health data and the safety of individuals. As such, Regulations (EU) 2017/745 and 2017/746 on medical devices and in vitro diagnostic medical devices have introduced cybersecurity requirements. These regulations ensure that devices placed on the EU market are equipped to address new technological challenges related to cybersecurity risks.

The Medical Devices Regulation (MDR) requires medical devices with electronic programmable systems and software to meet minimum cybersecurity requirements. This includes devices such as pacemakers and insulin pumps. Consequently, these requirements cover hardware, IT network characteristics and IT security measures, including protection against unauthorised access, to ensure that the software works as intended. In light of Commission Implementing Regulation (EU) 2021/2226, manufacturers of specific medical devices must perform and document a risk assessment covering the safety and back-up mechanisms in the event of a hardware or software fault, particularly if the instructions for use are provided in electronic form and integrated within the device.

According to the guidance on cybersecurity for medical devices (MDCG 2019-16 Rev 1, December 2019), manufacturers must implement state-of-the-art cybersecurity measures. This guidance is intended to help manufacturers comply with the essential cybersecurity requirements outlined in Annex I of the MDR and the In Vitro Diagnostic Medical Devices Regulation.

The MDR does not define “IT security”, so the Medical Device Coordination Group document refers to the definition provided by ENISA. IT security is thus defined as the protection against threats to the technical infrastructure of a cyber system that could change its characteristics to perform unintended activities (Definition of Cybersecurity – Gaps and Overlaps in Standardisation, December 2015). The same applies to the definitions of operational security and information security.

In Portugal, Decree-Law No 29/2024 ensures the national implementation of the MDR and provides that healthcare entities deploying a medical device must report all security measures implemented and their performance to the competent authority (ie, INFARMED, I.P.).

Also at the national level, Order No 8877/2017 establishes the governance model to be followed by the Shared Services of the Ministry of Health, in conjunction with the National Security Office and the CNCS. The same Order requires all health entities of the national health service to adopt a cybersecurity policy and a contingency plan for cybersecurity incidents.

Finally, it is important to highlight that the European Health Data Space, governed by Regulation (EU) 2025/327 of 11 February, complements the CRA. This is achieved by revising certain provisions and introducing new paragraphs that address cybersecurity requirements for products with digital elements classified as electronic health record systems.

Abreu Advogados

Av. Infante Dom Henrique 26
1149-096, Lisbon
Portugal

+351 217 231 800

+351 217 231 899

lisboa@abreuadvogados.com https://abreuadvogados.com/en/

Trends and Developments



Navigating Compliance Challenges in 2026

Introduction

In Portugal, the legislation produced towards the end of 2025 – which included statutes addressing cybersecurity requirements – contributed to an increasingly complex regulatory landscape. Focusing on the safety, resilience and robustness of ICT systems and on the integrity and availability of the data feeding into them, Law No 73/2025 of 23 December and Decree-Law No 125/2025 of 4 December (the former being a sectoral instrument for the financial sector, and the latter a horizontal framework for cybersecurity in the EU) further built on the applicable legal framework, in addition to providing for the personal liability of managers and other individuals who sit on the boards of the entities subject to each regime.

This article provides ICT service providers and recipients with an overview of the scope, content and liability schemes in Law No 73/2025 and Decree-Law No 125/2025. The article concludes with an introduction to compliance methodologies for implementing these statutes.

Law No 73/2025

Law No 73/2025, applicable from 28 December 2025, executes in the national order Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 (the “Digital Operational Resilience Act” – DORA) concerning the operational resilience of the financial sector. It additionally transposes Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022, which amends Directives 2009/65/EC, 2009/138/EC, 2011/61/EU and 2014/65/EU (containing additional requirements relating to ICT risk).

Going beyond what was required under the strict terms of DORA, which is directed at financial institutions, Law No 73/2025 extends its obligations to insurance and reinsurance companies and pension fund management companies – although it excludes savings banks, with the exception of those savings banks that are incorporated as public limited companies. As competent supervisory authorities under DORA, Law No 73/2025 appoints the Bank of Portugal (Banco de Portugal or BdP), the Insurance and Pension Funds Supervisory Authority (Autoridade de Supervisão de Seguros e Fundos de Pensões or ASF), and the Securities Commission (Comissão do Mercado de Valores Mobiliários or CMVM), in line with otherwise applicable regulations.

As for the executory acts necessary for the implementation of DORA in Portugal, Law No 73/2025 establishes that voluntary notice of significant cyber-threats must be submitted before the national Computer Security Incident Response Team (CSIRT), in addition to submission before the BdP, ASF or CMVM, as applicable.

The BdP, ASF and CMVM are empowered to establish further regulation, in particular concerning:

  • the channels and operational steps for communication between financial entities and the competent authority;
  • the channels and operational steps for communication to competent authorities of the necessary contractual information concerning the receipt of ICT services;
  • the standardised models, forms and procedures for communication to competent authorities of the necessary contractual information concerning the receipt of ICT services that support important or critical functions;
  • the frequency and expected minimum content of communication to competent authorities concerning the financial institutions’ ICT risk reference framework preparation and review;
  • the conditions, channels and proceedings of communication to competent authorities concerning the financial institutions’ estimates of ICT-related severe incidents’ costs;
  • the standardised models, forms and procedures for communication to competent authorities of threat-led penetration testing (TLPT) executions; and
  • the conditions, channels and proceedings of communication to competent authorities of agreements which include sharing specific and sensitive information concerning cyber-attacks.

Concerning breaches – enforcement of which Law No 73/2025 also entrusts to the BdP, ASF and CMVM – both the financial entities and their managers and administrators may be held administratively liable for intentional and negligent acts.

Company breaches include:

  • failure to provide information requested by a competent authority, as well as the provision of information to competent authorities that is not complete, truthful, current, clear, objective or lawful;
  • absence of a demonstrably implemented suitable ICT-related internal governance framework and documented ICT risk-management framework;
  • absence of suitable systems, protocols, tools, policies, solutions, strategies and procedures in use in the context of ICT; and
  • non-documentation of these security elements, absence of their review or overdue updating (including their obsolescence), in addition to the breach of any and all duties not referred to individually under Law No 73/2025, but which are “enshrined in Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 and in applicable European or national legislation or regulations on digital operational resilience”.

Personal liability is in turn attached to non-performance, by members of the board of administration and higher directorship positions (quadros superiores responsáveis), of the “functions, competences and responsibilities” entrusted to them in connection with ICT within the financial entity.

Considering that the management body of the financial entity shall “define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework”, for the purpose of which the management body shall “bear the ultimate responsibility for managing the financial entity’s ICT risk” (Article 5(2) of DORA), it could be argued that members of the board of administration and those holding higher directorship positions also hold direct responsibility – thus being administratively liable – for any and all company breaches connected to their own areas of responsibility.

This is especially relevant given that these breaches are considered to be serious infractions, and that decisions on application of sanctions for the breaches described above must be made publicly available online.

Penalties for breaches are segmented by type of person and economic activity of the breaching company.

For infractions committed in the course of the activities of credit institutions, investment firms, securities depositories, entities managing regulated markets, multilateral or organised trading facilities, central counterparties, data-reporting service providers or collective investment undertaking management companies, payment institutions, electronic money institutions, insurance and reinsurance companies, account information service providers, crypto-asset service providers, critical benchmark administrators or pension fund management entities:

  • if the offender is a legal (collective) person (a company or equivalent), the fine shall be between EUR10,000 and EUR5 million; and
  • if the offender is a natural (single) person (an administrator, officer or director), the fine shall be between EUR5,000 and EUR2.5 million.

For infractions committed in the context of the activity of insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries:

  • if the offender is a legal (collective) person (a company or equivalent), the fine shall be between EUR3,000 and EUR2.5 million; and
  • if the offender is a natural (single) person (an administrator, officer or director), the fine shall be between EUR1,000 and EUR500,000.

For infractions committed in the context of the activity of collaborative financing service providers:

  • if the offender is a legal (collective) person (a company or equivalent), the fine shall be between EUR2,500 and EUR500,000; and
  • if the offender is a natural (single) person (an administrator, officer or director), the fine shall be between EUR400 and EUR500,000.

Despite these limits, the maximum applicable fine is increased to the greater of the following amounts:

  • three times the economic benefit obtained, even if wholly or partly in the form of avoided losses; or
  • in the case of administrative offences provided for in the first subparagraph of the previous paragraph and when committed by legal persons, 10% of turnover, according to the latest consolidated or individual accounts approved by the management body.

Decree-Law No 125/2025

Decree-Law No 125/2025 is a horizontal framework transposing Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (the NIS2 Directive). The Cybersecurity Legal Framework will take effect on 3 April 2026, with the initial obligations becoming applicable from 4 May 2026.

Pursuant to Article 8, entities must self-identify as essential or important and, pursuant to Article 35, complete their registration on the National Cybersecurity Centre (CNCS) electronic platform within 60 days of the date on which it becomes available. The CNCS will then review this self-identification and determine, in accordance with the criteria established by law, the qualification of the entities, informing them of its decision within 30 days. It is the responsibility of the entities to keep the information on the CNCS electronic platform up to date. These essential or important entities must also, by 4 May 2026, notify the CNCS of the person(s) designated to perform the functions of Cybersecurity Officer and permanent point of contact, providing their contact details and the information provided for in Articles 31 and 32 of the Cybersecurity Legal Framework (subject to the relevant CNCS Regulations).

From the outset, members of the board and other directors will be subject to an accountability obligation, under which they will be responsible not only for approving measures but also for providing for the production and updating of documentation and records relating to the adoption, implementation and execution of cybersecurity measures appropriate to the entity they manage.

Management bodies must also appoint a person responsible for cybersecurity in the entity they manage. This person may be a member of a management body – who takes on the responsibility for cybersecurity in addition to their existing duties – or may hold a function independent from management that reports directly to it. It should be noted, however, that the allocation of specific tasks to a designated person responsible for cybersecurity does not exempt the management bodies from their own responsibilities under the Directive and the respective transposition law.

In this context, the responsibility attributable to the heads of management bodies should not be overlooked. This is because both the Directive and the national transposition law provide for the possibility of imposing fines of considerable amounts. Specifically, for essential entities, among other penalties, fines of up to EUR10 million or 2% of annual global turnover are envisaged; for members of management bodies, individual and direct financial penalties of up to EUR250,000 are also envisaged.

Article 3 of the Cybersecurity Legal Framework extends its applicability to entities that, regardless of their size, are identified on a case-by-case basis as critical (within the meaning of Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities, and Decree-Law No 22/2025 of March 19th, which transposes it into national law) by the National Civil Emergency Planning Council; the deadline for this identification is 17 July 2026. The National Civil Emergency Planning Council is competent to approve the criteria and methodology applicable to the identification of critical entities and their respective critical infrastructure.

The supervision and enforcement of the National Cybersecurity Framework – carried out through on-site inspections, targeted security audits, security checks and requests for information, among others – is the responsibility of the CNCS or the national sectoral cybersecurity authorities, which may also take the necessary measures to ensure such compliance, guided always by the principles of pursuit of the public interest, legality, efficiency, effectiveness and proportionality, and whenever possible minimising its impact on the activities of the supervised entities. Essential and important entities are subject to different supervisory regimes: essential entities are subject to a more comprehensive ex ante and ex post supervisory regime, while important entities are subject to a more simplified ex post supervisory regime.

Under this new Cybersecurity Legal Framework, the obligations of essential and important entities relate to:

  • the management of cybersecurity risks;
  • approving and supervising the implementation of cybersecurity risk-management measures;
  • ensuring compliance with supervision and enforcement measures;
  • ensuring that cybersecurity training is provided on a regular basis;
  • ensuring the security of networks and information systems through the implementation of a cybersecurity risk-management system;
  • preparing annual reports;
  • taking the technical, operational and organisational measures that are appropriate to manage the risks to the security of the networks and information systems they use in their operations, and to prevent or minimise the impact of incidents on the recipients of their services and on other services;
  • adopting specific cybersecurity measures, which include incident handling and reporting, business continuity (such as back-up management and disaster recovery) and crisis management; and
  • ensuring supply chain security, including security aspects relating to the relationships between each entity and its suppliers or direct service providers.

It is important to note that the responsibility and powers necessary to fulfil these obligations cannot be delegated, except to another member of the management, direction and administration bodies.

Breach of the obligations and duties described above may result in the application of the following penalties.

For very serious infractions:

  • if the offender is an essential entity, the fine shall range from EUR2,000 to EUR10 million or 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher;
  • if the offender is a natural person within the essential entity, the fine shall range from EUR350 to EUR200,000;
  • if the offender is an important entity, the fine shall range from EUR1,250 to EUR700,000 or a maximum amount of no less than 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher; and
  • if the offender is a natural person within the important entity, the fine shall range from EUR350 to EUR200,000.

For serious infractions:

  • if the offender is an essential entity, the fine shall range from EUR1,250 to EUR5 million or 1% of the total worldwide annual turnover in the preceding financial year, whichever is higher;
  • if the offender is a natural person within the essential entity, the fine shall range from EUR250 to EUR125,000;
  • if the offender is an important entity, the fine shall range from EUR875 to EUR3.5 million or a maximum amount of no less than 0.7% of the total worldwide annual turnover in the preceding financial year, whichever is higher; and
  • if the offender is a natural person within the important entity, the fine shall range from EUR250 to EUR125,000.

For minor infractions:

  • if the offender is a legal person (an essential or an important entity), the fine shall range from EUR875 to EUR45,000; and
  • if the offender is a natural person within the essential or important entity, the fine shall range from EUR250 to EUR3,750.

In addition to the economic penalties described above, the CNCS may issue binding orders or instructions to take the necessary measures to prevent, impede or correct an incident, setting deadlines for their implementation and reporting, and even appoint a supervisor with appropriately defined duties, for a limited period, to oversee compliance with the provisions of the regime relating to cybersecurity measures and incident notifications by the entity concerned.

In the event of non-compliance by essential entities with any of the above measures within the time limit set by the competent cybersecurity authority, the latter may, to the extent strictly necessary:

  • suspend a certification, authorisation or licence relating to part or all of the relevant services provided or activities carried out by the entity, or order a certification body to suspend it; or
  • request the competent body to suspend the authorisation or licence relating to part or all of the relevant services provided or activities carried out by the entity.

Such suspensions and prohibitions shall remain in force until compliance is restored.

Conclusion

Based on the above, Law No 73/2025 and Decree-Law No 125/2025 share common actionable takeaways for 2026:

  • self-identification and registration – legal persons should determine their status under the new statutes, compile required registration data and, after submission, update the registry as required;
  • governance measures and maintenance of evidence/documentation of compliance – legal persons should appoint a cybersecurity seat, draft internal policies and create a centralised registry of evidence of compliance;
  • design and implementation of incident-reporting processes – legal persons should map incident thresholds that trigger reporting, build a reporting workflow and draft templates, and test their incident-reporting processes; and
  • supplier risk assessment and managed service providers – legal persons should create a risk-based supplier categorisation model, establish exit plans and perform due diligence over suppliers before onboarding.

Given the substantial penalties, a robust compliance methodology (understood as adherence to all relevant laws, regulations, industry standards, and own internal policies) is essential. Compliance, however, can only be achieved following a case-by-case assessment and the preparation of implementation projects tailored to the individual needs and capabilities of each entity.

A general compliance methodology follows a five-step actionable plan:

  • risk appetite setting;
  • asset mapping;
  • governance;
  • control; and
  • monitoring.

Any compliance project must start with the delimitation of risk appetite, and the establishment of internal risk-taking policies and dynamics (including defining acceptable operational downtime, data loss thresholds and maximum tolerable legal exposure), followed by a mapping of the entity’s cyber-assets – these should include data, information and ICT systems and hardware, which should be classified by criticality and sensitivity.

Once cyber-assets have been mapped, responsibilities over implementation and oversight of cybersecurity tools and measures must be distributed and allocated among the different company departments and to their higher-ranking staff (directors, chief officers, managers or others, as applicable). Companies may, for example, create a RACI matrix showing who is responsible, accountable, consulted and informed.

Only upon having mapped cyber-assets and allocated responsibilities can the applicable obligations be identified and the mechanisms, processes and tools needed to fulfil them be selected by the competent person(s). Identifying compliance risks in the design process itself, by embedding compliance checkpoints into everyday processes, ensures that the solutions implemented are robust and tailored to the company’s specific scenarios. Such identification requires a prior decision on the company’s risk management approach – ie, which risks require an immediate response, which can be addressed later, and how the effectiveness of responses is tracked.

Implementation of these mechanisms, processes and tools must then be supervised by a competent individual and should be followed by periodical reviews. In this context, it is worth noting that design processes that simplify compliance without compromising efficiency or the experience of end users (employees, customers and stakeholders) should be prioritised. Hence, companies should establish key performance indicators (KPIs) in relation to, for instance, supplier compliance rates and incident detection and communication time.

Continuous assistance by legal counsel throughout the implementation process, and afterwards, may prove beneficial. Companies must create sustainable compliance structures that ensure ongoing compliance with standards, even as regulations evolve or changes occur in the organisation’s operations.

To navigate the complex network of obligations to which ICT service providers and recipients are subject, these actors must arm themselves with suitable measures: adherence to official statutes, regulations and best operational standards assists them in complying with the applicable framework.

Abreu Advogados

Av. Infante Dom Henrique 26
1149-096, Lisbon
Portugal

+351 217 231 800

+351 217 231 899

lisboa@abreuadvogados.com

abreuadvogados.com/en/