
Regulation Implementing the Cybersecurity Legal Framework | Regulation No. 756/2026

Meet The Law TMC – TMC - Technology, Media & Communications

22 Jun 2026 Portugal 3 min read

Today, 22 June 2026, Regulation No. 756/2026 was published, approving the Implementing Regulation of the Cybersecurity Legal Framework established by Decree-Law No. 125/2025 of 4 December, which transposed Directive (EU) 2022/2555 (NIS 2).

The Regulation sets out the practical implementation of the new Cybersecurity Legal Framework by establishing the rules governing the electronic platform, the procedures for the registration and classification of entities, incident notification obligations, the National Cybersecurity Reference Framework ("QNRCS"), and the minimum cybersecurity measures to be adopted by the entities within its scope.

The Regulation applies to essential entities, important entities, and relevant public entities, under the terms and within the limits established by the Cybersecurity Legal Framework.

 

Among its key provisions, the following should be highlighted:

  • Centralised electronic platform: Developed and managed by the National Cybersecurity Centre ("CNCS"), the platform will be available in both Portuguese and English and is intended to streamline and simplify entity registration procedures and communications with the competent cybersecurity authority. Entities will access the platform through secure authentication (Citizen Card, Digital Mobile Key or equivalent), with a single account and dedicated private area being created for each entity.


     
  • Platform-related obligations: All communications with the competent authority required under the Cybersecurity Legal Framework must be submitted through the electronic platform, including:
    • self-identification and classification of entities;
    • notification of the designated cybersecurity officer and permanent point of contact;
    • submission of the annual report;
    • mandatory incident notifications and voluntary notifications; and
    • submission of the list of publicly accessible assets.


       
  • Self-identification and classification: Entities must complete an electronic self-identification form on the platform, following which a provisional registration will be created. The competent authority will then assess the entity's classification, after which the registration will be confirmed as definitive.


     
  • Compliance levels and minimum cybersecurity measures: The Regulation establishes three compliance levels (i.e., basic, substantial and high), determined on the basis of a risk matrix that takes into account the entity's sector of activity and size. Entities must implement the minimum cybersecurity measures corresponding to the compliance level applicable to them.


     
  • Risk management: Essential and important entities are required to carry out periodic risk assessments and risk management activities, including the assessment of residual risks.


     
  • Incident notification: In the event of an incident having a significant impact, entities must submit to the competent authority, through the electronic platform, an initial notification, a notification of the end of the significant impact, and a final or intermediate report, as applicable.


     
  • Electronic notifications: The competent authority will notify entities electronically through the platform. Notifications will be deemed served on the date the entity accesses its private area or, if no access occurs, on the third day following receipt.
     
     

The Regulation therefore constitutes a key instrument for the operational implementation of the Cybersecurity Legal Framework in Portugal, establishing the practical rules that entities within its scope must comply with in order to ensure a high level of cybersecurity of their network and information systems.
 
 

The Regulation enters into force on the day following its publication, namely on 23 June 2026.
 
 

For further information, the full text of the Regulation may be consulted here.
