
New Legal Framework for Cybersecurity: NIS 2 Directive

SÉRVULO PUBLICATIONS 12 Dec 2025

On December 4, Decree-Law No. 125/2025 was published, approving the new legal framework for cybersecurity and transposing into national law Directive (EU) 2022/2555, commonly known as the NIS 2 Directive. This legislation replaces the previous regime and establishes a comprehensive regulatory framework to ensure a high and common level of cybersecurity across the European Union.

The new framework is based on strategic instruments such as:

  • National Cybersecurity Strategy;
  • National Plan for Crisis and Cybersecurity Incident Response;
  • National Cybersecurity Reference Framework.

It applies to public and private entities operating in critical or relevant sectors, including essential service operators, digital service providers, and critical infrastructures, as well as Public Administration. Entities related to defense, national security, criminal investigation, and intelligence services are excluded.

Entities are classified as essential, important, or relevant public entities:

  • Essential entities operate in critical sectors (Annex I), including Energy, Transport, Banking, Financial Market Infrastructure, Health, Drinking Water, Wastewater, Digital Infrastructure, ICT Service Management, and Space. Other critical sectors include postal and courier services, waste management, production and distribution of chemicals, food production and processing, manufacturing industry, digital services, and research.
  • Important entities are those listed in Annexes I and II that do not qualify as essential but may be identified as important based on risk level, size, and potential impact of incidents.
  • Relevant public entities are public bodies not classified as essential or important, divided into two groups: Group A (more than 250 employees or above SME thresholds) and Group B (between 50 and 249 employees or medium-sized companies).

The new regime imposes a demanding set of measures, including the implementation of risk management systems, periodic assessments and annual reports, adoption of appropriate technical and organizational measures and appointment of a cybersecurity officer.

The law also requires mandatory notification of significant incidents via an electronic platform, with an initial report within 24 hours, an update on impact, and a final report within 30 days.

The National Cybersecurity Center (CNCS) is strengthened as the national authority, alongside the creation of “sectoral” and “special” supervisory authorities for specific economic sectors.

The sanctioning regime is strict, with very serious offenses subject to fines of up to €10 million.

The Decree-Law enters into force 120 days after publication, i.e., in April 2026, with some exceptions.

This new legal framework represents a decisive step toward strengthening digital resilience and promoting a preventive and effective response culture. To prepare, entities covered by this legislation should start by identifying the applicable regulatory framework and assessing the measures needed to ensure compliance.

Sara Ti | sct@servulo.com
