Regulation for the Legal Framework for Cybersecurity

SÉRVULO PUBLICATIONS 24 Jun 2026

Regulation No. 756/2026 of 22 June, issued by the National Cybersecurity Centre (CNCS), has been published, approving the Regulation for the Legal Framework for Cybersecurity. The Legal Framework for Cybersecurity was approved as an annex to Decree-Law No. 125/2025 of 4 December (RJC), which transposed Directive (EU) 2022/2555 (NIS 2) and applies to essential, important and relevant public entities, within the scope and limits set out in the framework itself.

This is the step that was missing for the framework to operate in practice. The RJC referred the implementation of several of its provisions to regulation, and to that end the CNCS chose, "in a logic of regulatory simplification", to consolidate them into a single normative instrument.

From framework to implementation: what the Regulation approves

• Rules governing the electronic platform, including entity self-identification and classification;
• National Cybersecurity Reference Framework;
• Risk Matrix (defines the conformity levels);
• Conformity levels and minimum cybersecurity measures for essential and important entities, with the relevant verification criteria;
• Cybersecurity measures for relevant public entities;
• Residual-risk management;
• Communication of the annual report, the Cybersecurity Officer and the Permanent Point of Contact;
• Mandatory incident notifications and voluntary notifications of relevant information;
• Electronic notifications by the authorities to registered entities.

The point to keep in mind: the deadlines

The Regulation enters into force the day after publication and produces effects immediately, albeit with certain expressly provided exceptions.

In particular, the obligations relating to cybersecurity measures, the supply chain, residual-risk management, the annual report and the measures for relevant public entities, as well as the associated very serious administrative offences, only produce effects 24 months after publication of the Regulation.

In other words, the publication of Regulation No. 756/2026 on 22 June 2026 is the event that starts the 24-month transitional period for this core set of obligations. By contrast, what is operational from now is the on-ramp into the system — namely, registration and classification on the platform, designation of the Cybersecurity Officer and the Permanent Point of Contact, and the incident-notification channels.

What to do

Do not wait for the transitional period to end. We recommend: (i) assessing your status (essential, important or relevant public entity) and completing self-identification on the platform; (ii) designating and communicating the Cybersecurity Officer and the Permanent Point of Contact; (iii) preparing processes for any incident notifications; and (iv) starting an internal assessment against the minimum measures and conformity levels.

• The Regulation is available here: Regulation of the Legal Framework for Cybersecurity
• The MyCiber platform will be available here: https://myciber.gov.pt/