NIS2 compliance within your SME's reach
The first gap-analysis platform designed for Portuguese SMEs, aligned with the new National Cybersecurity Reference Framework. Guided assessment, controls tailored to your organisation and reports ready to present. No consultants, no costs.
The challenge
NIS2 has reached SMEs. Consultancies haven't.
Decree-Law 125/2025 extends cybersecurity obligations to thousands of Portuguese small and medium-sized enterprises, companies without the budget for specialised consulting or dedicated security teams.
Complex regulation
A European directive, a decree-law, a national reference framework: just understanding what applies to your company is a project in itself.
Real fines
Fines for non-compliance can reach millions of euros, and management bodies can be held directly accountable. Ignoring it is no longer an option.
Limited resources
No CISO, no security team, no consulting budget. SMEs need a clear, affordable path, not another 200-page report.
The solution
From uncertainty to an action plan, in one place
NIS2PME turns the regulatory framework into a concrete journey: assessment, controls, evidence and reports, all in language management understands.
Guided self-assessment
A 10-question, plain-language questionnaire mapped to the most common vulnerabilities in SMEs. At the end, you receive a priority action plan: the controls to address first.
Controls tailored to your level
You only see the controls the regulatory framework requires of your organisation, from the Basic to the High level, with statuses, priorities and progress per domain.
Evidence management
Attach documents and proof to each implemented control. When supervision comes knocking, everything is organised and ready to present.
Compliance reports
Track maturity per domain, identify priority actions and export reports for management, auditors or the competent authorities.
Document templates
Pre-filled policies, plans and procedures: your incident response plan no longer starts from a blank page.
Multi-user and audit trail
Multiple users with distinct roles and a complete audit log of every action on the platform.
Proportional by law
The right level for your organisation, no more and no less
It is Decree-Law 125/2025, through the QNRCS, that determines the compliance level applicable to each entity, based on its size, risk and criticality. The platform applies the regulatory framework: the assessment classifies your organisation and presents only the required controls.
Basic
The QNRCS entry level: the fundamental cybersecurity hygiene practices.
Substantial
Reinforced requirements for entities with greater risk exposure and impact.
High
The most demanding level, for the largest and most critical entities.
Beyond the minimum
Additional controls for those who want to go further: up to 107 controls in total.
The 6 QNRCS domains
Transparency note: the platform is based on the public consultation draft of the QNRCS 2026. As soon as the final version is published, the framework will be updated, and your answers and progress are preserved.
How it works
Four steps to demonstrable compliance
Answer the assessment questionnaire
10 simple questions, mapped to the most common vulnerabilities in SMEs. No technical knowledge required.
Receive your priority action plan
Each answer is linked to QNRCS controls. At the end, you know exactly which ones to review and implement first.
Implement the controls with guidance
Each control explains the what, the why and the how, with document templates and built-in evidence management.
Track, demonstrate and improve
Progress dashboards and exportable reports that demonstrate your compliance to management and authorities.
Verifiable trust
In a cybersecurity platform, seeing the code is the argument
NIS2PME is open-source under the AGPL-3.0 licence. No black boxes, no vendor lock-in, no pricing surprises, because there is no pricing.
Auditable code
All the code is published on GitHub. Anyone, including your IT staff, can verify exactly what the platform does with your data.
On-premises with Docker
Deploy on your own infrastructure with a simple docker compose up. Your company's data never leaves your control.
Actively developed
Continuous updates, including alignment with the final version of the QNRCS 2026 as soon as it is published. Follow and contribute on GitHub.
Frequently asked questions
Questions? That's natural: the regulation is new for everyone
Is my company covered by NIS2?
NIS2 covers entities across 18 sectors, including many medium-sized companies (and some small ones in specific cases). Our guide on NIS2 and Decree-Law 125/2025 helps you understand how the law applies to your organisation.
How much does the platform cost?
Zero. NIS2PME is open-source (AGPL-3.0) and free. You can deploy it on your own infrastructure with Docker and keep it fully under your control.
What is the QNRCS 2026?
The Portuguese National Cybersecurity Reference Framework is the technical reference that operationalises the requirements of Decree-Law 125/2025, organised into 6 domains and 3 compliance levels. The platform is based on the public consultation draft and will be updated once the final version is published.
Is my data safe?
With the on-premises deployment, your data never leaves your infrastructure. Demo accounts on our hosting are for evaluation only: we recommend representative data, not real sensitive data.
Start your path to compliance today
Find out in minutes where your company stands and what is left to do. Free, open-source, available in Portuguese and English.
The online platform (hosted service with demo accounts) is in final preparation. Leave your email and we will let you know as soon as you can try it.
Used exclusively for the launch announcement. No newsletters, no third-party sharing.
Don't want to wait? The on-premises version is already available: deploy via Docker from GitHub.