Frequently asked questions

It depends on your sector and size. NIS2 covers 18 sectors, from energy to digital services and transport to manufacturing of critical products, and applies mostly to medium and large companies, although some small companies are also covered in specific cases. Our guide on NIS2 and Decree-Law 125/2025 helps you understand how the law applies to your organisation.

Zero. The platform is open-source under the AGPL-3.0 licence and free. You can deploy it on your own infrastructure with no licensing costs, now and in the future.

There is no catch: the project was born in an academic context, a master’s degree in Information Security, with the mission of democratising access to NIS2 compliance for Portuguese SMEs. The code is public and auditable; you can verify exactly what the platform does.

The National Cybersecurity Reference Framework is the Portuguese technical reference that translates the legal requirements into concrete controls, organised into 6 domains and 3 compliance levels (Basic, Substantial and High). Important: the final version of the QNRCS 2026 has not yet been published. The platform is based on the public consultation draft and will be updated as soon as the final version is released, preserving your work.

It depends on the compliance level that Decree-Law 125/2025, through the QNRCS, requires of your organisation: Basic (39 controls), Substantial (72) or High (91), plus 16 optional controls. The platform does not decide your level: the regulatory framework does, based on the entity’s size, risk and criticality. You indicate your classification at registration and the platform shows only the controls that apply.

It is 10 questions, each mapped to one of the most common vulnerabilities in SMEs and, in turn, to several QNRCS controls. Based on your answers, the platform generates a priority action plan: the controls that should be reviewed and implemented first. You can redo the questionnaire whenever your company’s reality changes.

With the on-premises deployment, your data never leaves your infrastructure: it is the scenario we recommend for real use. Demo accounts on our hosting are exclusively for evaluating the platform: they are automatically deleted after 14 days and should not be used with sensitive or confidential company data.

Full access to the platform for 14 days, with no credit card and no commitment. At the end of the period, the account and all its data are automatically deleted. If you like it, deploy the full version on your own infrastructure with Docker, for free.

The GitHub repository includes everything you need for the on-premises deployment with Docker, including step-by-step documentation. If your company has someone capable of managing a server, you can run NIS2PME.

The platform structures, guides and documents the compliance process, which for many SMEs is enough to move forward with confidence. It does not provide legal advice: for legal interpretation questions specific to your situation, seek specialised support. Platform and consultancy are also not mutually exclusive: many consultants use tools like this with their clients.

No. The platform helps you implement and demonstrate compliance (gap analysis, controls, evidence and reports), but it does not replace formal audits or certifications where required. What it does is make preparing for those moments much simpler.

Both the platform and this website are available in Portuguese and English.

The project is open-source and contributions are welcome: code, translations, content review, bug reports or simply usage feedback. Everything happens on GitHub.