SME guide

NIS2, Decree-Law 125/2025 and QNRCS 2026, explained without legalese

Three acronyms, one goal: raising the cybersecurity of the organisations that sustain the economy. Here is what you need to know and what it means in practice for your company.

What is the NIS2 directive?

NIS2 (Directive (EU) 2022/2555) is the European cybersecurity legislation that replaced the original NIS directive. The legislator's diagnosis was simple: cybersecurity incidents multiplied, supply chains became an attack vector, and the first directive covered too few organisations, with rules that varied between countries.

NIS2 responds by dramatically widening the scope to 18 sectors, from transport to energy, healthcare to digital services, manufacturing of critical products to postal services, and by hardening both obligations and penalties. For the first time, thousands of medium-sized companies (and some small ones, in specific situations) have legal cybersecurity obligations.

What changes with Decree-Law 125/2025 in Portugal?

European directives must be transposed into national law. In Portugal, this is done through Decree-Law no. 125/2025, which establishes the legal framework for cyberspace security and gives concrete form to the NIS2 requirements: who is covered, which measures must be adopted, which incidents must be reported, and what the consequences of non-compliance are.

Decree-Law 125/2025 classifies covered organisations into two categories:

  • Essential entities — organisations in highly critical sectors (energy, transport, healthcare, digital infrastructure, among others), subject to the most demanding supervision regime;
  • Important entities — organisations in the remaining covered sectors, with substantial obligations but a less intrusive supervision regime.

Classification depends on the sector of activity, company size and, in some cases, specific criteria. In NIS2PME, you indicate this classification when creating your account, and the platform presents the QNRCS controls corresponding to your entity's level.

What is the QNRCS 2026?

Knowing you are covered is the first step; knowing what to do is the second. The National Cybersecurity Reference Framework (QNRCS) is the Portuguese technical reference that operationalises the legal requirements into concrete security controls, organised into 6 domains: Govern, Identify, Protect, Detect, Respond and Recover.

The 2026 version of the QNRCS defines 3 compliance levels, proportional to each entity's size, risk and criticality:

  • Basic — 39 controls: the fundamental cybersecurity hygiene practices;
  • Substantial — 72 controls: reinforced requirements for greater risk exposure;
  • High — 91 controls: the most demanding tier, for the most critical entities;
  • plus 16 optional controls, for a total of 107.

Status of the QNRCS 2026: the current version of the framework went through public consultation and the final version has not yet been published. NIS2PME is based on the public consultation draft and will be updated as soon as the final version is released, preserving the work already done on the platform.

What are my company's obligations?

Broadly, covered entities must:

  • Manage risk — adopt appropriate technical and organisational measures: security policies, asset management, access control, backups, supply chain security, among others;
  • Report incidents — notify the competent authorities of significant incidents within tight deadlines (early warning within 24 hours, detailed notification within 72 hours and a final report afterwards);
  • Hold management accountable — management bodies must approve risk management measures, oversee their implementation and receive cybersecurity training. This responsibility cannot be delegated to "the IT person";
  • Register with the national competent authority and keep that information up to date.

And if I don't comply?

The sanctions regime is one of the aspects that most distinguishes NIS2 from the previous generation. The directive provides for fines of up to €10 million or 2% of worldwide turnover (whichever is higher) for essential entities, and €7 million or 1.4% for important entities. On top of this come supervisory powers that include audits, binding instructions and, in extreme cases, suspension of certifications or of management functions.

But the right motivation is not the fine: most of the required controls are practices that actually protect the business from ransomware, fraud and operational downtime. Compliance is the by-product of a more resilient company.

Note: this page is an informational summary aimed at SMEs and does not constitute legal advice. For the exact legal classification of your organisation, consult the official texts and, if needed, specialised legal support.

From theory to practice

NIS2PME turns this regulatory framework into a concrete action plan for your company.

Classification

You indicate your entity type and compliance level at registration, and the platform applies the corresponding QNRCS controls.

Gap analysis

The assessment questionnaire crosses your practices with the QNRCS controls and generates a priority action plan.

Demonstration

Organised evidence and exportable reports to answer auditors and authorities.

From the legal framework to an action plan

Indicate your entity's level at registration, answer the 10-question diagnostic and receive a priority action plan: the QNRCS controls to implement first.

Online platform coming soon

The online platform (hosted service with demo accounts) is in final preparation. Leave your email and we will let you know as soon as you can try it.


Don't want to wait? The on-premises version is already available: deploy via Docker from GitHub