NIS 2: Transforming Cybersecurity in Portugal – Turning Regulation into Resilience

The transposition of Directive (EU) 2022/2555 (NIS 2) into Portuguese law, formalised by Decree-Law No. 125/2025 of 4 December, marks a defining moment for national digital security. As a data centre provider operating in the Digital Infrastructure sector, and classified as an Essential Entity, we see this new legal framework not as a regulatory burden, but as a strategic opportunity to strengthen collective resilience across companies and society.

The digital threat landscape is increasingly severe, with cyberattacks growing in both volume and sophistication, carrying disruptive potential for critical assets. NIS 2 is the European Union’s robust response, designed to ensure a high common level of cybersecurity across Member States, reinforce public trust, and enhance the resilience of essential services.

A Collaborative Approach to Security

This transformation calls for a positive, cooperative mindset. The new regime explicitly promotes collaboration between public and private sectors, aiming to build an architecture of convergence, interoperability, and shared responsibility. Institutions such as the National Cybersecurity Centre (CNCS) in Portugal and similar ones across Europe will play a pivotal role in prevention, detection, response, and recovery, acting as allies in this national and regional security effort. This collaborative approach strengthens our ability to anticipate and mitigate threats before they materialise.

Aligning with Global Best Practices

The legislation requires a systematic approach to risk management, supported by technical, operational, and organisational measures. Importantly, the framework aligns with international standards, introducing the National Cybersecurity Reference Framework (QNRCS) as a benchmark for good practices. Compliance efforts will naturally converge with globally recognised standards such as ISO 27001, SOC 2, and NIST CSF.

For organisations that embrace security-by-design principles, such as Start Campus, which prioritises integrated security, NIS 2 validates a fundamental truth: anticipation and proactive defence are our strongest safeguards.

Guidance: Preparing for NIS 2 Compliance

For organisations beginning their compliance journey, the key is to view this as an investment in operational excellence, not a cost burden. Here are five essential steps:

1. Assess and Prioritise Maturity Gaps
   Conduct a thorough self-assessment against NIS 2’s minimum requirements, including risk analysis, incident handling, supply chain security, and cyber hygiene. Focus on areas with the lowest maturity to prepare intelligently.
2. Ensure Management Oversight
   Cybersecurity is now a board-level responsibility. Management must approve and supervise risk management measures and ensure regular training to foster a culture of security. Non-compliance can lead to personal accountability in cases of gross negligence.
3. Appoint Key Roles and Define Accountability
   Essential and Important Entities must designate a Cybersecurity Responsible (a senior leader or direct report to the board) and a Permanent Contact Point (PCP) for 24/7 availability during activation periods. Notify CNCS within 20 working days of appointment.
4. Implement Risk Management and Documentation
   Adopt a systemic approach to protect all assets supporting essential services, including physical environments. Analyse residual risks beyond minimum measures and document all processes and outcomes.
5. Plan for Incidents Proactively
   Establish robust incident response and business continuity policies. Note strict reporting timelines:
   • Preliminary notification within 24 hours of verification
   • Update within 72 hours
   • Final report within 30 working days

Beyond Compliance: Building Resilience

By embracing NIS 2 proactively, we strengthen Portugal’s digital defences, not only avoiding penalties, but more importantly, mitigating operational disruptions caused by increasingly severe cyber threats.

NIS 2 is not just regulation, it is an opportunity to build a safer, more resilient digital future for all.

Written by Fernando Fainzilber

Head of Security, has a deep understanding of security in data center newbuilds and launches, having worked internationally for Amazon Web Services, most recently as Cluster Security Manager in Israel.

Get in touch with Fernando Fainzilber