Chief Information Security Officer
CyberNow provides a Chief Information Security Officer service to help your organisation coordinate security measures and meet the requirements of NIS2.
NIS2 is the new European cybersecurity framework that establishes mandatory rules for organisations in critical and relevant sectors, requiring technical, organisational, and governance measures to protect systems, networks, and digital services.
We support the definition and implementation of the controls required to achieve compliance and protect critical systems.
We identify vulnerabilities, assess impact, and build mitigation plans aligned with NIS2 requirements.
We prepare your organisation to respond quickly and meet mandatory deadlines for communicating with authorities.
We help integrate cybersecurity into governance, assigning responsibilities and decision-making processes at executive level.
We implement policies, processes, and evidence that support inspections and help avoid fines for non-compliance.
NIS2 elevates cybersecurity to a legal and strategic level, requiring organisations to plan, document, implement, and continuously demonstrate the processes, controls, and evidence that prove they are protected.
We provide end-to-end support to help your organisation assess, improve, and maintain the cybersecurity measures required by NIS2.
Ensure that services essential to society continue to operate even when attacks occur.
Require organisations to prevent, block, and respond to attacks instead of reacting too late.
Create a common minimum level of cybersecurity across EU member states, reducing differences between countries.
Place senior management in charge of cybersecurity alongside broader risk management responsibilities.
Ensure fast, coordinated communication with authorities and internal teams.
Ensure that suppliers and external services do not become security weak points.
The new framework introduces significant penalties according to the type of entity and the severity of non-compliance.
The directive distinguishes two major groups of entities: Essential Entities and Important Entities, covering organisations from critical and strategic sectors for the economy and society, in both the public and private sectors.
If your organisation operates in one of the sectors below, it is very likely to fall within the scope of NIS2.
Large organisations, critical providers, and public administration entities with a high level of digital integration.
Organisations from strategic sectors that, while not classified as critical infrastructure, still have relevant impact, including:
Public Administration
The new legislation establishes clear and unavoidable responsibilities for the management, leadership, and administration bodies of essential and important entities.
NIS2 requires organisations to implement a structured cybersecurity risk management system. This system protects critical assets, reduces the impact of incidents, and supports alignment with guidance issued by the National Authority, in proportion to the size and risk exposure of the entity.
Definition of responsibilities and implementation of technical, operational, and organisational measures to protect critical networks and systems, manage risk, and mitigate incident impact.
Cybersecurity measures adjusted to the size of the organisation, its exposure level, and the potential impact of incidents, protecting all critical assets and the physical environment without being excessive or insufficient.
Implementation of the guidance, risk matrices, and minimum requirements defined by the National Authority, with cybersecurity measures and compliance levels suited to each sector and entity size.
NIS2 requires effective cybersecurity measures adapted to the risk profile of each organisation.
We help your organisation define, implement, and maintain these measures in a practical way aligned with the law.
These entities must adopt a comprehensive set of cybersecurity measures designed to prevent incidents, ensure business continuity, and reduce the impact of security failures.
We support your organisation in implementing the required measures, ensuring alignment with NIS2.
Effective management of cybersecurity incidents.
Includes backup management, disaster recovery, and crisis management.
Focus on security in relationships with suppliers and direct service providers.
From acquisition and development to maintenance, including vulnerability management.
Policies and procedures to assess the performance of risk management measures.
Basic practices and continuous cybersecurity training for all staff, including management bodies.
Policies and procedures for the use of cryptography and encryption.
Access control policies and asset management practices.
Implementation of multi-factor or continuous authentication, secure communications, and emergency systems.
Public entities must comply with the cybersecurity measures defined by the National Authority and are subject to supervisory and enforcement action with requirements specific to sector and size.
We help implement the requirements, prepare for audits, and respond to supervisory action.
Mandatory compliance with the cybersecurity measures established by the National Authority.
The National Authority defines cybersecurity measures adapted to the proportionality of each entity.
Entities are subject to the supervisory and enforcement measures provided for in the new legislation.
Members of management, leadership, and administration bodies may be held personally accountable if the organisation fails to comply with its legal obligations under NIS2.
Responsibility for compliance cannot be passed to third parties. Management must ensure that measures are applied and monitored.
Non-compliance can have direct consequences for both the organisation and its management, including:
NIS2 requires cybersecurity to be understood and applied throughout the organisation. Training must therefore cover management, technical teams, and all employees, ensuring knowledge, preparedness, and good day-to-day practice.
Training focused on legal responsibilities and decision-making in cybersecurity, helping leadership understand its role in risk management and compliance.
Specialised training in information security, incident response, and threat analysis so teams can prevent, detect, and respond effectively.
Awareness actions on good cybersecurity practices, including phishing, social engineering, and cyber hygiene, reducing the risk of human error.
To comply with NIS2, your organisation must have designated people responsible for cybersecurity and for communication with the competent authority.
These roles help guarantee a quick response and fulfilment of legal obligations.
This role must be available 24/7 during activation periods and may be assigned to an individual or team responsible for communication with the cybersecurity authority.
Certification helps demonstrate that your organisation follows good practices and legal requirements. Within the scope of NIS2, it may be required to reinforce security and prove compliance to the competent authority.
Helps demonstrate that the cybersecurity measures implemented by your organisation are appropriate and follow recognised good practice.
Ensures that ICT products and services meet cybersecurity requirements, whether developed internally or supplied by third parties.
Certifications can be used as evidence of compliance with NIS2 and simplify audits, inspections, and supervisory processes.
Essential, important, and relevant public entities must notify significant incidents to the competent cybersecurity authority.
The act of notifying an incident does not in itself create additional liability for the notifying entity, encouraging transparency and cooperation.
Notifications must be submitted through the National Authority electronic platform, enabling simultaneous communication with multiple relevant authorities.
Notification does not remove the need to comply with other specific incident reporting obligations, such as those involving the Public Prosecutor, CNPD, PJ, and other relevant authorities.
Supervisory measures set out how your organisation will be monitored for compliance with NIS2.
The objective is to identify risks, assess cybersecurity practices, and ensure the organisation remains on the right path.
Essential Entities: on-site inspections and random controls.
Important Entities: on-site inspections and remote ex post supervision.
Essential Entities: regular, targeted, or ad hoc audits.
Important Entities: targeted or ad hoc audits.
Based on objective, non-discriminatory, and transparent risk criteria.
Access to data, documents, and evidence proving the application of cybersecurity policies and procedures.
When improvement needs or non-compliance are identified, enforcement measures may be applied.
These measures allow situations to be corrected in a structured way, with a focus on support and effective fulfilment of obligations.
Issuance of a warning about the identified infringement, clearly indicating the legal or regulatory obligations involved.
Issuance of mandatory instructions, including a deadline to adopt corrective or preventive measures to address deficiencies or infringements.
A situation where required measures are not corrected within the deadline set by the competent authority.
Suspension of certifications, authorisations, or licences, or an order directed to certification bodies to suspend them when applicable.
Imposition of financial penalties according to the applicable sanctioning regime, based on the seriousness and persistence of the infringement.