Advisory · 25 May 2026 · 10 min read

NIS2 Compliance in Portugal: Evidence Over Documentation

NIS2 compliance in Portugal: Article 27 requirements and audit expectations under Decree-Law 125/2025

Decree-Law 125/2025 entered into force on 3 April 2026. Portugal now has one of the most comprehensive cybersecurity frameworks in the EU, and most organisations in scope are not ready for what CNCS auditors will actually ask for.

The gap is not between organisations that know about NIS2 and those that do not. The gap is between organisations that have documentation and those that have evidence that their controls work under adversarial conditions.

What Article 27 Actually Requires

Article 27 of Decree-Law 125/2025 requires essential and important entities to implement cybersecurity risk management measures appropriate to their size, nature, and risk profile.

The critical phrase is "assessing the effectiveness of their cybersecurity controls". It mirrors Article 21(2)(f) of the Directive, which requires policies and procedures to assess the effectiveness of cybersecurity risk-management measures. A risk register built from interviews and questionnaires does not satisfy it: such exercises routinely miss the lateral movement paths that a hands-on internal assessment finds within hours. A policy stating that privileged accounts require approval means nothing if Active Directory still holds service accounts with excessive permissions that nobody has reviewed. An incident response plan that has never been exercised against a realistic scenario fails when it is needed.

What Article 27 is asking for is evidence that controls hold under realistic attack conditions, not documentation that they exist.

What Auditors Check

Auditors expect organisations to demonstrate that they test both the external attack surface, as a real attacker would approach it, and internal risk: what an attacker can do once inside.

In practice, CNCS auditors can be expected to ask for:

  • A scoped assessment report covering the systems relevant to your essential or important functions. External perimeter only is insufficient. Internal network, Active Directory, cloud identity, and supply chain access are where most real attack paths exist.
  • Remediation evidence: documented proof that findings were addressed after the assessment. A report without a remediation record is audit-insufficient.
  • Retesting: evidence that remediated controls were validated after fixes were applied, not just marked as resolved.
  • Testing frequency appropriate to the organisation's risk profile. Annual testing may be sufficient for a static infrastructure in a low-risk sector; high-risk sectors and environments with frequent change need more frequent testing.

Where Organisations in Portugal Are Failing

The most common gaps in NIS2-covered organisations are not missing firewalls or unpatched systems. They are:

  • Internal attack paths that no one has mapped. External assessments pass. The internal network has never been tested. Active Directory misconfigurations accumulated over years create paths to privileged access that require no vulnerability exploitation, only an understanding of how permissions work: a service account with an SPN that also sits in a privileged group, or write access on a group, GPO or computer object that chains to domain administration.
  • Excluded systems. Security controls that were never deployed on legacy servers because of compatibility concerns; clinical systems, industrial control interfaces and financial processing environments left out of testing scope for operational reasons. These are precisely the systems that matter most and that attackers target first.
  • Supply chain blind spots. Article 28 extends security obligations to ICT third-party providers. Most organisations have not assessed the access their managed service providers have to their environments.
  • Management accountability gaps. NIS2 makes management directly responsible for approving and overseeing cybersecurity risk management measures. When a breach occurs and the CNCS investigation reveals no structured testing was conducted, the liability sits at board level.

NIS2 vs DORA: Different Requirements

For financial entities (banks, insurers, payment institutions, investment firms, crypto-asset service providers), DORA is the sector-specific act that governs ICT risk management, incident reporting and resilience testing, and it adds requirements that go beyond NIS2.

DORA requires financial entities identified for it by their competent authority to conduct Threat-Led Penetration Testing at least every three years, on live production systems, with a scope validated by the authority and results reported to it. A standard assessment satisfies DORA's baseline ICT testing programme but does not satisfy the TLPT requirement.

TLPT is a full intelligence-led red team engagement. The scope is validated by the supervisor rather than set by the entity alone. The methodology is based on current threat intelligence specific to the financial sector. The findings go to the supervisor. Planning should begin now: scoping, threat intelligence gathering and regulator coordination alone take months.

Requirement                NIS2                                DORA
Security testing           Risk-appropriate assessments        TLPT at least every 3 years
Scope definition           Organisation-defined                Proposed by the entity, validated by the competent authority
Testing environment        Not specified                       Live production systems
Reporting                  Internal and to CNCS on request     To the competent authority
Threat intelligence basis  Recommended                         Mandatory (TIBER-EU-aligned methodology)
Supply chain               Article 28 obligations              ICT third-party risk framework

What Compliance-Grade Testing Looks Like

Regulators and national competent authorities increasingly treat security assessment reports as key evidence of NIS2 compliance readiness. The baseline is clear: organisations must test, document, and remediate.

An assessment that satisfies Article 27 requirements has the following characteristics:

  • Operator-led methodology. Automated scanners produce CVE lists. They do not find the Active Directory attack paths, the misconfigured IAM roles, or the access control issues that represent real business risk.
  • Relevant scope. Internal network and identity infrastructure, not just external perimeter. Cloud environments if applicable. Supply chain access points.
  • Business impact prioritisation. Findings mapped to actual impact on operations, not just severity score. A critical finding on an isolated development server is less urgent than a medium-severity issue that provides a path to privileged access on production systems.
  • Remediation tracking. A record that an auditor can review. Findings addressed, retested, and closed before the next assessment cycle.

Key Deadlines

Deadline                              Obligation
3 April 2026                          Law in force
4 May 2026                            Cybersecurity officer appointed and notified to CNCS
4 May 2026                            24/7 permanent point of contact notified to CNCS
60 days after CNCS platform launch    Self-qualification and registration
Up to 24 months post-entry            Full Article 27 risk management measures

The 24-month window does not mean organisations have two years before acting. CNCS supervision is active now, and the penalty regime applies from the date of entry into force. The Directive's ceilings are fines of up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities, whichever is higher.


OFFCEPT conducts penetration tests and red team operations for organisations in NIS2-covered sectors across Portugal and Europe. Our engagements produce compliance-grade reporting structured for CNCS audits: scoped findings, business impact mapping, and remediation evidence in a format auditors recognise.

Contact us at contact@offcept.com.

This post is for informational purposes only and does not constitute legal advice. For guidance specific to your organisation's legal obligations, consult a qualified legal professional.

Sources: Decree-Law No. 125/2025, CNCS (cncs.gov.pt), Directive (EU) 2022/2555, ENISA Technical Implementation Guidance v1.0.