NIS2 in Portugal: how an SME should respond without falling into compliance theatre
Portugal’s new cybersecurity legal framework will force many businesses to revisit assumptions they’ve rarely had to question. With Decree-Law No. 125/2025, transposing NIS2 and entering into force on 3 April 2026, the range of potentially covered entities expands significantly. Estimates point to 7,000 to 9,000 entities.
For many SMEs, the first read will be predictable: another obligation designed for large groups, heavily regulated sectors, or organisations with internal compliance teams. That read could be costly. The new framework isn’t limited to large organisations, and its effect goes well beyond the formally covered entities. In many cases, pressure will arrive through contracts, through clients, suppliers, or partners who start requiring minimum controls, evidence, and response capability.
The most important point here isn’t legal. It’s management. The relevant question for an SME isn’t just “what does the law say?” but: are we in scope, who owns this topic internally, and how do we avoid turning this into an expensive documentation exercise with no real impact?
NIS2 isn’t only for large companies
One of the most persistent misconceptions around NIS2 is that it’s a framework designed exclusively for large operators. It isn’t.
The new regime covers critical sectors and other covered sectors including energy, transport, banking, health, digital infrastructure, and managed ICT services, but also waste, food, chemicals, parts of manufacturing, digital services, and research. In many cases, scope depends on a combination of sector and size.
That means companies with 50 or more employees or €10 million or more in turnover, depending on the activity, may qualify as important entities. And even where there’s no direct scope, there’s an indirect effect worth paying attention to: the supply chain. Many companies will feel this pressure because they serve organisations that will start requiring MFA, minimum policies, access control, activity logs, incident response processes, and additional supplier guarantees.
Being “outside” legal scope doesn’t mean being outside the problem.
The main risk is responding with compliance theatre
Whenever a new regulatory framework arrives, the market reacts predictably. Checklists, templates, standard policies, and offers promising to “handle the topic” quickly multiply. The problem is that in areas like this, documentation is just the visible part. And often it isn’t even the most important part.
NIS2 doesn’t only expose documentation gaps. It exposes organisational fragility: no clear owners, poorly controlled access, excessive dependency on suppliers, backups that have never been tested, incident processes that exist only on paper, and no evidence of what the organisation actually does.
This is exactly where many responses fail. Policies, reports, and audit folders get produced, but the operation stays the same. When an incident happens, or a client asks for concrete proof of controls, the difference between real governance and a cosmetic exercise becomes obvious fast.
For an SME, this distinction is decisive. The goal shouldn’t be “appear compliant.” It should be organising what matters, with clear ownership, routine, and the ability to demonstrate what’s actually being done.
What an SME should organise first
The new regime covers areas like incident management, business continuity, supply chain security, access control, multi-factor authentication, training, security policies, and evaluation of measures taken. All of this is relevant. From a management perspective, though, it’s worth translating these obligations into clear operational priorities.
The first is ownership. The law requires the appointment of a Cybersecurity Officer, internal or external, with a real connection to the management body. This sounds administrative, but it isn’t. Without assigned ownership, there’s no decision. And without decisions, every critical topic gets lost between management, the IT supplier, and the urgency of the day-to-day.
The second is the minimum set of controls that can no longer be treated as technical detail: MFA on critical accounts, access management, backups with tested restoration, a minimum of logging, and a clear incident response process.
There’s one particularly sensitive point: the notification regime. In the event of a significant incident, an initial alert is due within 24 hours of detection. Meeting that window requires a functioning internal circuit. Who detects it? Who evaluates it? Who decides? Who communicates? Who coordinates with suppliers and, where applicable, with the CNPD? Without this foundation, the obligation exists on paper but not in practice.
Finally, there’s the topic of suppliers and external dependencies. Many SMEs operate on a mix of cloud, critical software, remote access, managed service providers, and legacy systems. Ignoring that layer leaves a material part of the risk outside the analysis.
This is also a data governance and AI governance topic
This is where, in my view, the conversation tends to stop too early.
Most approaches to NIS2 treat it as an isolated cybersecurity project. For some companies that’s enough. For many others, it isn’t. When an organisation is forced to review access, ownership, records, suppliers, evidence, and decision processes, it’s already touching areas that directly intersect with data governance and, increasingly, with AI governance.
In practice, the same companies that can’t clearly answer basic questions about critical access also rarely have a mature view of:
- where sensitive data lives;
- which AI tools are already being used internally;
- who approves the use of those tools;
- how decisions get documented;
- and how they demonstrate consistency to a client, auditor, or partner.
Addressing these topics in isolation tends to create duplication, friction, and unnecessary cost. It makes sense to treat this moment as an opportunity to build a more coherent governance foundation, rather than accumulating disconnected solutions.
How to approach this as an SME
The most useful approach, in my view, starts with a scope and governance assessment, not a rushed implementation.
The first step is understanding whether the company is in direct scope, exposed through contracts, or whether, even sitting formally outside, it already faces demands that justify early organisation. In parallel, it’s worth clarifying who takes internal ownership, which systems and suppliers are critical, and where the most relevant gaps are.
The second step is a short, pragmatic diagnostic focused on the essentials: access, MFA, backups, restoration tests, logging, incident response, supplier management, minimum documentation, and evidence.
The third step is often the most neglected: building a layer of routine and evidence that holds over time. Audit trails, change logs, alerts, living documentation, and periodic reviews have more value than a large set of policies nobody updates. This is also where automation can add real utility, by reducing reliance on manual tasks and organisational memory.
Where the situation requires deeper technical work, on controls, infrastructure, or managed operations, execution should involve the right partners. For many SMEs, this model is more realistic and more effective than buying a vague promise of “full compliance.”
What makes sense to review in the next 30 days
For a Portuguese SME, the next steps don’t need to start with a heavy project. They should start with simple, concrete questions:
- Does the company operate in a covered sector, or does it serve organisations that may require these controls?
- Is there clear ownership of cybersecurity and governance?
- Is MFA active on email, cloud, and administrative access?
- Do backups exist, and have they been tested?
- Is there a maintained list of critical suppliers and the access those suppliers hold?
- Is there an incident process that works within the 24-hour window?
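The checklist above, and the earlier point about turning controls into routine and evidence rather than static policy, can be made repeatable with a small script. The following is an added example, not code from the original article: it scores a constructed inventory of accounts, backups and suppliers against the checklist items, computes the 24-hour initial-alert deadline from a detection time, and records the evidence each run was based on so the next review can be compared with the last. The inventory format, the thresholds (90 days for a restore test, 180 days for a supplier access review) and all sample data are assumptions made for illustration; an SME would substitute its own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds are assumptions for this example, not figures from the
# article or the decree-law; an SME would set its own.
RESTORE_TEST_MAX_AGE = timedelta(days=90)
ACCESS_REVIEW_MAX_AGE = timedelta(days=180)
NOTIFICATION_WINDOW = timedelta(hours=24)   # initial-alert window named in the article
MFA_REQUIRED_ROLES = {"email", "cloud", "admin"}


@dataclass
class Account:
    name: str
    role: str                               # "email", "cloud", "admin" or "user"
    mfa: bool


@dataclass
class Backup:
    system: str
    last_restore_test: Optional[datetime]   # None = restoration never tested


@dataclass
class Supplier:
    name: str
    critical: bool
    access: List[str]                       # systems the supplier can reach
    last_access_review: Optional[datetime]  # None = access never reviewed


def check_mfa(accounts: List[Account]) -> List[str]:
    """Checklist item: MFA on email, cloud and administrative access."""
    return [f"MFA missing on {a.role} account '{a.name}'"
            for a in accounts if a.role in MFA_REQUIRED_ROLES and not a.mfa]


def check_backups(backups: List[Backup], now: datetime) -> List[str]:
    """Checklist item: backups exist and restoration has actually been tested."""
    findings = []
    for b in backups:
        if b.last_restore_test is None:
            findings.append(f"backup of '{b.system}' has never been restore-tested")
        elif now - b.last_restore_test > RESTORE_TEST_MAX_AGE:
            age = (now - b.last_restore_test).days
            findings.append(f"restore test for '{b.system}' is {age} days old")
    return findings


def check_suppliers(suppliers: List[Supplier], now: datetime) -> List[str]:
    """Checklist item: critical suppliers and the access they hold are known and reviewed."""
    findings = []
    for s in suppliers:
        if not s.critical:
            continue
        if not s.access:
            findings.append(f"critical supplier '{s.name}' has no recorded access list")
        if s.last_access_review is None or now - s.last_access_review > ACCESS_REVIEW_MAX_AGE:
            findings.append(f"access held by critical supplier '{s.name}' has not been reviewed recently")
    return findings


def notification_deadline(detected_at: datetime) -> datetime:
    """Latest time for the initial alert, counted from detection (24 hours)."""
    return detected_at + NOTIFICATION_WINDOW


def run_diagnostic(accounts: List[Account], backups: List[Backup],
                   suppliers: List[Supplier], now: datetime) -> Dict[str, object]:
    """Run every check and return the findings together with the evidence they
    rest on, so the same run can be repeated and compared at the next review."""
    findings = (check_mfa(accounts)
                + check_backups(backups, now)
                + check_suppliers(suppliers, now))
    evidence = {
        "run_at": now.isoformat(),
        "accounts_checked": len(accounts),
        "backups_checked": len(backups),
        "critical_suppliers": [s.name for s in suppliers if s.critical],
    }
    return {"findings": findings, "evidence": evidence}


# Constructed sample inventory (not real data) so the block runs offline.
NOW = datetime(2026, 4, 3, 9, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("finance@example.test", "email", mfa=True),
    Account("admin@example.test", "admin", mfa=False),
    Account("erp-cloud-owner", "cloud", mfa=False),
    Account("reception", "user", mfa=False),       # outside the MFA check's scope
]
SAMPLE_BACKUPS = [
    Backup("file-server", NOW - timedelta(days=20)),
    Backup("erp-database", None),
]
SAMPLE_SUPPLIERS = [
    Supplier("MSP Example", critical=True, access=["file-server", "firewall"],
             last_access_review=NOW - timedelta(days=400)),
    Supplier("Cleaning Co", critical=False, access=[], last_access_review=None),
]

if __name__ == "__main__":
    report = run_diagnostic(SAMPLE_ACCOUNTS, SAMPLE_BACKUPS, SAMPLE_SUPPLIERS, NOW)
    for finding in report["findings"]:
        print("-", finding)
    print("initial alert deadline for an incident detected now:",
          notification_deadline(NOW).isoformat())
```

On the sample data the run reports four findings: two privileged accounts without MFA, one backup that has never been restore-tested, and one critical supplier whose access has not been reviewed. Storing the returned `evidence` dictionary with each run is the point of the exercise: it is the trail that shows a client or auditor what was checked and when, which a policy document alone cannot.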
If these questions don’t have clear answers, the topic already warrants executive attention. And the earlier that clarity is established, the lower the likelihood of responding under pressure, with higher costs and worse decisions.
Need to understand if your SME is covered?
If your company needs to understand whether it may be covered by NIS2, or whether it makes sense to prepare a phased response without falling into compliance theatre, the right starting point is a scope and governance assessment.
The goal of that first step is simple: clarify exposure, identify the most relevant gaps, and build a realistic plan that can integrate cybersecurity, data governance, and AI governance, with technical execution supported by the right partners when needed.