The new framework aims to enhance prevention capabilities for businesses and public entities, ensuring they can recover quickly from cybersecurity incidents.

The government is focused on increasing security levels without creating a complex regulatory environment, which aligns with efforts to reduce bureaucracy.

On July 3, 2025, the Portuguese government approved a new legal framework for cybersecurity, which aligns with the European NIS 2 directive aimed at enhancing security rules for networks and information systems.

The proposal was announced during a press conference by the Minister of the Presidency following a Council of Ministers meeting and will be submitted to the Assembly of the Republic for ratification.

Minister António Leitão Amaro highlighted that while Portugal is not facing physical warfare, the country is experiencing a rise in cyberattacks that threaten both public and private infrastructures.

These cyberattacks have the potential to cause significant disruptions in daily life, underscoring the urgent need for improved cybersecurity measures.

To achieve this, the regime proposes a risk-based approach that evaluates the size and criticality of companies and institutions instead of imposing complex approval and licensing requirements.

A risk matrix will be developed to help companies assess their level of danger and determine appropriate cybersecurity measures and reporting obligations.

Additionally, the framework encourages collaboration between the public and private sectors, including the establishment of a cybersecurity certification market.

Importantly, the new framework also legally protects ethical hackers who report vulnerabilities without seeking financial gain, exempting them from criminal liability.

Targeted sectors under this new regime include finance, telecommunications, media, health services, and critical infrastructure.

Despite the government's approval, the new regime must still be ratified by the Assembly of the Republic, following a missed transposition deadline due to political crises, which has led to a process initiated by Brussels against Portugal.