Introduction
The new Portuguese Cybersecurity Legal Framework, approved by Decree-Law No. 125/2025 of 4 December (Regime Jurídico da Cibersegurança – RJC), entered into force on 3 April 2026, marking a significant step in the transposition of Directive (EU) 2022/2555 of 14 December 2022 (NIS 2 Directive) into Portuguese law.
This framework is complemented by the draft implementing regulation of the RJC, which was submitted for public consultation by the National Cybersecurity Centre (Centro Nacional de Cibersegurança – CNCS) on 10 March 2026, with the consultation period running until 22 April 2026.
In this context, determining the personal scope of the RJC is particularly important, as it identifies which entities are subject to the new regime and on what legal basis.
At European Union level, the NIS 2 Directive lays down the objectives and outcomes that Member States must ensure in order to achieve a high common level of cybersecurity across the Union. The RJC transposes the NIS 2 Directive into Portuguese law by defining, inter alia, the entities falling within its scope, the relevant institutional architecture, the categories of entities subject to the regime, and the obligations relating to identification, registration, notification and compliance. The draft implementing regulation of the RJC further specifies the practical application of the regime, in particular as regards the operation of the electronic platform, the minimum cybersecurity measures, the compliance levels and the notification procedures.
Whether an entity is subject to the regime does not depend solely on its sector of activity or place of establishment but rather requires an integrated assessment of the legal criteria applicable to private and public entities, including the relevant sectoral or organisational framework, the territorial connecting factors, the entity’s size, its criticality and its final classification as an essential entity, an important entity or a relevant public entity.
This study analyses the personal scope of the new regime and the qualification framework applicable to private and public entities potentially falling within the scope of the RJC.
WHICH ENTITIES FALL WITHIN THE SCOPE OF THE RJC?
Private entities
1. Does the entity fall within a type listed in Annex I or Annex II to the RJC?
If not → in principle, outside the personal scope
If yes → proceed to the territoriality assessment
2. Is there a territorial connection to Portugal?
If not → it is not subject to the Portuguese legal framework
If yes → proceed to the substantive assessment
3. Does it provide services or carry out activities in the European Union?
If not → it is not covered under the default rule
If yes → proceed to the size assessment
4. Is it a medium-sized enterprise or does it exceed the thresholds for a medium-sized enterprise?
If not → assess the special criteria
If yes → entity falls within scope
If not → in principle, outside the personal scope
6. If within scope, is it an essential entity or an important entity?
Is there a territorial connection to Portugal?
Main criteria
The entity:
- Has an establishment in Portugal
- Provides services in Portugal, where applicable
- Has its main establishment in Portugal or
- If not established in the EU, has its representative in Portugal
EXTRATERRITORIAL SCOPE
- The CNCS may adopt corrective or restrictive measures, including suspension of the service in Portugal, in relation to providers without an establishment or representation in the national territory that fail to adopt appropriate cybersecurity measures
- As a rule, there must be a preliminary statement of reasons and a response period of not less than 10 days
- Mutual assistance with other Member States is also envisaged in relation to entities with a relevant connection to Portugal
How is “main establishment” determined?
An entity’s subjection to the regime does not depend solely on having a registered office in Portugal. It may also result from the way in which the service is provided, the place where cybersecurity risk-management measures are decided, and, in certain cases, the need to protect national territory.
Is any special criterion met even if the size criterion is not?
Even if the size criterion is not met, an entity of a type listed in Annex I or II may still fall within scope if:
- It provides particularly sensitive services (e.g., DNS service providers, TLD name registries, or qualified trust service providers)
- It is the sole provider of an essential service (e.g., local critical infrastructure)
- Failure of its service could have an impact on public security or public health
- Failure could create systemic risks (e.g., operator with critical customers or cross-border effects) or
- It has critical national or regional importance (e.g., a key player in an essential sector)
If the entity falls within scope, is it an essential or important entity?
Essential entities
Entities of a type listed in Annex I that exceed the thresholds for a medium-sized enterprise (e.g., large operators in energy, transport, or health sectors)
Certain particularly sensitive providers, regardless of size (e.g., qualified trust service providers, TLD name registries, DNS service providers)
Providers of public electronic communications networks or publicly available electronic communications services (in specific cases)
Certain public administration entities
Critical entities under Directive (EU) 2022/2557 (CER Directive), where justified
Other entities listed in Annex I or II under Article 3(2)(b) to (e), where justified by risk exposure, size, and potential impact of incidents
Important entities
Entities of a type listed in Annexes I and II that fall within the scope of the regime and are not classified as essential entities
Entities referred to in Article 3(2)(b) to (e) may also be classified as important, where justified by risk exposure, size, likelihood of incidents, and severity of social/economic impact
Public entities
1. Does the entity fall within any of the categories set out in Article 3(3) to (6) of the RJC?
If not → in principle, outside the personal scope
If yes → check for exclusions
2. Does any of the exclusions set out in Article 3(7) of the RJC apply?
If not → entity within scope
If yes → outside the scope of the regime in that respect
3. If it is within scope, is it an essential entity, an important entity or a relevant public entity?
4. If it is a relevant public entity, does it belong to Group A or Group B?
If the entity falls within scope, is it an essential, important or relevant entity?
Essential entities
Entities of a type listed in Annex I that exceed the thresholds for a medium-sized enterprise (e.g., large operators in energy, transport, or health sectors)
Certain particularly sensitive providers, regardless of size (e.g., qualified trust service providers, TLD name registries, DNS service providers)
Providers of public electronic communications networks or publicly available electronic communications services (in specific cases)
Certain public administration entities
Critical entities under Directive (EU) 2022/2557 (CER Directive), where justified
Other entities listed in Annex I or II under Article 3(2)(b) to (e), where justified by risk exposure, size, and potential impact of incidents
Important entities
Entities of a type listed in Annexes I and II that fall within the scope of the regime and are not classified as essential entities
Entities referred to in Article 3(2)(b) to (e) may also be classified as important, where justified by risk exposure, size, likelihood of incidents, and severity of social/economic impact
Relevant public entities
A distinct category for certain public entities within scope that are not classified as essential or important entities
If it is a relevant public entity, does it belong to Group A or B?
Group A
Public entities of greater size or institutional significance
Direct State administration bodies with ≥ 250 employees, indirect State administration and autonomous administration bodies with >250 employees, public undertakings that exceed the thresholds for a medium-sized enterprise
Independent administrative entities, the Economic and Social Council, the Ombudsman, and certain services of the President of the Republic, the Assembly of the Republic, the courts and the higher councils
Group B
Public entities of intermediate size
Direct State administration bodies with 75 to 249 employees
Indirect State administration and autonomous administration bodies with 75 to 249 employees
Public undertakings classified as medium-sized enterprises