10-03-2026
.PT prepares the implementation of the new Cybersecurity Legal Framework: a collaborative effort
Cybersecurity is now one of the greatest challenges facing organizations that deliver critical digital services. The increasing sophistication of threats and the importance of digital infrastructures require a structured, rigorous response aligned with the highest European standards.
In this context, on December 4, 2025, Decree-Law no. 125/2025 was published, approving the new Cybersecurity Legal Framework (RJC) and transposing into Portuguese law Directive (EU) 2022/2555 (NIS 2).
.PT, as the entity responsible for managing the national top-level domain, embraces this new framework as an opportunity to further strengthen, in a structured way, practices that are already part of its organizational culture: rigor, resilience and a continuous commitment to compliance.
This process has been underway for several months: .PT actively participated in the public consultation on the proposed legislation, launched in November 2024.
The implementation of the RJC represents a significant challenge for all entities within its scope, particularly for those that, such as .PT, are classified as essential entities in the digital infrastructure sector.
However, .PT has been preparing for this process for several months through a participatory and collaborative effort involving its stakeholders and, in particular, its registrars. The sharing of information, alignment of procedures and joint reflection have been fundamental pillars of this preparation.
The commitment is clear: to ensure a solid, responsible transition fully aligned with the new framework.
What changes with the new Cybersecurity Legal Framework (RJC)?
The RJC establishes a strengthened framework of rules aimed at ensuring a high level of cybersecurity. Its main objectives include:
- Strengthening risk management and governance requirements;
- More stringent incident notification rules;
- More robust supervision and enforcement mechanisms;
- A clear distinction between essential entities (such as .PT) and important entities.
The decree also clarifies the role of the competent authorities, assigning the National Cybersecurity Centre (CNCS) the role of national cybersecurity authority, in coordination with sectoral regulators such as ANACOM, the Bank of Portugal, the CMVM, and the ASF, among other entities with specific competencies.
The framework established under the RJC will also be complemented by key strategic instruments such as:
- The National Strategy for Cyberspace Security;
- The National Plan for Response to Large-Scale Cybersecurity Crises and Incidents;
- The National Cybersecurity Reference Framework (QNRCS).
The RJC enters into force on April 3, 2026, with certain provisions subject to specific implementing regulations.
Key responsibilities of .PT as an essential entity
1. Strengthening cybersecurity requirements
.PT shall, among other aspects:
- Formally register as an essential entity with the CNCS;
- Appoint and communicate the person responsible for cybersecurity and a permanent point of contact;
- Implement and maintain a cybersecurity risk management system;
- Adopt appropriate technical and organizational measures to prevent and mitigate incidents;
- Ensure supply chain security;
- Conduct regular risk assessments of its critical assets;
- Develop security policies and incident response plans;
- Maintain an up-to-date database related to domain name registrations and ensure lawful access to that information within the legally established deadlines;
- Submit an annual report to the CNCS containing information on the activities carried out and incident statistics.
These measures consolidate an approach that is already structured within .PT, reinforcing monitoring, prevention and continuous improvement practices.
2. More stringent incident notification requirements
The new framework establishes clear and demanding deadlines for the notification of significant cybersecurity incidents, including:
- An initial notification within 24 hours of detection;
- Communication of the end of the significant impact;
- A detailed final report (and, where applicable, an interim report).
Additionally, notification to other competent authorities may be required, including the CNPD in the event of a personal data breach.
.PT must also inform the recipients of its services, without undue delay, of any incidents with significant impact, indicating mitigation measures and, where applicable, the nature of the cyber threat.
3. Supervision and enforcement measures
As an essential entity, .PT will be subject to supervision and enforcement mechanisms by the CNCS, including inspections, audits, requests for information and, specifically with regard to .PT’s activity:
- Complying with orders or instructions issued by the CNCS aimed at neutralizing a cyber threat, cyberattack, or incident affecting networks and information systems resulting from the abusive use of domain names;
- Complying with orders to block or redirect domain names to a secure CNCS server.
The RJC establishes a stringent sanctions regime for non-compliance with its obligations, with fines that may reach significant amounts, such as €10,000,000 or up to 2% of the total annual turnover, whichever is higher.
At .PT, cybersecurity is not merely a legal obligation; it is a structural commitment to the stability, trust and resilience of the Portuguese digital ecosystem.
Preparation for this new framework has been marked by commitment, dedication and a clear focus on compliance and continuous improvement. In close coordination with partners and registrars, .PT will continue to work to ensure a rigorous, transparent implementation aligned with national and European best practices.
In an increasingly demanding digital environment, trust is built every day through responsibility, cooperation and a forward-looking vision.
Please note: the articles on this blog may not convey the opinion of .PT, but of its author.