MWSolutionsOT Security
Home / Portugal Cybersecurity
Portugal market capability

Portuguese cybersecurity requirements, translated into an implementable OT programme.

MWSolutions supports organisations across the Portuguese market with RJC and NIS2 applicability, QNRCS implementation, MyCiber preparation, evidence, incident readiness and sector-aware OT controls.

Discuss Portugal readiness →View the delivery roadmap
The current national framework

A new legal and operational baseline for cybersecurity in Portugal.

Decree-Law No. 125/2025 established Portugal's new Cybersecurity Legal Regime and transposed NIS2. Regulation No. 756/2026 provides the implementation structure, including MyCiber, QNRCS v2, risk matrices, conformity levels, communications and evidence criteria.

Coverage depends on sector, entity type, size and criticality. Our work begins with a documented applicability and qualification assessment rather than assuming every organisation has identical obligations.

Portugal delivery baseline
03 April 2026New RJC entered into force
22 June 2026Implementing Regulation published
QNRCS v2National reference structure
MyCiberRegistration and communication platform
What organisations need to address

Governance, controls, reporting and evidence.

The exact scope varies, but the implementation programme commonly needs to cover the following areas.

01

Applicability & qualification

Sector and activity mapping, size and group analysis, essential or important entity support, and retained scope evidence.

02

MyCiber readiness

Registration inputs, entity information, contact details, responsible officer, permanent contact point and submission records.

03

Management governance

Approval of measures, oversight, responsibilities, training, risk acceptance and management reporting.

04

QNRCS controls

Risk-based technical, operational and organisational measures aligned to the applicable conformity level.

05

Incident notification

Decision criteria, escalation, required information, reporting workflow, exercises and coordination with other authorities.

06

Annual reporting & evidence

Registers, records, technical proof, statistics, management approvals, corrective actions and audit-ready traceability.

MWSolutions implementation roadmap

Five practical packages from scope to assurance.

Each package can stand alone or form part of a phased programme, allowing the client to control budget, sequence and operational impact.

01

Scope & Qualification

  • RJC/NIS2 applicability
  • Essential or important classification
  • SME and group analysis
  • MyCiber preparation
02

Governance Foundation

  • Policies and accountability
  • Cybersecurity officer role
  • Permanent contact procedure
  • Management and workforce training
03

Risk & Technical Controls

  • OT asset inventory
  • Risk and architecture review
  • Access, backup and vulnerability controls
  • Supplier and remote-access risk
04

Procedures & Evidence

  • Incident notification procedure
  • Risk and incident registers
  • Evidence index and trackers
  • Annual-report preparation
05

Readiness & Assurance

  • QNRCS gap assessment
  • Internal audit and management review
  • Exercise and recovery testing
  • ISO/IEC 27001 certification readiness
OT-specific implementation

National requirements must work inside real industrial environments.

We adapt implementation to safety, availability, process integrity, legacy technology, maintenance windows and vendor dependencies.

  • PLC, DCS, SCADA, SIS and engineering-workstation environments
  • Zones, conduits, remote access and industrial data flows
  • Patch constraints, compensating controls and lifecycle risk
  • Backup, restoration and recovery of industrial processes
  • Operations, maintenance, IT, HSE and management coordination
BasicFoundation controls and evidence proportional to the calculated risk level.
SubstantialExpanded governance, control depth, testing and traceability.
HighThe most demanding applicable level, including lower-level measures.
Sector-specificAdditional rules may apply through sector authorities and other legislation.
Standards and related regimes

One control programme, mapped across the frameworks that apply.

MWSolutions does not issue certification. We provide implementation, gap assessment, internal assurance and certification-readiness support.

Portugal

National requirements

  • Decree-Law No. 125/2025
  • Regulation No. 756/2026
  • QNRCS version 2
  • CNCS instructions and MyCiber procedures
  • Applicable sector regulations
European Union

Related legal regimes

  • NIS2 Directive
  • DORA for applicable financial entities
  • Cyber Resilience Act for applicable digital products
  • GDPR security and breach obligations
  • Critical-entity resilience interfaces
Technical assurance

Recognised practices

  • IEC 62443 series
  • ISO/IEC 27001 and 27002
  • NIST Cybersecurity Framework 2.0
  • CIS Controls
  • Client and sector engineering standards
All-industry coverage

Portuguese readiness across industrial, digital and essential services.

We tailor obligations and controls to the services, systems and operational consequences of each sector.

Energy & UtilitiesOil & GasChemicalsManufacturingWater & EnvironmentTransport & LogisticsCritical InfrastructureDefence & AerospaceMaritime & PortsMining & MetalsHealthcare & PharmaAutomotive
Transition planning

Use the transition period to build evidence, not to delay implementation.

Some technical-control and annual-reporting provisions have deferred effects, but organisations still need time to determine scope, assign responsibilities, discover assets, treat risk and generate reliable records.

Current CNCS instructions and sector requirements should be checked before any client submission or formal legal conclusion.

Portugal readiness workshop

Start with scope, qualification and the evidence already available.

We can define the likely obligations, gaps, priority actions and a commercially phased implementation plan.

Request a workshop →