26 June 26 | Lisboa
TOL NEWS 79 - CYBERSECURITY

New Cybersecurity Legal Framework: 60 business-day deadline to register on the MyCiber platform

Portugal's National Cybersecurity Centre (CNCS) has warned that entities covered by the new Cybersecurity Legal Framework have 60 business days to complete their registration and self-identification on the MyCiber electronic platform (myciber.gov.pt). Once that deadline expires, a 24-month period begins during which entities must implement the minimum security measures assigned to them based on their classification.

Regulatory background

The first implementing regulation under the new Cybersecurity Legal Framework — which transposes the NIS 2 Directive — has been published by the CNCS. It establishes the features of the MyCiber platform, the official communication mechanism between the competent authorities and the entities subject to the framework. The regulation also introduces the National Cybersecurity Reference Framework (QNRCS), which sets out the cybersecurity best practices applicable in Portugal.

Immediate obligations: registration and self-identification

Over the next 60 business days, in-scope entities must self-declare on MyCiber and identify themselves as (i) essential entities, (ii) important entities or (iii) relevant public administration entities. The assigned classification will determine the minimum security measures to be implemented within the following 24 months.

Scope and scale

According to CNCS coordinator Lino Santos, approximately 6,000 entities are expected to fall within the scope of the new framework — a dramatic increase from the 450 entities covered under the previous regime. The universe includes providers of essential and critical services across sectors deemed to carry higher levels of risk.

Key features: prescriptive model and compliance certification

The new framework moves away from the previous model — under which entities were free to conduct their own risk assessments and define appropriate measures — towards a more prescriptive and proportionate approach calibrated by entity size and sectoral risk level. A notable innovation is the possibility for entities to obtain a compliance certificate with the QNRCS — or a digital maturity seal in the cybersecurity component — providing meaningful legal comfort for governing bodies and third parties.

CNCS support measures

To assist entities — particularly those new to compliance obligations of this nature — the CNCS has announced a range of support measures: information sessions and workshops; a free risk analysis tool; guides and templates on the applicable minimum measures; and an updated Cybersecurity Academy curriculum aligned to the new regime. The CNCS is also working with cybersecurity competence centres, with PRR funding support.

TOL NOTE: TOL Legal Team clients operating in sectors potentially covered by the Cybersecurity Legal Framework should urgently assess whether they are subject to the MyCiber registration obligation and ensure their self-identification is completed within the 60 business-day window. TOL is available to assist with classification analysis, assessment of applicable minimum measures, and compliance monitoring throughout the subsequent 24-month implementation period.
