Lisbon, June 24, 2026 (Lusa) - The coordinator of the National Cybersecurity Centre (CNCS) told Lusa on Wednesday that organisations have 60 working days to register and self-identify on the MyCiber (cybersecurity) platform, and that support tools are available to assist them.

This is the first regulation “arising from the new Legal Framework for Cybersecurity (...), and it sets out in greater detail a series of aspects that are fundamental to implementation not only by organisations but also by the competent cybersecurity authorities under that legal framework”, explained Lino Santos.

It sets out the operation of the “communication platform with the entities covered” – myciber.gov.pt – and this phase” of self-identification, classification and registration will take place over the next 60 working days”, whilst also marking the start of “a deadline” for implementing the minimum measures “assigned to them upon classification, for which they have 24 months to adapt and comply”, explained the CNCS coordinator.

At this stage, “entities are required to self-declare, via this platform, to the competent authorities, that they meet a series of requirements to be classified either as essential entities, important entities or relevant public administration entities”, said Lino Santos.

These classification types determine the level of requirement or a series of minimum security measures they must implement over the next 24 months.

“We expect around 6,000 organisations to be covered by this new legal framework, compared with the 450 we had under the previous one,” he said.

This is “the first step on a journey” towards complying with the Cybersecurity Legal Framework, the aim of which is to ensure that the essential and critical services provided by organisations “have a high level of cybersecurity”.

Not least because “we face a complex threat landscape ranging from state-sponsored threat actors, cybercriminals and even activists in cyberspace, to challenges posed by disruptive technologies”, such as generative artificial intelligence (AI).

The aim is for a series of measures that the various organisations must implement to “reduce the risk to which they are exposed to an acceptable level”.

Meanwhile, the CNCS has been preparing a series of tools to support them in this process.

In addition to this 60-working-day phase, there is “a series of information sessions and workshops” as well as “a series of tools we are developing, still within the scope of the RRP, to help organisations for which this process is completely new”, he emphasised.

For example, the provision of a free tool to enable organisations to carry out risk analysis.

“We are adapting our offering at the cybersecurity academy to this new legal framework for cybersecurity”, as well as working with cybersecurity centres of excellence, stated Lino Santos.

“We are producing guides and ‘templates’” on the minimum required measures, “to support organisations over the next 24 months”, he said.

The new regulation sets out the features of the MyCiber electronic platform and a series of structural tools, including the National Cybersecurity Reference Framework (QNRCS).

“One of the new features introduced by this framework is the possibility for organisations to obtain a certificate of compliance” with the QNRCS “or the digital maturity seal in the area of cybersecurity”, he noted.

This is an “important tool because it allows the organisation, and, above all, the person responsible for cybersecurity within the company’s management, to have some assurance that they are complying with their legal obligations” in this area.

“This framework is extremely important because it defines what constitutes good cybersecurity practices” in Portugal.

Another important tool is “the minimum measures that organisations are required to implement; in other words, this represents a substantial difference compared to the previous legal framework”.

Previously, the obligation “was for them to carry out a risk analysis and then implement the measures they deemed sufficient and appropriate to mitigate the identified risks”, which “was an extremely vague process”, offering little predictability.

This model is “more prescriptive”, taking into account “the size of the organisation and the level of risk we have defined for that sector of economic activity”, and therefore “prevents the success of a large proportion of these attacks”, he said.

Lino Santos highlighted that this work was carried out over the past year through “close collaboration” involving academia and the various sectoral communities.

ALU/ADB // ADB.

Lusa