Question 1

Why is cybersecurity no longer just an IT responsibility?

Accepted Answer

Cybersecurity is no longer just an IT responsibility because digital incidents can affect operational continuity, customers, data, suppliers, contracts, reputation, legal obligations and management decisions. Technical teams remain essential, but they need to be aligned with management, risk, compliance, legal, privacy, human resources, communication and operations.

Question 2

What has changed in cybersecurity in 2026?

Accepted Answer

In 2026, cybersecurity is more closely linked to governance, risk management, operational resilience and regulatory compliance. In Portugal, the new Cybersecurity Legal Framework, which transposes the NIS2 Directive, entered into force on 3 April 2026. In the financial sector, DORA has applied since 17 January 2025, strengthening requirements relating to digital operational resilience.

Question 3

What role do NIS2 and DORA play in digital risk management?

Accepted Answer

NIS2 and DORA reinforce the need to demonstrate that digital risks are known, governed, treated, monitored and documented. NIS2 focuses on cybersecurity and entities covered by the applicable legal framework. DORA focuses on the digital operational resilience of financial entities, including ICT risk, incidents, testing, third parties and recovery capability.

Question 4

Why is evidence so important in cybersecurity?

Accepted Answer

Evidence is essential because it is no longer enough to state that policies, controls or procedures exist. The organisation must be able to demonstrate that risks have been assessed, responsibilities assigned, controls implemented and monitored, incidents reported and handled, teams prepared and decisions documented.

Question 5

Why do people remain a critical risk surface?

Accepted Answer

People remain a critical risk surface because many incidents begin with simple actions, such as clicking a link, opening an attachment, reusing a password, approving a transfer in haste, accepting an IBAN change without sufficient confirmation or sharing internal information through the wrong channel. Technology reduces exposure, but it does not replace prepared teams.

Question 6

What training can support cybersecurity and operational resilience readiness?

Accepted Answer

Training should be adapted to the organisation’s different profiles, including management bodies, middle management, IT, security, risk, compliance, audit, human resources, finance, operations and users. It should support understanding of responsibilities, incident identification and reporting, risk management, evidence, continuity, response and recovery.

Select your language

Ciber resilience

Cybersecurity in 2026: why digital risk is no longer just an IT responsibility

NIS2 and ISO/IEC 27001: the same obligation or two different requirements?