Regulation 756/2026: what changes in cybersecurity in Portugal and how to prepare your organisation

Regulation No. 756/2026 implements the new Legal Framework for Cybersecurity in Portugal and turns cybersecurity into a demonstrable responsibility of governance, risk, evidence, incident response and operational resilience.

⏱️ Estimated reading time: 4 minutes

Regulation No. 756/2026, of 22 June, has been published, implementing the new Legal Framework for Cybersecurity in Portugal. This regulation operationalises several obligations provided for in Decree-Law No. 125/2025, the legal instrument that transposed the NIS2 Directive into Portuguese law.

For companies, the message is clear: cybersecurity is no longer only a technical topic. It is becoming a demonstrable responsibility of governance, risk, evidence, incident response and operational resilience.

NIS2 and ISO/IEC 27001: the same obligation or two different requirements?

NIS2 and ISO/IEC 27001 share a common vocabulary: risk, controls, incidents, responsibilities. But they do not have the same nature or the same purpose. Treating one as a substitute for the other is one of the most frequent misunderstandings, with practical consequences for organisations and professionals.

⏱️ Estimated reading time: 6 minutes

The entry into force of NIS2 reinforced an idea that many organisations already knew, but did not always treat with the necessary priority: cybersecurity is no longer merely a technical concern and has become a requirement of governance, risk management, operational continuity and management accountability.

At the same time, many entities already had, or are preparing, information security management systems based on ISO/IEC 27001. This raises a frequent question:

Is complying with ISO/IEC 27001 the same as complying with NIS2?

The answer is clear: no. NIS2 and ISO/IEC 27001 are not the same obligation. But they are deeply related.

Change management in information systems: a business continuity risk that cannot be ignored

Change management in information systems is not just a technical issue. When a change may affect critical processes, services, data, suppliers or operational capacity, it must also be analysed as a business continuity risk.

⏱️ Estimated reading time: 6 minutes

Some questions seem technical, but reveal a much broader concern.
One of them is this: “Is there any training course on change management in information systems?” The answer is yes. But the most important part of the answer is not only the name of the training course. It lies in understanding what this question really means.

Frameworks vs Regulations: what do you really need to implement?

Frameworks vs Regulations: what to implement and why

⏱️ Estimated reading time: 8 minutes

Frameworks vs regulations is one of the most common questions for organisations that need to improve maturity, meet legal obligations and avoid duplicated compliance work.

Frameworks vs regulations: comparison between best practices and legal requirements

In a world saturated with standards, frameworks, directives and regulations, many organisations face the same question:
After all, what should we implement? ISO/IEC 27001? NIST? NIS 2? DORA? Everything?