Question 1

What is NIS2 and who does it apply to in Portugal?

Accepted Answer

NIS2 is Directive (EU) 2022/2555, transposed into Portuguese law by Decree-Law no. 125/2025 of 4 December, which approved the new Legal Framework for Cybersecurity. It applies to essential and important entities in sectors considered critical or relevant, including energy, transport, healthcare, banking, digital infrastructures, public administration, among others. The framework entered into force on 3 April 2026.

Question 2

Are ISO/IEC 27001 and NIS2 the same thing?

Accepted Answer

No. ISO/IEC 27001 is an international standard for information security management systems, whereas NIS2 is a European cybersecurity directive transposed into national law. Although they address related topics — such as risk, controls, incidents and responsibilities — they have different natures, scopes and purposes.

Question 3

Is complying with ISO/IEC 27001 the same as complying with NIS2?

Accepted Answer

No. NIS2 and ISO/IEC 27001 do not represent the same obligation. ISO/IEC 27001 provides a management structure for organising information security. NIS2 establishes a legal framework with its own legal obligations for the entities covered. Having a certified ISMS is a highly relevant foundation, but it does not replace the analysis of the specific legal obligations applicable to the organisation.

Question 4

Does ISO/IEC 27001 certification help address NIS2?

Accepted Answer

Yes, it can help significantly. A well-implemented Information Security Management System — focused on risk management, controls, documentation, internal audit and continual improvement — supports a relevant part of the response to NIS2 and facilitates the demonstration of maturity. Even so, NIS2 includes its own regulatory requirements that require specific analysis, such as legal scope, entity classification, reporting obligations and interaction with the competent authorities.

Question 5

What should professionals know about NIS2 and ISO/IEC 27001?

Accepted Answer

Information security, compliance, audit, risk and governance professionals need to understand both dimensions: the normative dimension, structured by ISO/IEC 27001, and the regulatory dimension, introduced by NIS2. Knowing how to articulate an Information Security Management System with the requirements of a cybersecurity legal framework — identifying overlaps, gaps and priorities — is an increasingly valued competence in the market.

Question 6

What training covers NIS2 and ISO/IEC 27001?

Accepted Answer

Behaviour develops training in the areas of information security, cybersecurity and regulatory compliance. The learning paths cover both the normative dimension — implementation and auditing of Information Security Management Systems according to ISO/IEC 27001 — and the regulatory dimension, including the European cybersecurity framework and its practical application for different profiles and levels of responsibility.

Select your language

Articles tagged with: Decree-Law 125/2025

NIS2 and ISO/IEC 27001: the same obligation or two different requirements?