Blog 6/4/2026
Nuno Dias, Vice President Security, Defense and Intelligence at Timestamp, explains that organizations should view the implementation of NIS2 as a structural transformation in digital risk management, rather than merely a compliance exercise.
April 3 marked the deadline for full compliance with Decree-Law No. 125/2025, which transposes the European NIS2 Directive into national legislation.
More than a legal obligation, however, this legislation represents a structural shift in the way organizations must approach cybersecurity.
For most entities, this is no longer simply an Information Systems issue; it is now a matter of operational continuity, resilience, and governance.
NIS2 significantly broadens the scope of covered entities, distinguishing between two main groups:
Essential Entities – Large companies and public bodies in highly critical sectors such as Energy, Transport, Banking, Health, Water, Space, and Public Administration.
Important Entities – Medium-sized and large companies in sectors such as Postal Services, Waste Management, Food, Manufacturing, and Digital Service Providers.
This new framework is based on three key pillars:
1. Risk management and security – Having a firewall and antivirus is no longer enough. The implementation of concrete measures is mandatory, including:
Risk analysis and management policies;
Business continuity and recovery plans;
Supply chain security;
Encryption, access control, and strict identity management.
2. Incident notification – Organizations must now meet strict deadlines for reporting to the National Cybersecurity Centre (CNCS):
24 hours for an early warning;
72 hours for a detailed incident notification.
3. Management accountability – One of the most relevant changes is the strengthening of accountability for governing bodies. Cybersecurity is no longer exclusively an IT matter: boards of directors and senior management may be held personally and financially liable for failures in implementing the required measures, and specific training in this area is also mandatory.
NIS2 therefore establishes cybersecurity as a legal governance requirement, placing digital risk on the same level as financial and operational risks.
At Timestamp, our experience in critical business solutions, IT infrastructure management, application development, testing, cybersecurity, and risk management enables us to support organizations at every stage of this journey — from assessment and alignment to the implementation of processes, policies, and technological solutions.
More than ensuring compliance, we help strengthen operational resilience and the trust of customers, users, and citizens.