At the final roundtable of the IT Security Summit, experts discussed the challenges and opportunities of adopting NIS2 in Portugal. Key issues include the lack of a unified national legal framework and the urgent need for organizational cybersecurity maturity.
Hélio Sousa (Municipality of Felgueiras) reported significant progress since 2020, raising cybersecurity maturity from 1–2 to 8–9 out of 10. An inter-municipal working group was formed, but incident sharing remains weak due to the absence of a unified platform and harmonized protocols.
Leadership and security culture
Fernando Amorim (CIIWA Norte) stressed that cybersecurity responsibility must reach all organizational levels, especially boards. Organizations now operate in a “conflictual environment,” making security integral to strategy, budgeting, and training essential.
Luís Correia (Divultec) highlighted difficulties translating NIS2’s broad legal language into concrete controls and meeting strict incident reporting deadlines. Lack of centralized logs and unstructured detection processes hamper incident response. NIS2 shifts responsibility beyond IT to the whole organization—a true game changer.
Public sector progress is uneven, with many entities still in early stages due to technical and budget constraints. Larger private companies are more prepared, but SMEs lag behind, worsened by delays in directive transposition.
All agreed the threat is real and evolving. Investments in NIS2 must improve maturity; otherwise, it’s a “Pyrrhic victory.” Embedding cybersecurity in organizational culture and leadership vision is crucial.
Training, automation, and AI: the way forward
A shortage of skilled professionals demands investment in training for both technical teams and decision-makers. Automation and AI can free analysts from routine tasks, accelerating responses. Retraining professionals from related fields is promising.
Cybersecurity is everyone’s mission, not just IT’s. Collective effort and a mature approach to NIS2 are essential for Portugal to boost its digital resilience.