Table of Contents
- The General Rule: Size Thresholds Exclude Most SMEs
- Exceptions: When Small Entities Are In Scope
- Exception 1: Formally Identified as Critical Infrastructure
- Exception 2: DNS Service Providers
- Exception 3: TLD Name Registries
- Exception 4: Trust Service Providers
- Exception 5: Providers of Public Electronic Communications Networks or Services
- Exception 6: Public Administration Entities
- The "Sole Provider" Rule
- Indirect Impact: NIS2 Through the Supply Chain
- What Should Out-of-Scope SMEs Do?
- Free Resources for Portuguese SMEs
The General Rule: Size Thresholds Exclude Most SMEs
NIS2 uses the standard EU SME definition to determine size. To fall within NIS2 scope, an entity generally must be at least medium-sized:
| Size Category | FTE | Turnover | Balance Sheet |
|---|---|---|---|
| Large | ≥250 | >€50M | >€43M |
| Medium | ≥50 | >€10M | >€10M |
| Small (generally excluded) | <50 | ≤€10M | ≤€10M |
| Micro (generally excluded) | <10 | ≤€2M | ≤€2M |
If your organization falls below the medium threshold — fewer than 50 employees, turnover at or below €10M, and balance sheet at or below €10M — you are generally outside the scope of NIS2.
This means the vast majority of Portuguese SMEs are not directly subject to NIS2's compliance obligations.
Exceptions: When Small Entities Are In Scope
NIS2 carves out several important exceptions where small and even micro entities can fall within scope:
Exception 1: Formally Identified as Critical Infrastructure
If your organization has been formally designated by Portuguese authorities as an operator of critical infrastructure, NIS2 applies regardless of size. This designation may come from CNCS, sector regulators (ERSE, Banco de Portugal, etc.), or through EU-level identification processes.
If you've received such a designation, you already know about it — this is a formal regulatory process, not something that happens passively.
Exception 2: DNS Service Providers
Providers of Domain Name System (DNS) services (excluding root name servers) are subject to NIS2 regardless of size. If your company manages DNS resolution services, even as a small provider, you may be in scope.
Exception 3: TLD Name Registries
Operators of Top-Level Domain (TLD) name registries (such as the .pt registry) are covered by NIS2 regardless of size.
Exception 4: Trust Service Providers
Qualified and non-qualified trust service providers under eIDAS (electronic identification and authentication services, digital signature providers, etc.) are subject to NIS2 from the small entity tier upwards. Even small providers of these specialized digital services are in scope.
Exception 5: Providers of Public Electronic Communications Networks or Services
Small providers of publicly available electronic communications networks or services (telecoms providers, ISPs) may be in scope under NIS2, particularly under the service jurisdiction rules that apply based on where services are provided rather than where the entity is established.
Exception 6: Public Administration Entities
Public administration entities designated under Portuguese implementation of NIS2 are covered regardless of size.
The "Sole Provider" Rule
Another important exception applies where a small entity is the sole provider of a service essential to the maintenance of critical societal or economic activities in Portugal. In such cases, national authorities may designate the entity as in scope despite its size.
This primarily affects niche infrastructure providers, specialist utilities, and unique regional service providers.
Indirect Impact: NIS2 Through the Supply Chain
Even if your SME is formally out of scope for NIS2, you may face de facto NIS2 requirements through your supply chain relationships.
If you supply products or services to an organization that is covered by NIS2, that organization is required to assess and manage the cybersecurity risks in their supply chain — including your security posture. As a result, you may receive requests for:
- Completion of security questionnaires
- Evidence of cybersecurity certifications (e.g., ISO 27001)
- Contractual commitments to specific security standards
- Right-to-audit clauses allowing your client to assess your security
For many Portuguese SMEs, the practical impact of NIS2 will come through customer requirements rather than direct regulatory obligation. Businesses that can demonstrate robust cybersecurity practices will have a competitive advantage — and those that cannot may find themselves excluded from contracts with regulated sector clients.
What Should Out-of-Scope SMEs Do?
Even if NIS2 doesn't directly apply to your organization today, there are good reasons to take cybersecurity seriously:
- Prepare for Future Scope Changes
NIS2 is a living directive. The European Commission will periodically review sector classifications and thresholds. Your organization could fall into scope in the future.
- Meet Customer Expectations
As noted above, supply chain security requirements will cascade down to suppliers of all sizes. Getting ahead of this now avoids a scramble later.
- Reduce Your Own Risk
The cybersecurity measures NIS2 mandates (risk assessments, incident response plans, MFA, backups, access controls) are best practices that protect any organization — regardless of regulatory obligation.
- Qualify for Public Sector Contracts
Portuguese public procurement processes are increasingly incorporating cybersecurity requirements. Organizations with demonstrated security maturity will have an advantage in bidding for public contracts.
- Cyber Insurance
Cyber insurance providers are aligning their requirements more closely with frameworks like NIS2. Organizations with mature security postures qualify for better coverage at lower premiums.
Free Resources for Portuguese SMEs
Even without a direct NIS2 obligation, Portuguese SMEs can benefit from:
- CNCS's SME cybersecurity resources — The national cybersecurity center publishes guidance tailored to smaller organizations
- ENISA's cybersecurity guidelines for SMEs — Practical, proportionate cybersecurity measures for organizations with limited resources
- Our free NIS2 scope assessment — Use SobreSRI2.pt to quickly determine whether your organization falls under NIS2, and understand your specific situation
Summary: Key Questions for Portuguese SMEs
Ask yourself:
- Do we have 50+ employees, or turnover/balance sheet above €10M? → If yes, check sector scope carefully.
- Have we been formally designated as critical infrastructure? → If yes, you're in scope regardless of size.
- Do we provide DNS, TLD, trust services, or public communications networks? → These have special rules.
- Do we supply to NIS2-covered organizations? → Prepare for supply chain security requirements from your customers.
- Could cybersecurity improvements benefit our business regardless of NIS2? → Almost certainly yes.
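The key questions above, written as a scope-screening function (an added example, not the SobreSRI2.pt tool or any official classifier): it applies the size thresholds from the table, then the size-independent exceptions and the sole-provider designation, and flags indirect supply-chain exposure for suppliers of covered entities. The size test assumes the EU SME Recommendation's rule that an enterprise is small when it has fewer than 50 staff and stays at or under at least one of the two financial ceilings; the `Entity` fields and status labels are my own.

```python
from dataclasses import dataclass

# Size ceilings from the page's table (EU SME definition), in EUR.
SMALL_MAX_FTE, SMALL_MAX_TURNOVER, SMALL_MAX_BALANCE = 50, 10_000_000, 10_000_000

# Entity attribute -> reason text, one per size-independent exception on the page.
SIZE_INDEPENDENT_EXCEPTIONS = {
    "designated_critical_infrastructure": "formally designated as critical infrastructure",
    "dns_provider": "DNS service provider (root name servers excluded)",
    "tld_registry": "TLD name registry",
    "trust_service_provider": "eIDAS trust service provider (qualified or not)",
    "public_ecomms_provider": "public electronic communications network/service provider",
    "public_administration": "designated public administration entity",
    "designated_sole_provider": "designated sole provider of an essential service",
}

@dataclass
class Entity:
    fte: int
    turnover_eur: float
    balance_sheet_eur: float
    designated_critical_infrastructure: bool = False
    dns_provider: bool = False
    tld_registry: bool = False
    trust_service_provider: bool = False
    public_ecomms_provider: bool = False
    public_administration: bool = False
    designated_sole_provider: bool = False
    supplies_nis2_entity: bool = False  # indirect exposure through a covered customer

def is_at_least_medium(e: Entity) -> bool:
    """EU SME rule (assumed here): 'small' = fewer than 50 staff AND at or under at
    least one of the two financial ceilings; anything else is medium or large."""
    under_a_ceiling = e.turnover_eur <= SMALL_MAX_TURNOVER or e.balance_sheet_eur <= SMALL_MAX_BALANCE
    return not (e.fte < SMALL_MAX_FTE and under_a_ceiling)

def assess(e: Entity) -> tuple[str, list[str]]:
    """Return (status, reasons): in_scope (size-independent exception), check_sector
    (size threshold met, sector annexes decide), indirect (supplier to a covered entity), out."""
    reasons = [text for attr, text in SIZE_INDEPENDENT_EXCEPTIONS.items() if getattr(e, attr)]
    if reasons:
        return "in_scope", reasons
    if is_at_least_medium(e):
        return "check_sector", ["at least medium-sized: check the NIS2 sector lists"]
    if e.supplies_nis2_entity:
        return "indirect", ["supplier to a NIS2-covered customer: expect questionnaires, "
                            "certification evidence and right-to-audit clauses"]
    return "out", []
```

For the public communications case the page says small providers "may be" in scope depending on jurisdiction rules, so treat that reason as a prompt to check rather than a final answer.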
Not Sure If NIS2 Applies to Your Organization?
Take our free 5-minute assessment to determine your NIS2 classification and get personalized recommendations for compliance.