RJC (DL 125/2025) Copilot
Navigate Portugal's cybersecurity legal framework with confidence
What the RJC (DL 125/2025) Copilot Can Do
Identify whether your organisation qualifies as essential or important under the RJC annexes
Understand the ten risk management areas required by the RJC
Navigate the RJC incident notification timeline to CNCS and CERT.PT
Map governance and training obligations for management bodies under the RJC
Track which RJC provisions depend on CNCS regulations under Art. 10.º n.º 2
Compare RJC obligations with RGPD, DORA, and eIDAS where regimes overlap
About RJC (DL 125/2025) Copilot
The Regime Jurídico da Cibersegurança (RJC), approved by Decreto-Lei n.º 125/2025 of 4 December, transposes the NIS 2 Directive into Portuguese law and establishes obligations for essential and important entities operating in Portugal. ISMS Copilot helps you work through the RJC's requirements, from entity classification to incident notification and risk management measures.
Frequently Asked Questions
What is the RJC (DL 125/2025)?
The Regime Jurídico da Cibersegurança is the substantive cybersecurity law approved in the annex to Decreto-Lei n.º 125/2025, published in the Diário da República n.º 234, Série I, of 4 December 2025, which transposes Directive (EU) 2022/2555 (NIS 2) into Portuguese law. It replaces Lei n.º 46/2018 and Decreto-Lei n.º 65/2021, which transposed NIS 1, with effect from the date the RJC enters into force.
How does the RJC (DL 125/2025) Copilot help?
The Copilot helps you interpret the RJC's specific requirements, including entity classification, the ten risk management areas, incident notification deadlines to CNCS and CERT.PT, sanction thresholds under Arts. 61.º and 62.º, and the deferred provisions tied to CNCS regulations under Art. 10.º n.º 2. It also helps you identify where the RJC interacts with RGPD, DORA, and eIDAS obligations.
What are the incident notification deadlines under the RJC?
For significant incidents, the RJC (Arts. 40.º to 44.º) requires an early warning to CNCS/CERT.PT within 24 hours of verification, a 72-hour update only where necessary, a notification within 24 hours of the end of significant impact, and a final report within 30 business days of that notification. These deadlines differ from the generic NIS 2 timeline; where an entity is also subject to eIDAS as a qualified trust service provider, both sets of notification requirements may apply concurrently.
