CNCS Logs 3,864 Cybersecurity Incidents in Portugal in 2025, Up 40% Year-on-Year — Half Are Human-Factor Exploits, Internet Safety Line Calls Climb 39% and 13% of Victims Are Children or Young People

The Centro Nacional de Cibersegurança published its annual incident register on Tuesday, 28 April, and the data confirms what compliance officers across Portuguese banks, hospitals and SME advisory firms have been saying for two quarters: the volume curve is bending sharply upwards. Cert.pt — the national CSIRT housed inside the CNCS — registered 3,864 incidents in 2025, a 40% increase on the 2024 total. Coordinator Lino Santos, presenting the numbers, framed the trend as 'continuous growth since 2016' and 'no longer a story about isolated targeted attacks — this is now a steady noise floor that every Portuguese organisation has to budget for'.

The most consequential breakdown sits inside the typology section. Roughly half of the 3,864 incidents in 2025 were vulnerabilities exploited through what the report classifies as the human factor: phishing emails, smishing via SMS, link-based fraud through messaging platforms, and credential harvesting via convincing fake landing pages. The remaining incident volume is split between technical compromises (unpatched systems, exposed services, supply-chain entry points), denial-of-service activity, and the rapidly expanding category Lino Santos summarised as 'digital-environment harms' — online harassment, exposure to harmful content, persecution, and disinformation operations targeted at Portuguese users.

The Linha Internet Segura signal

The CNCS data is paired with the activity report from the Linha Internet Segura (LIS), the citizen-facing helpline for online harm. LIS handled 949 victim contacts in 2025, a 39% jump on 2024. About 13% of those callers — 119 individual cases — were children or young people, the demographic in which exposure-to-harmful-content reports have grown fastest. Burlas (online fraud), perseguição (cyberstalking), assédio (harassment) and disinformation are the four LIS reporting categories that have all grown above the headline trend.

For Portuguese SMEs the practical takeaway from the CNCS register is the dominance of human-factor exploits. The CNCS's own awareness campaigns and the EU NIS2 directive — which Portugal transposed in late 2024 — both push the same operational answer: multi-factor authentication on everything that touches the email or banking channel, mandatory phishing-simulation cycles for staff, and a written incident-response playbook held outside the affected systems. The CNCS has been publishing free playbook templates for companies under the 250-employee threshold; uptake has been visibly slower in the construction, hospitality and small-retail segments than in financial services and professional advisory.

The international context

Portugal's 40% increase is in line with — though slightly above — the European mean. ENISA's preliminary 2025 threat-landscape figures, due in full in June, point to roughly 30-35% incident growth across EU member states, with the heaviest increases in countries that are running active digital-public-services rollouts (which describes Portugal precisely, given the AIMA portal, the Portal das Finanças interactions and the Portal das Matrículas activity). The CNCS's argument inside government is that the cybersecurity budget line needs to scale with the digital-services rollout, not lag it by twelve to eighteen months as has been the historical pattern. Whether that argument lands inside the OE 2026 supplementary discussions over the summer is the policy question to watch.

The full 2025 CNCS Cybersecurity Risks and Conflicts Report — the seventh annual edition — is expected in September, with sectoral and incident-pattern detail not contained in the April register.