The Centre's Mission
The Centre of Excellence in Organisational Cyberhygiene was established with a clear and resolute purpose: to position organisational cyberhygiene as an autonomous discipline, endowed with its own methodology, validated metrics and institutional recognition. This mission arises from the conviction that cybersecurity cannot be addressed exclusively through technology — it demands a parallel, sustained investment in the behavioural and procedural dimensions of organisations and their people.
Our vision is to become the European reference on organisational cyberhygiene, contributing to ensuring that every organisation — regardless of its size, sector or digital maturity — possesses the instruments needed to measure, improve and demonstrate its behavioural maturity in cybersecurity. We aspire to a landscape where cyberhygiene is not a supplementary concern but a core governance discipline.
The Centre operates within a robust regulatory framework. Article 21(2)(g) of the NIS2 Directive and Article 27 of Decree-Law 125/2025 enshrine "basic cyberhygiene practices and cybersecurity training" as a legal obligation for essential and important entities. This is not merely a recommendation — it is the law. The Centre exists to help organisations meet this obligation with rigour, method and measurable outcomes.
Every assessment, metric and certification is grounded in documented, reproducible methodology.
The Centre operates without commercial ties to technology vendors, ensuring objective guidance.
Making cyberhygiene compliance achievable for organisations of all sizes and maturity levels.
Orientation towards quantifiable outcomes that demonstrate genuine behavioural transformation.
Cyberhygiene Observatory
The pulse of organisational cyberhygiene in Portugal and Europe.
The Observatory monitors, analyses and publishes data on the state of organisational cyberhygiene across Portuguese and European organisations. It functions as a reference source for decision-makers, regulators and cybersecurity professionals, providing evidence-based insights that inform policy, investment and operational decisions.
Its activities encompass the publication of annual reports on the state of cyberhygiene in Portugal, sectoral analyses segmented by industry — municipalities, healthcare, education, financial services — the monitoring of key behavioural maturity indicators, comparative analysis with European data from the Eurobarometer, ENISA and Eurostat, and the mapping of emerging threats with a human component.
Cyberhygiene Maturity Index (CMI)
The metric that enables you to measure, compare and demonstrate your organisation's behavioural maturity.
The Cyberhygiene Maturity Index is a proprietary instrument developed by the Centre of Excellence that objectively and quantifiably assesses an organisation's cyberhygiene level. It enables organisations to track their evolution over time and demonstrate progress to auditors, supervisory authorities and commercial partners through a structured, reproducible framework.
The Five Dimensions of Assessment
Phishing and Social Engineering Resilience
Click rates in simulations, threat identification capability, average reporting time and response quality to social engineering attempts.
Credential Management Maturity
Compliance with password policies, multi-factor authentication adoption rates and privileged access management practices.
Email Security Procedures
Implementation of external email warnings, sender verification protocols and suspicious attachment handling procedures.
Incident Reporting Culture
Internal reporting rate, average notification time, quality of reported information and integration with response workflows.
Cyberhygiene Policy Adoption
Documented awareness of policies, verifiable compliance levels and integration of cyberhygiene practices into daily operations.
The Five Maturity Levels
A progression framework from non-existent practices to fully integrated cyberhygiene governance.
Non-existent
No documented cyberhygiene practices, no training programmes, no formal policies in place.
Initial
Basic password requirements, antivirus installed, some individual awareness but no formal, structured programme.
Basic
Documented best practices manual, at least one training session per year, regular backups, partial multi-factor authentication.
Intermediate
Differentiated annual training programme, phishing simulations, asset inventory, regular patching and maturity assessment cycle.
Advanced
Behavioural maturity dashboard, continuous metrics, complete NIS2 Art. 21(2)(g) compliance pack, cyberhygiene culture integrated into governance.
Our goal: elevate client organisations from Level 0–1 to Level 2–3 within 12 months.
Cyberhygiene Maturity Certifications
The Centre of Excellence issues cyberhygiene maturity certifications that attest to the level achieved by each organisation, providing a recognisable quality seal that can be presented to clients, partners, supervisory authorities and in public procurement processes.
Certification follows a structured process: initial assessment through behavioural and procedural diagnosis, implementation of a 12-month cyberhygiene programme operationalised by ciberhigiene.eu, final assessment with quantifiable metrics, and certificate issuance indicating the CMI level achieved.
Organisational Certification
Comprehensive assessment of the entity as a whole, covering all five CMI dimensions and resulting in a certified maturity level.
Sectoral Certification
Assessment with benchmarking against the organisation's sector of activity, enabling meaningful comparison with industry peers.
Programme Certification
Attestation of successful completion of a specific cyberhygiene training cycle, validating the organisation's investment in behavioural transformation.
Reference Events and Publications
Where the cyberhygiene community convenes.
Annual Cyberhygiene Conference
The reference event bringing together decision-makers, regulators, professionals and academics to discuss the state of cyberhygiene in Portugal and Europe. Keynotes, panel discussions and networking opportunities.
Sectoral Seminars
Thematic sessions aimed at specific sectors — municipalities, healthcare, education, financial services — featuring relevant data, practical case studies and actionable recommendations.
Practical Workshops
Intensive training in cyberhygiene methodologies, CMI application and implementation of behavioural transformation programmes for cybersecurity practitioners and managers.
Publications
The Centre produces and disseminates knowledge to support informed decision-making and continuous improvement.
Normative and Regulatory Foundation
The Centre's mission and services are anchored in a comprehensive regulatory framework that establishes cyberhygiene as a legal obligation across the European Union.
NIS2 Directive — Art. 21(2)(g)
Establishes "basic cyberhygiene practices and cybersecurity training" as mandatory risk management measures for essential and important entities across all EU Member States.
Decree-Law 125/2025 — Art. 27
The Portuguese transposition of NIS2, enshrining cyberhygiene obligations and cybersecurity training in national law, with defined compliance timelines and supervisory mechanisms.
QNRCS & CIS Controls IG1
The National Cybersecurity Reference Framework of CNCS and CIS Controls Implementation Group 1 provide the technical reference frameworks for cyberhygiene implementation.
GDPR — Data Protection
Personal data security as a behavioural dimension: the GDPR's security requirements are inseparable from an organisation's cyberhygiene maturity and daily practices.
The information on legal frameworks presented here is for informational and educational purposes and does not constitute legal advice. The legislation cited may have been amended. Always consult the current version of legal instruments through official channels.
Integrated within a Specialised Ecosystem
The Centre of Excellence operates at the heart of an ecosystem of eight domains dedicated to organisational cyberhygiene. Each domain serves a distinct function; together, they provide comprehensive coverage.
Operational hub — cyberhygiene programmes, diagnostics and implementation methodology.
Centre of excellence (English) — research, certification and institutional quality seal for the ecosystem.
Centre of excellence (Portuguese) — research, certification and institutional quality seal.
Cyberspace intelligence — digital environment monitoring and contextual awareness content.
Digital asset management — inventory, classification and protection of organisational cyber assets.
Threat intelligence — monitoring, analysis and communication of cybersecurity threats.
Fraud prevention — identification, alerting and prevention guidance for digital fraud.
Ecosystem gateway — safe internet practices and entry point for organisations and citizens.
Cybersecurity Officer support — dedicated guidance and resources for designated officers.
Contact the Centre of Excellence
For maturity assessments, certifications, institutional partnerships or Observatory information.
Contact Details
Email: info@cyberhygienecentre.eu
Phone: (+351) 213 243 750
Offices
Lisbon · Brussels · San Francisco
Ready to measure your maturity?
The CMI assessment is your first step towards demonstrating cyberhygiene compliance and building organisational resilience.