Onboarding of New Staff in Critical Information Systems: A Risk-Based Framework with Evidence from the Portuguese Regulatory Context
New staff placed in classified or sensitive environments before completing mandatory training are a well-documented source of security incidents, yet the operational pressure to grant provisional access remains widespread in Portuguese public bodies and regulated private entities. This article examines the risks of pre-certification deployment, identifies the principal knowledge gaps and procedural weaknesses that appear during the onboarding phase, and proposes a Structured Mandatory Onboarding Programme (SMOP) aligned with the Portuguese and European regulatory context. The findings are particularly relevant for critical information systems supporting public administration, critical infrastructure operators, defence organisations and other environments where personnel security directly influences operational continuity and organisational resilience.

(1) Background: information classification regimes (SEGNAC), data protection (GDPR; Law no. 58/2019), cybersecurity (NIS2; Decreto-Lei no. 125/2025) and the Cybercrime Law (Law no. 109/2009) all impose training duties on data controllers and on operators of essential and important services, yet these duties are frequently underdelivered, and new staff routinely receive system access before completing the prescribed training pathway.

(2) Methods: the study combines a documentary review of European and Portuguese regulatory instruments, a risk assessment grounded in the Human Factors Analysis and Classification System (HFACS), and a case-based review of recent enforcement decisions adopted by the Comissão Nacional de Proteção de Dados (CNPD) in Portugal.

(3) Results: untrained new staff consistently underperform across four core competency domains (information classification and handling, chain of custody, incident detection and reporting, and secure use of IT systems) and account for a disproportionate share of knowledge-based non-compliance events, with risk peaking in the first thirty days of employment.

(4) Conclusions: a front-loaded, competency-gated onboarding programme with formal assessment, a signed Security Commitment, a refresher schedule and auditable records is the principal proportionate control against this risk. The SMOP architecture proposed here is directly transposable to Portuguese public and private entities operating under SEGNAC, the GDPR and NIS2, and provides a concrete starting point for the personnel-security component of organisational compliance programmes.