HomeAnalyticsAlertsDigital Services Regulation in Portugal: New Requirements for Technology Companies

Digital Services Regulation in Portugal: New Requirements for Technology Companies

Portugal's digital services sector faces a significant compliance shift. The EU's Digital Services Act. now fully applicable across all member states. has been reinforced in Portugal by implementing measures that assign specific enforcement powers to Portuguese authorities. Establish graduated obligations for different categories of digital service providers. Additionally, set firm deadlines for full compliance. Companies that delay assessment risk penalties calibrated to global turnover, and the supervisory authority in Portugal has signalled that enforcement activity will begin promptly.

Digital services regulation in Portugal is now governed by a combination of directly applicable EU legislation and national implementing rules that designate the Autoridade Nacional de Comunicações (ANACOM. Portugal's national communications authority) as the primary competent authority for most categories of digital service providers. Obligations range from basic transparency and complaint-handling requirements for smaller platforms to algorithmic accountability and independent auditing duties for very large platforms. Compliance reviews are expected to begin from the first quarter of 2026, with formal enforcement possible immediately thereafter.

This alert summarises what has changed, which businesses are affected, and the immediate actions international technology companies operating in Portugal should take now.

What changed and when it takes effect

The Digital Services Act became directly applicable across the EU in February 2024 for all in-scope providers. Portugal has since adopted national implementing legislation that complements the EU text. This domestic layer addresses three specific areas: the designation of ANACOM as the primary Digital Services Coordinator. Procedural rules for out-of-court dispute settlement bodies. Additionally, penalties applicable to providers who fail to meet their obligations under Portuguese jurisdiction.

The national rules entered into force in late 2024. ANACOM has published enforcement guidelines indicating that compliance reviews for intermediate and hosting service providers will begin in the first quarter of 2026. Very large online platforms and very large online search engines. a category defined by user thresholds set at EU level. remain subject to direct European Commission oversight. However. Portuguese authorities retain concurrent powers where Portuguese users are affected.

For technology companies structured under Portuguese corporate legislation (CSC), the implementing rules interact with existing obligations around governance and disclosure. Directors of Portuguese-incorporated entities may bear personal accountability under civil liability provisions if the company fails to implement required compliance measures.

The Portuguese tax arbitration system, the Centro de Arbitragem Administrativa e Fiscal (CAAD, Portugal's specialised administrative and fiscal arbitration body), is not the primary venue for digital services disputes. However, where tax treatment of fines or compliance costs is contested, CAAD jurisdiction becomes relevant. The Tribunal da Relação (Court of Appeal) and ultimately the Supremo Tribunal de Justiça (Supreme Court of Portugal) will handle civil liability claims and appeals arising from enforcement decisions.

For companies considering how digital services obligations interact with intellectual property protection in Portugal, our analysis of intellectual property law in Portugal provides relevant context on platform liability for user-generated content and rights enforcement mechanisms.

To discuss how these regulatory changes apply to your platform or service, contact us at info@ferrazwhitmore.com.

Who is affected and what the threshold criteria require

The Digital Services Act applies to any provider of intermediary services that offers services to recipients based in the EU – regardless of where the provider is established. This means a technology company headquartered outside Portugal but serving Portuguese users is within scope.

The obligations are tiered. The lightest tier covers pure conduit and caching services. A more demanding set of obligations applies to hosting service providers, including cloud infrastructure companies, app stores, and content platforms. The most demanding obligations – systemic risk assessment, algorithmic accountability, and independent auditing – apply only to very large online platforms and search engines that exceed the EU-level user threshold.

For mid-tier providers – those offering hosting services but not qualifying as very large platforms – the key obligations activated under the Portuguese implementing rules include the following:

  • Publishing clear, accessible terms of service in Portuguese, covering content moderation rules and complaint procedures.
  • Establishing a single point of contact accessible to Portuguese authorities and designating a legal representative in the EU if the provider is not established in a member state.
  • Implementing an internal complaint-handling system that meets response time requirements set out in the EU text, with records available for inspection.
  • Cooperating with ANACOM requests for information and access to systems within specified timeframes.
  • Suspending repeat offenders whose content or conduct has been flagged through trusted flaggers or judicial orders under Portuguese civil procedure rules.

Companies that rely on software liability or technology licensing arrangements to distance themselves from content hosted on their platforms should note that this structural approach does not remove intermediary liability obligations. Practitioners in Portugal note that contractual allocation of liability between platform operators and upstream or downstream parties does not substitute for compliance with public law duties under digital services legislation.

AI Act compliance intersects with digital services obligations where a provider deploys general-purpose AI models as part of its service offering. The AI Act imposes separate transparency and documentation requirements, and ANACOM has indicated it will coordinate with AI Act supervisory bodies when assessing platforms that use algorithmic systems for content recommendation or moderation.

For a full overview of the regulatory regime applicable to technology companies in Portugal, including AI-specific obligations and software licensing requirements, see our service page on AI and technology law in Portugal.

For a tailored strategy on digital services compliance for your business in Portugal, reach out to info@ferrazwhitmore.com.

Immediate actions for international technology companies

Companies should treat the first quarter of 2026 as the operative deadline for completing baseline compliance. The following five steps reflect the immediate priorities identified by practitioners working through the Portuguese implementing rules.

Step 1 – Classify your service tier. Determine whether your offering qualifies as a pure conduit, caching service, hosting service, or online platform. Classification determines which obligations apply. Many technology companies initially misclassify because their service straddles categories – a common error that leads to either over-compliance or, more often, under-compliance on hosting duties.

Step 2 – Appoint an EU legal representative if required. Providers not established in any EU member state must designate a representative with authority to cooperate with ANACOM. This appointment must be documented and communicated to the authority. Failure to designate a representative removes the ability to invoke procedural rights during enforcement proceedings.

Step 3 – Review and localise terms of service. Portuguese-language terms of service that comply with the content requirements of the EU text are mandatory. Generic English-language terms are insufficient for providers whose primary user base in Portugal is not professional. The localisation exercise also provides an opportunity to review content moderation policies for alignment with Portuguese civil law standards around defamation, privacy, and consumer protection.

Step 4 – Build the complaint-handling and reporting infrastructure. Internal complaint mechanisms, trusted flagger cooperation protocols, and annual transparency reports are not optional add-ons. Establishing these systems takes time. Companies that have not begun should do so immediately, as implementation typically requires cross-functional input from legal, product, and engineering teams.

Step 5 – Map AI Act obligations against digital services duties. Where algorithmic systems are used for content moderation, personalisation. Alternatively. Automated decision-making affecting Portuguese users, the AI Act's transparency, human oversight. Additionally, documentation requirements apply alongside digital services obligations. An integrated compliance map is more efficient than treating these as separate workstreams.

For companies operating across Iberian markets, our recent alert on digital services regulation in Spain addresses parallel requirements under Spanish implementing rules, which differ in several procedural respects from the Portuguese approach.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our AI and technology law practice supports technology companies, platform operators, and institutional investors managing digital services compliance, AI Act obligations, software liability questions, and technology licensing arrangements across EU and non-EU markets. The firm combines Portuguese civil law expertise with English common law tradition – a combination that is directly relevant for international providers navigating the interaction between EU-level regulation and national implementing rules. As a law firm in Portugal with a dedicated technology practice, we advise in-house legal teams and international entrepreneurs who need results-oriented counsel rather than generic compliance summaries. The firm's practitioners have experience before ANACOM, the Portuguese courts, and cross-border regulatory bodies, and maintain active participation in international practice groups focused on AI regulation and platform liability. To discuss how Portugal's digital services rules apply to your operations, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.