Blockchain 2020

Last Updated June 17, 2020


Law and Practice


TELLES Advogados is a full-service law firm with national coverage and a local presence in the two main cities of Portugal: Lisbon and Porto. The firm is represented by a range of departments that have many areas of expertise, including finance, projects, corporate and M&A, tax, energy and natural resources, real estate, and litigation. The finance, projects and capital markets team is comprised of eight members: one partner, four associates and three trainees. In addition, other practice areas involved in blockchain work are the digital, privacy and cybersecurity; tax; and litigation/arbitration teams. In recent years, the firm has enjoyed sustained growth and has achieved a greater presence in international markets as well as greater expertise in providing services suited to new technologies and business models.

The Portuguese economy and business ecosystem are already looking at blockchain as a solution capable of adding efficiency to business procedures. There are several case studies, ranging from the public to the private sector, from parking to insurance, from advocacy to energy, not only in the hands of start-ups and fintechs, but also from bigger companies and sector-specific organisations.

Blockchain started to gain popularity in 2017, largely because it was the system underlying Bitcoin. However, it is considered to have the potential to break paradigms in several fields. Companies see advantages in a digital registry that generates confidence without the need for intermediaries besides the reduction of expenses and the automation of processes.

Blockchain in Portugal

Notwithstanding this, in Portugal, blockchain has not been yet implemented in a significant number of services. Portugal’s current stage of development focuses on a prior level of development. Most Portuguese companies subscribe to the idea that blockchain will be present in their market in the near future and are preparing their businesses for that reality. PwC has estimated that, by the end of 2020, more than 50% of Portuguese companies will be implementing blockchain in their activities (this estimate may turn out not be that accurate due to the COVID-19 pandemic affecting the global economy). During 2019, we have assisted some entities already implementing blockchain in their activities, namely in the fields of data protection and treatment, jointly with start-ups providing those solutions; for example, the Portuguese start-up Blockchain Ventures has developed a personal data privacy management platform based on blockchain for the St. Louis Hospital in Lisbon. Also, Best Bank was the first incumbent in Portugal to undertake a fund transaction supported by blockchain. In addition, we have assisted several hubs created by non-profit organisations and, sometimes, universities to foster the development of companies providing blockchain solutions.

At present, there is no special regulation designed to govern blockchain assets and trading platforms insofar as the Portuguese regulation of market trading platforms was and is not specially envisioned to be applicable to this phenomenon.


At the beginning of March 2020, the Portuguese Government, through Resolution No 29/2020 of the Council of Ministers, established general principles for the creation and regulation of Technological Free Areas (ZLT), a regulatory framework for sandbox projects. Portugal intends to adopt a flexible and innovative approach to new technologies, businesses and products, which includes blockchain technology, in order to foster innovation and increase the attractiveness of Portugal as a hub for testing. This will be done through the creation of digital innovation hubs as collaborative networks that include specific digital competence centres aiming to disseminate and adopt digital technologies, brought to the table by companies, for their development, testing and experimentation. The goal of the government is – in concert with regulators, universities and market players, among others – to set the conditions to gradually create consistency and increase certainty, preparing an approach or legal framework for experimentation in Portugal, containing principles and rules applicable to all experimental activities involving new technologies and solutions. These ZLTs are one of the measures contained in the Portugal Digital Transition Action Plan for the 2021-2027 (approved by Resolution No 30/2020 of the Council of Ministers). The Portuguese government identified that the establishment of a digital society is an opportunity to reinvent the functioning of the State and its services, strengthening the economic competitiveness of the country and developing a favourable environment for innovation and technology. This Action Plan takes into consideration the institutionalisation of a regulatory and economic environment capable of fostering the use and creation of new technologies and business models.

The Portuguese market currently has in place several business models that take blockchain into account. Yet, most of these are at an early stage of development, or still at the level of conceptualisation. The main uses of blockchain that have been put into practice in Portugal are in relation to the issuance of tokens, namely by ICO’s by fintechs, and data protection and treatment. Yet, ambitious projects are being considered regarding the use of cryptography to measure electricity consumed by households and also the development of an energy marketplace (following the example of EDP Brasil, jointly with EDP Inovação and the Austrian start-up Riddle&Code, which developed a blockchain-based solution that enables automatic account settlement between all agents involved, in a secure, transparent and scalable manner, by using smart contracts), licensing and registration regarding various fields, access to different kind of information and internal compliance procedures.

Furthermore, Deloitte Portugal has developed an investment funds distribution platform based on blockchain, presented by the Portuguese Association of Investment Funds, Pensions and Wealth (APFIPP). This project aims to simplify and make more efficient the distribution of funds in Portugal and to reduce the need for the intervention of intermediaries. This proof of concept was carried out in partnership with a Portuguese university (Instituto Superior Técnico) and with the permanent support of the Portuguese Securities and Markets Commission (CMVM).

In any case, most of the blockchain business models in Portugal are envisioned from a B2B perspective and are provided by several foreign start-ups that chose to establish their headquarters in Portugal.

Portugal, as a member of the European Union, in line with the principle of harmonisation, has been following the EU position on blockchain regulation. Thus, activities in relation to banking and finance, insurance, payment services, investment services, anti-money laundering, data protection, among others, have been in line with the relevant EU Directives and Regulations, as well as the main entities' opinions, regarding this area of operation. The main regulators operating in this field concerning local law are the CMVM and the Portuguese Central Bank (Banco de Portugal, BdP), which have been following the European Supervisory Authorities (ESA’s) Most notably the European Securities Markets Authorities (ESMA) and European Banking Authority (EBA). Their reports, analysis, evaluation by working groups, and press releases have focused on cryptocurrencies and ICOs since these are the issues that have been drawing most attention from new market players, especially concerning the eventual risks they may represent regarding market supervision and consumer protection.

In any case, the Portuguese regulators recognise that technology must have enough space to develop and mature and that excessive regulation would undermine its impact and importance. However, they have been adopting an understanding that disruptive and innovative business models shall be subject, whenever applicable, to the existing regulatory regimes (ie, tokens that qualify as securities will be treated as securities, according to the Portuguese Securities Code) applying existing regulatory regimes to the mentioned activities, whenever applicable.

Portugal has no position on how to regulate the use of blockchain and digital assets yet, without prejudice to what may be applied at a supra-national level. Furthermore, bearing in mind the current legal system, as well as the EU Directives, major changes in the landscape are not to be expected to happen without prior supra-national adoption.

With regard to businesses and market players operating with blockchain technology there is no specific regulation addressed to them. The sole exception is that business models that are crowdfunding platforms have special regulation associated with them.

Portugal is a member of several international bodies, such as the Financial Action Task Force (FATF) and the Bank for International Settlements (BIS), there represented by the BdP. Their standards and guidelines are closely watched by the Portuguese regulators and, whenever relevant, followed (ie, regarding money laundering risks relating to blockchain and the risks associated with the use of cryptocurrencies). However, there has not been any particular implementation of any regulation specifically following the guidelines of such organisations. As discussed in 2.1 Regulatory Overview, the relevant supra-national influence over the Portuguese legal system is designed by EU entities, as a means to achieve harmonisation and unification across the member states, concerning blockchain and digital assets.

Blockchain's main uses will fall under the scope of financial activities. In this context, the main regulatory bodies in Portugal are the BdP, the CMVM and the Portuguese Insurance and Pension Funds Supervisory Authority (ASF). The scope of market regulation and the level of intervention of these is clearly defined by activity sector. Whereas the BdP supervises banking activities, financial companies, payment institutions, electronic money institutions and payment services; the CMVM supervises financial markets and their participants, trading venues and exchange bureaus, securities and activities related with them, such as IPO’s, Undertakings for the Collective Investment in Transferable Securities (UCITS) and Alternative Investment Fund Managers (AIFM). The ASF supervises insurance companies, reinsurance companies, insurance mediation and distribution as well as pension funds.

There are no self-regulatory organisations or trade groups that perform regulatory or quasi-regulatory roles with respect to businesses or individuals using blockchain in Portugal. The regulation is carried out by the main regulators, those mentioned in 2.3 Regulatory Bodies, within their scope of operation. However, it is worth noting the efforts of the Portuguese Blockchain Alliance (ALL2BC), a non-profit organisation dedicated to developing an ecosystem of Portuguese companies, academia and public organisations in order to provide the Portuguese economic and legal system with the right knowledge regarding blockchain. ALL2BC aims to help players to be ready for the revolution that is to come with the new business models based on blockchain. Alongside that, the Alliance promotes the development of national blockchain-based solutions. Currently, ALL2BC is developing, with the co-operation of several law firms, including TELLES, a white paper on blockchain-based activities and industry to present to the Portuguese government and regulators for the purpose of developing the appropriate legal system for this industry.

As a country with a civil law jurisdiction, the Portuguese legal system does not rely on the rule of precedent. Thus, judicial decisions, in spite of being extremely important in the context of legal interpretation, do not have the same influence as in common law countries. In any case, there are no public records of judicial decisions regarding blockchain, nor any ongoing litigation. However, the Portuguese Tax Authority has issued, as explained in 2.8 Tax Regime, some official rulings regarding cryptocurrencies, in the context of requests for binding information.

All the Portuguese regulators monitor companies that are under their supervision and licensed by them, even being able to conduct inspections of the company’s premises. However, to date, there are no, and have not been any, significant enforcement actions in Portugal that have been publicly reported.

There is currently no regulatory sandbox in Portugal. However, a project to develop one is currently envisioned, as explained in 1.1 Evolution of the Blockchain Market.

The Portuguese tax regime does not provide for any specific set of rules on blockchain or crypto-assets. However, during the last few years, the Portuguese Tax Authority has addressed the topic in three rulings. These rulings were issued in response to requests from taxpayers on how to frame the tax treatment of some crypto-assets, namely cryptocurrency, and although the rulings are only binding to the specific set of facts, taxpayers and situations on which they were issued, they are an important tool for understanding how the Portuguese Tax Authority regards the taxation of digital/crypto-assets and related activities.

The first ruling (December 2016) concerned personal income taxation, whereas the other two (February 2018 and July 2019) addressed VAT topics.

In the 2016 ruling, the Portuguese Tax Authority reviewed the possible qualification of the income arising from cryptocurrencies within the current Portuguese personal income tax framework. Looking at the rules pertaining to the taxation of capital gains, investment income and income derived from business activities by natural persons, the Tax Authority has taken the view that, as a general rule, realised capital gains or other income arising from cryptocurrency is not subject to tax. Attention should, however, be paid to the fact that two important exceptions are found: when cryptocurrency is received in consideration for a taxable activity, this activity remains taxable; and when cryptotrading is in fact the main and recurrent activity carried out by that person, the proceeds of that trading are in fact taxable business income of that individual.

In the 2018 ruling, the Portuguese Tax Authority clarified, in line with the view of the CJEU in Case C-264/14, Skatterverket v David Hedqvist, that it understood cryptocurrency to be a form of currency. Therefore, the Tax Authority concluded that the trading of cryptocurrency as a “means of payment” is, under the VAT Directive and the Portuguese VAT Code, exempt from VAT. In the 2019 ruling, the Portuguese Tax Authority concluded that the above treatment should also apply to cryptocurrency mining activities.       

The Portuguese Government launched a think-tank with the purpose of promoting and fostering business models based on blockchain and other financial technologies. That way, the main challenges and barriers could be identified by the competent entities. This initiative is aiming to, in the future, develop into a regulatory sandbox in association with the relevant regulators, namely the CMVM, the BdP and the ASF, among others that could be useful.

Moreover, in 2018, the government launched an annual initiative called GovTech that aims to reward and support innovative products and services created by start-ups that fit the solution of one of the 17 UN Development Goals. Not only did some promotors use blockchain on their projects, but it was also used by the government for the voting phase of the initiative, launching a virtual currency to be used as if it were a crowdfunding platform.

Additionally, the CMVM and BdP have been watching these business models and market developments closely, even dedicating special spaces on their websites to providing information related to blockchain, cryptocurrencies, ICO’s, tokens, AI, among other things. The CMVM even has an internal department dedicated to aiding with queries related to these new technologies, providing a special email address for those matters. These initiatives were created with the purpose of aiding promotors and investors as well as exchanging information and fostering dialogue between these regulators and developers or sponsors of new financial technologies, which operate within the fields of regulatory competence of the CMVM and BdP, and also to clarify the regulatory framework applicable to the same. It is also worth mentioning that both these regulators have been involved in various workshops and Q&A meetings across the country in order to clarify issues and engage in dialogue with interested parties.

In 2018, Portugal Fintech, a non-profit entity, jointly with the main financial regulators created “Portugal Finlab – where regulation meets innovation”. This initiative created a communication channel for fintechs, incumbents and Portuguese regulators to engage and to provide aid on the legal issues arising from those businesses.

Furthermore, the Portuguese regulators are involved in European tasks forces such as the DLT Network, the CB Innovation Network and the WEF and NCB DLT Network. Moreover, some innovative initiatives have been backed by them, such as the Hackathon (which took place in Lisbon in 2019 and is scheduled to be in Paris in 2020) and the InnovationHub, whose first edition took place in Lisbon at the Websummit in 2019.

There is no specific Portuguese regulation applicable to digital asset ownership and transfer. Thus, the legal framework applicable will depend on the categorisation given to the digital asset in question (ie, a security or a commodity). Nonetheless, the concepts of public and private key are considered for this matter. The public key is publicly known and used for identification. The private key, used for authentication and encryption, is what grants a cryptocurrency user ownership of the funds on a given address. Since the public and private key are paired, when given an instruction to a blockchain network, the software signs the transaction with the user’s private key, indicating, in that moment, to the entire network, the user’s authority. In that instant (signing the transaction with the private key) the transfer is considered to be effective.

There are no exclusive laws or specific regulations applicable to any of the modalities of digital representations of assets, virtual tokens, their issuing and/or transfer in Portugal. On a case-by-case basis existing laws shall be evaluated to determine whether they apply to a specific ICO, token or related activity depending on the specific characteristics of each token.

However, there is a common understanding that these digital representations of assets (the tokens) are a representation of fungible and negotiable assets, which can be granted through rights analogous to those of traditional currencies. Rights of use, to develop a certain system, such as loyalty programmes or even other cryptographic currencies to be acquired in exchange for fiat currency, are typically framed in three categories, depending on the rights they contain.

Currency Tokens or Cryptocurrencies

The tokens representing a given cryptocurrency have the functions of (i) a means of exchange, (ii) a reserve of value and unit of account, and (iii) a contractual means of payment in accordance with the case law of the CJEU. They are not, therefore, considered securities, but rather recognised as means of direct payment among the operators that accept them benefiting from the exemption of Article 4/1§44 of MIFID II combined with the Prospectus Directive and Regulation.

Security Tokens

These contain characteristics that qualify them as an atypical security or financial instrument according to Article 1 of the Portuguese Securities Code (CdVM) and Article 4/1§44 of MIFID II. In a formal notification addressed to the entities involved in ICOs, dated 23 July 2018, the CMVM noted that tokens should be qualified, on a case-by-case basis, as atypical securities under Portuguese law. A test to assess whether or not a specific token may consequently become subject to securities regulation was developed and consists of the following elements:

  • Considered as documents (dematerialised or not), are the tokens representative of rights of a private and economic nature?
  • If the tokens are similar to typical securities under Portuguese law, does the issuer have an obligation to undertake actions from which the investor may draw an expectation of having a return on its investment?

Utility Tokens

These give holders access to products or services that are existing or under construction/preparation, other than securities or financial instruments. After an analysis of their characteristics and of the scope of a Portuguese cryptocurrencies, the CMVM stated, in a press release, that a token that merely allows its holders to participate in surveys related to the development of an online platform, which in the analysed case donated tokens to the online platform for the development of new features, does not qualify as a financial instrument, is not a security token and is therefore not subject to the securities legislation and the supervision of the CMVM.

The so called stable cryptocurrencies, or stablecoins, still have no distinction in our jurisdiction, either when referring to the form of fiat currencies, safeguarded in deposit or when referring to other real-world assets such as securities, commodities, real-estate, financial instruments and/or other assets, or events related to other crypto-assets. Consequently stablecoins controlled by algorithms to keep their prices stable and avoiding fluctuations are similarly undistinguished.

A cryptocurrency is defined as a “digital representation of value, not issued by a central bank, credit institution or e-money institution, which in some circumstances can be used as an alternative to money”, following the European Central Bank’s definition – to which the Portuguese authorities have largely subscribed. In Portugal, cryptocurrencies do not have legal tender and thus do not qualify as fiat currency, nor are they treated as money (whether physical or scriptural) or electronic money. Therefore, and in line with the statements made by the BdP, cryptocurrency acceptance at par value is not mandatory. There is no legal protection ensuring refund rights for consumers using cryptocurrencies to make payments, unlike what happens with regulated payment instruments, nor funds to cover the possible losses of its users, who will have to bear all the risk associated with transactions with these instruments. On 2015, the BdP issued Circular Letter No 011/2015/DPG recommending financial institutions not to hold cryptocurrencies due to the risks associated (in line with the opinion given by the EBA), such as the risks for its users and market players, financial integrity, money laundering. Cryptocurrencies are largely seen as an alternative payment method with a contractual nature that results from their status as private agreements, there being no restriction as concerns these private methods. They may, however, become subject to regulation if they perform as utility tokens or security/investment type tokens.

Portugal has not contributed to the phenomenon of tokenisation of non-fungible unique, digital items with blockchain-managed ownership.

The digital assets market has been growing in Portugal. As of the writing of this chapter, alternative financing, payment and money transfer services, regtech, cybersecurity and insurtech are the main fields searched by market players.

There is still no special regulation regarding exchanges, the implementation of the 5th Anti-Money Laundering Directive (AMLD5) into the Portuguese Legal System is certain to impose rules on these entities regarding anti-money laundering and know your customer (KYC) issues.

There has been been a major trend in Portugal regarding digital payment services, where most of the cases deal with the provisions set out in the Legal Framework for Payment Services and Electronic Money, in line with the revised Payment Services Directive (PSD2), applicable to most of the currently existing exchange platforms, considering that they are incorporated in Portugal and mainly provide payment services or electronic money. As an example, "coinbase" is registered within BdP as an electronic money institution. All major custodial exchanges at present are centralised exchanges (CEXs), they are not built on decentralised blockchain infrastructure but instead represent blockchain-based assets within an internal database that only they control. By contrast, decentralised exchanges (DEXs) are built using blockchain infrastructure, thus, users are allowed to trade their assets directly from a wallet they control.

A cryptocurrency exchange platform that allows for the deposit of fiat (cash) into the system and converts those funds into cryptocurrency is called an on-ramp. It is referred to as on-ramp since it allows users to acquire cryptotokens that enable their participation in the cryptocurrency ecosystem. A cryptocurrency off-ramp, on the other hand, refers to a cryptocurrency exchange platform that enables people to convert crypto-assets for products, services or the deposit of cash in their bank account.

In Portugal, most of these kinds of service are provided by foreign entities. However, they are subject to the applicable Portuguese legislation. There being no specific legislation addressing exchanges, the Legal Framework for Payment Services and Electronic Money provides the solution for such entities, considering them as electronic money institutions (eg, coinbase is registered within the BdP as an electronic money institution). As such, these businesses require a permit to operate, issued by the BdP, upon request and evaluation, and also need to be registered with that regulator.

In addition, it is worth mentioning that natural persons investing and trading in these platforms, are secured by Portuguese consumer laws, protecting them against fraudulent activity.

Law No 83/2017 is the Portuguese Law on anti-money laundering and combating terrorist financing. It subjects entities to some general provisions on the use of new technologies and products that favour anonymity, such as blockchain. Companies that are under its scope are required to monitor the risks regarding money laundering and terrorist financing, as regards their activities, arising from the use of new technologies. The provisions set forth in that legal text require them to pay particular attention to, and to document the procedures taken by them with regard to, risk mitigation and to keep a watchful eye on suspicious activities. Entities covered by this regime must undertake KYC procedures whenever there is an occasional transaction of more than EUR15.000 and reinforce those procedures when they identify an additional risk in their business relationships. According to the law, an additional risk is presumed to exist in products or operations that favour anonymity, in new products or commercial activities, in new distribution mechanisms and payment methods and in the use of new technologies or developing technologies, whether for new products or existing ones. Which means that considering digital assets the obliged entities should reinforce their KYC procedures.

One of the main concerns of the regulators in relation to blockchain and digital assets is the risk associated with money laundering and terrorist financing. For that reason, the use of digital assets has not been recommended. Furthermore, considering the publication of AMLD5, a legislative proposal has emerged regarding these concerns in the context of this Directive’s transposition into the Portuguese legal framework. As so, with the intent of updating Law No 83/2017, which establishes the mechanisms to prevent money laundering and terrorism financing, legislative proposal No 16/XIV recognises the necessity of “adopting measures to combat the risks inherent to the anonymity of currencies and other virtual assets which make their misuse possible for criminal purposes”.

Regarding specific measures, this proposal specifically aims to subject all service providers and entities engaged in activities related to these types of asset to the framework set by Law No 83/2017, which include information disclosure obligations as well as the standards by which enhanced due diligence will apply. Moreover, it should also be noted that this proposal suggests the addition of a provision establishing that activities with virtual assets may only be carried out by entities that have obtained prior registration with the BdP, which, for this purpose, will assess the competence and suitability of the applicant as a necessary condition for the granting and maintenance of the said registration. In this context, the BdP not only reserves the right to reject registration where it is established that there is a risk of serious non-compliance with laws and regulations designed to prevent money laundering and terrorist financing, but is also accredited with the powers of preventive supervision in this area of activity, which would include the competence to draft or approve regulations, or other rules of a general nature, designed to ensure that the obligations laid down in Law No 83/2017 are complied with.

Currently and as mentioned, only crowdfunding platforms have special legislation dedicated to them, there being no other specific regulation addressed to markets for digital assets in Portugal. That said, there is no special regulator for the digital assets market. Yet, the main regulators operating in these fields have internal departments dedicated to innovative and emerging markets.

It is worth mentioning that the regtech phenomenon is a reality in the Portuguese jurisdiction. These activities are still not automatically regulated and are consequently based on a case-by-case analysis, this firm has often assisted in this process. Regtech providers are tangential to regulated activities and consequently still do not require licensing or authorisations to undertake their business in Portugal. However, there are some cases where such providers do overlap with the regulated activities, in which case, they are subject to the already applicable rules. Another trend we have witnessed is that, in some other cases, these regtech activities represent an outsourcing of functions from the licensed entity once they focus on compliance and reporting, which means that certain obligations derived from the requirements of the overarching financial regulation will have to be complied with. The EBA’s guidelines on outsourcing arrangements must be considered in such cases.

There is no special regulation regarding re-hypothecation of digital assets in Portugal, whether by an exchange or any other entity.

The AMLD5 was the first European law to specifically mention wallet providers. Portugal is set to transpose this directive, the date, however, is still uncertain. Either way, the Portuguese legal system should adhere to the definition given to wallet providers: “an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies”. To date, there is still no regulation on hot and cold wallet providers in Portugal.

Initial Coin Offerings (ICOs) or other types of token offering are still not subject to specific regulation under Portuguese law.

The CMVM defines ICO's as "operations aimed at obtaining financing from the public through the issuance of tokens or coins which, as a rule, confer rights or functionalities related to the project they are intended to finance". Following the trend of most European Union countries, Portugal has adopted an approach characterised by a case-by-case analysis, in order to determine the nature of such offered tokens, specially their eventual qualification as securities. As an example, in certain cases ICOs intend to offer tokens representing rights or economic interests in a specific venture, project or company, or even in a token currency aiming to obtain future returns, which will lead to the automatic application of securities and financial market laws and, whenever this is the case, issuers must ensure compliance with all applicable obligations.

On 23 July 2018, the CMVM, in line with ESMA and other EU member state authorities, issued a communication addressed to entities involved in the launching of ICOs, pronouncing on the legal qualification of the tokens involved in these operations and concluding that, if a token is qualified as a security and the respective ICO is addressed to Portuguese investors, the relevant national and EU laws shall apply. Also, on 9 January 2019, ESMA came forward with an advice on ICOs and crypto-assets on the potential application of the Prospectus Directive, the Transparency Directive, the Market Financial Instruments Directive, the Market in Financial Instruments Regulation and respective implementing acts, the Market Abuse and Short Selling Regulation, the Settlement Finality Directive, the Central Securities Depository Regulation and the Alternative Investment Fund Managers Directive. The CMVM clarified that whenever an ICO qualifies as a public offering, not only should a prospectus be drafted and submitted, but it will also be subject to information quality requirements. Market abuse rules prescribe the sanctioning regime in force, which arises from non-compliance with any of the obligations related to the issue and placing on the market of securities; this may amount to fines of up to EUR5 million. Furthermore, investors and promoters should also bear in mind the risk of civil and criminal liability related to this type of initiative.

Whenever it is found that tokens do not have the characteristics of securities, given the lack of a specific regulatory framework, recourse should be made to supplementary regimes such as the advertising code or competition rules, complemented by general civil rights rules.

An Initial Exchange Offering (IEO) is a type of ICO. Therefore, the same principles that govern ICOs are applicable to IEOs. As such, tokens in relation to these may be qualified as securities and if so, this should result in the automatic application of securities and financial market laws. Yet, the difference is that in the case of an IEO there is a financial intermediary involved – the exchange platform – therefore, we must bear in mind the legal framework applicable to financial intermediaries. There is no specific regulation regarding IEOs nor exchange platforms per se.

Concerning the regulation in Portugal applicable to fundraising, readers should note the Crowdfunding Legal Regime Law No 102/2015 and the CMVM regulation 1/2016, which refers to an open call to the public through electronic platforms enabling interaction between fundraisers and the market allowing financial pledges to be made and collected through the platform. Currently, there are four types of crowdfunding in Portugal:

  • donation-based crowdfunding, where individuals donate amounts to meet the larger funding aim of a specific charitable project while receiving no financial or material return;
  • reward-based crowdfunding, where individuals donate to a project or business with the expectations of receiving in return a non-financial reward such as goods and services, at a later stage in exchange of their contribution;
  • investment-based crowdfunding, where companies issue equity or debt instruments to crowd-investors through the platform; and
  • lending-based crowdfunding, where companies or individuals seek to obtain funds from the public through the platform in form of an agreement.

This last crowdfunding category includes the down payment of the value of invoices of the borrower, by means of which that invoice serves the purpose of collateral. This does not constitute invoice trading (which is subject to specific rules regarding factoring activity).

Investment-based crowdfunding platforms generally have to be authorised under MIFID and therefore benefit from a passport to carry out regulated services and activities throughout the EU. This is the case where crowdfunding platforms provide investment services in relation to financial instruments, in particular transferable securities or units of collective investment undertakings unless they are authorised under a domestic bespoke regime developed under the exemption in Article 3 of MIFID.

The crowdfunding categories and activities that are within the scope of the CMVM’s supervisory powers are solely those that pertain to equity and lending-based crowdfunding.

There is no specific legal provision applying to funds that invest in digital assets in Portugal. However, considering the Portuguese Law and the opinion issued by the CMVM (for the sake of interested parties) and also, at EU level, considering ESMA’s position on the potential application of the Alternative Investment Fund Managers Directive to certain ICOs, stating that some investment funds or collective investment schemes that invest in digital assets can be incorporated as alternative investment specialised funds or as collective investment schemes in non-financial assets, it is safe to say that the legislation applicable to specialised collective investment schemes in non-financial assets (ie, crypto-assets) shall be applied. Such realities are under the CMVM’s supervision and must be permitted by the regulator to operate its activity. The licence shall be granted by the CMVM upon analysing compliance with the legal structuring required by law, governance issues (ie, board members' qualifications to undertake the envisioned activity) and provisional financial sustainability. The application of the Undertakings for Collective Investment in Transferable Securities Directive is possible in cases where a token offering may be seen as a collective investment scheme, as that term is defined in UCITS.

In Portugal there are no specific restrictions or requirements regarding the purchasing, holding or selling of digital assets (except where they qualify as securities).

Furthermore, where digital assets do not qualify as financial instruments, advisory services that are made solely in relation to them, and also the management of portfolios related to those kinds of assets, are not subject to the investment services laws and regulations applicable to securities. Thus, there is no specific licensing procedure. However, traditional advisory services and management services require prior permission and are subject to the CMVM and the BdP’s supervision. As a general rule, the Legal Framework for Credit Institutions and Financial Companies (RJICSF), the Portuguese general law applicable to brokers and other financial intermediaries, does not specify any particular issue concerning specialities related to dealing in digital assets. Therefore, whether or not a specific legal regime applicable to individuals (ie, financial advisory, exchange bureau, brokers, among others) shall be applied must be assessed on a case-by-case basis.

Portugal also has special regulations applicable to some financial intermediaries that deal in digital assets. Decree-Law No 91/2018 approved the Legal Framework for Payment Services and Electronic Money, transposing into the Portuguese legal system the PSD2. The regime established therein regulates access to the activity of payment institutions and electronic money issue services. This is the special regulation applicable to a type of financial intermediaries that deal (although not exclusively) in digital assets, namely due to the increased complexity and volume of electronic payments, was well as the emergence of new ways of market actuation (ie, open banking).

In any case, the procedure for incorporation of any of these kinds of entities follows the same principles; permit and post registration besides the regulator, whether the CMVM or the BdP.

There are no specific Portuguese laws or regulations that address the legal enforceability of contractual arrangements made through smart contracts, computer codes or the utilisation of a blockchain-based network. As referred to in 2.5 Judicial Decisions and Litigation, Portugal is a country with a civil law jurisdiction, the Portuguese legal system does not have the rule of precedent. Nevertheless, this does not mean that this type of contractual instrument is unsuitable to operate in accordance with Portuguese Law.

Smart Contracts should be examined in accordance with current general contractual law, namely the Portuguese Civil Code (CC) and Law No 7/2004 – Electronic Commerce Law (ECL) – in respect of the essential elements for celebration of a contract. As said the principle of contractual freedom of the parties is set forth in the CC (Article 405) and in the ECL (Article 25). The following contracts are excluded from this principle of admissibility of electronic contracts:

  • those regarding family law and succession;
  • those that require the intervention of courts, public entities or other entities that exercise public powers;
  • real estate contracts, with the exception of leasing; and
  • deposits and guarantees, when they are not integrated into the professional activity of the one providing them.

Moreover, declarations issued electronically satisfy the legal requirement in written form when contained in a medium that offers the same guarantees of reliability, intelligibility and conservation.

It should also be noted that according to Article 33 of the ECL, for contracts signed exclusively by means of computers, without human intervention, the common regime applies, except when this presupposes an action. The provisions on error are applicable in:

  • the formation of will, in case there is a programming error;
  • the declaration, if there is a malfunction of the machine; and
  • the transmission, if the message arrives deformed at its destination.

Developers play a key role in designing, developing, maintaining and evolving blockchain-based networks and the codes that run those systems. In the Portuguese legal system, as a general rule, any legal or natural person can be held liable for damages. Developer’s liability is an issue that has been creating a lot of discussion in the legal and technological environment worldwide, since the proof of damage caused by developers and its tracking is neither easy nor linear. In theory, if one can prove a loss arising from software, and prove that the developer had responsibility in that matter, that person would be liable. Yet, this question has not been raised in Portugal and, therefore, there is no judicial decision allowing this matter to be analysed from the perspective of the courts.

The Portuguese legal system has not yet addressed this multilateral and peer-to-peer relationships. Given the lack of specific rules and regulations, the entities involved should assess the risk and potential liability associated, setting up whenever possible (ie, private blockchains) an appropriate contractual framework to regulate the issue. That would involve allocating liability between developers, namely for system errors and failures. In addition, entities should ensure insurance coverage, depending on the extent of the risks associated.

Decentralised financial (DeFi) platforms are not prohibited in our jurisdiction however we still have no regulation for such activity, the same for lending of cryptocurrencies in line with the above mentioned.

As previously mentioned, there are no specific regulations applicable to any of the modalities of digital representations of assets, virtual tokens, their issuing and/or transfer in Portugal. However, on a case-by-case basis we have assisted in the assessment of the already existing laws in order to determine whether they apply to a specific issuance, token or related activity depending on the specific characteristics of each token.

Considering this scope (a security), the CMVM noted that tokens should be qualified, on a case-by-case basis as atypical securities under Portuguese law being consequently subject to a test to assess if a specific token ought to be subject to securities regulation, as referred to above (3.2 Categorisation). Bearing this in mind it will follow Portuguese securities regulation.

In the traditional Portuguese legal system, a lender’s claim to a borrower’s collateral is called a lien. The background for the formation of a lien has always been a financial guarantee agreement, which is enough, without the necessity of a special form. By means of this, the borrower has a compelling reason to repay the loan on due time since if he or she defaults on it, he or she stands to lose the pledged asset. According to the CdVM, a pledge (or lien) of securities shall be constituted by a registration in the account of the holder of the securities, with an indication of the amount of securities pledged, the guaranteed obligation and the identification of the beneficiary. Besides the CdVM, the financial lien entered into the Portuguese legal system by the transposition of the Directive 2002/47/CE, originating Decree-Law No 105/2004. According to this, on financial pledges, the registration in electronic form is proof enough (if the object of the pledge is identified) for the lender to execute that guarantee. Furthermore, the financial pledge may provide the lender with the means to sell or encumber the asset, just as if he or she owned it. Also, without prejudice to what is agreed by the parties, the execution of the guarantee by the lender shall not be subject to any requirement (namely, prior notification to the borrower of the intent to proceed). This framework, alongside the existence of a financial pledge agreement guarantees that the lender takes an effective security interest in an asset pledged as collateral.

There is still no special requirement for acting as a custodian for digital assets in Portugal. It follows the same requirements for incorporation and operation of custodian entities, a financial intermediary, in the Portuguese legal system consisting in a prior permit issued by the BdP, and post registration with CMVM. In the Portuguese ecosystem, custodian services are mostly provided by banks, there being no specialised custodian entities incorporated.

Regulation (EU) 2016/679 of the European Parliament and the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation or GDPR), is directly applicable to Portugal as well as to other member countries of the EU. So, the provisions of the GDPR are directly applicable in Portugal, as well as all its requirements, rights, etc. Portuguese Law No 58/2019 ensures that the execution of the GDPR in Portugal, is also applicable, but does not have any novelty regarding the fundamental aspects of the GDPR.

The existing legal framework was developed with traditional centralised processing of data in mind and did not consider blockchain and its decentralised and immutable nature. The immutability of blockchain raises fundamental challenges regarding data subjects' rights, particularly regarding the right to be forgotten and the right to rectification of personal data.

The right to rectification and the right to erasure are two fundamental rights of data subjects, set forth by the GDPR. The right to rectification means that the data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her (Article 16, GDPR). The right to erasure (or the right to be forgotten) means the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the legal grounds applies (Article 17, GDPR).

So, on the one hand, the GDPR is based on these assumptions that data can be modified or erased where necessary to comply with the legal requirements, and, on the other hand, one of blockchain's main objectives is ensuring data integrity to increase trust in the network.

One of the more common difficulties that is pointed out to blockchain solutions is the difficulty of applying the right to erasure to blockchains. Blockchains are usually designed to render the modifications or erasure of data difficult or even impossible. “For example, where the relevant consensus-mechanism that is used is proof-of-work, the majority of all P2P connected nodes would have to verify again the legitimacy of every effected transaction backwards, unbuild the entire BC block by block and then rebuild it afterwards, with every such transaction step to be distributed block-wise to all existing nodes” (European Parliamentary Research Service Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law? July 2019)

Nevertheless, practical solutions can be provided in order to circumnavigate this technical hindrance, through the adoption of measures that guarantee the inability of third parties to access the personal data on the Blockchain, namely if the recorded data on the blockchain is a commitment – a hash generated by a keyed-hash function or a hypertext – created via an algorithm and key, it’s possible to make the data inaccessible, through the erasure of certain verifying elements making it mathematically impossible to prove or verify which information was committed. Another solution relies on the destruction of the keyed hash functions secret key, which would produce similar effects.

Another method to achieve GDPR-compliance involves personal data being stored off-chain while simultaneously storing the reference to said data through a hash on the blockchain, allowing, if necessary, the total erasure of the data that was stored off-chain.

It shall be noted that the right to erasure is also a limited right, as data does not have to be erased where the further retention of the personal data should be lawful where it is necessary (namely), for compliance with a legal obligation (Article 17 (1) (e) and Recital 65 of the GPDR).

There is a well-known tension between the GDPR and blockchain-based solutions, addressed by several authors and studies (for more detail please refer to the study by the European Parliamentary Research Service mentioned in 8.1 Data Privacy).

Basically, there are two main tension points regarding the enforceability of a data subject’s rights.

Data Controllers

The first applies to the entity or entities that shall be considered as data controllers. A data controller is the natural or legal person, which alone, or jointly with others, determines the purposes and means of the processing of personal data. Joint controllers are two or more controllers that jointly determine the purposes and means of processing.

So, on one hand we have the GDPR that is based on the assumption that there is always a data controller, and that data subjects can address the data controller to enforce their rights under the GDPR. On the other hand, blockchains are distributed databases that often seek to achieve decentralisation by replacing a unitary actor with many different players.

This creates a serious difficulty over the allocation of responsibility and accountability of these data controllers. A consensus has not yet been reached within the EU over whether a joint-controllership exists under these cases.


The second point of tension relates to the enforceability of the rights of rectification and erasure (as detailed in 8.1 Data Privacy). On one hand, the GDPR is based on the assumptions that data can be modified or erased where necessary to comply with the legal requirements, and, on the other hand, one of blockchains main objectives is ensuring data integrity and increasing trust in the network. These two factors create a tension that will be very hard to reconcile.

Data Minimisation and Purpose Limitation

Data, according to the principle of data minimisation, shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, and, according to the principle of purpose limitation, shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. These principles can be hard to apply to blockchain technologies, as DLT’s are append (only) databases that continuously grow as new data is added and reproduced in many computers all over the world. It is not clear yet if the purpose limitation principle covers only the initial transaction or whether it also comprises the continued processing of personal data once it has been put on-chain.

Other difficulties apply when considering the transfer of data. On one hand we have the GDPR that states that personal data can only be transferred to third countries where (i) these benefit from adequacy decisions, (ii) appropriate safeguards are offered, or (iii) on the basis of a derogation. On the other hand, we have blockchain technology with multiple nodes on which the ledger is kept and data that can be located in various jurisdictions, both inside and outside the European Union, that cannot be controlled in a permissionless system as anyone may access the network without the need for prior authorisation by a central gatekeeper.

In summary there is work to do, but as a Report on Blockchain by the European Parliament (27 November 2018) highlighted, “blockchain technology can provide solutions for the data protection by design' provisions in the GDPR implementation on the basis of their common principles of ensuring secured and self-governed data”. Blockchain could be seen as a tool to achieve GDPR objectives, providing data subjects with control over the personal data that directly or indirectly relates to them is one of the various objectives pursued by the Regulation.

The activity of mining cryptocurrencies is still not regulated in Portugal and there are no restrictions on the operation of such activity. In 2019, the Portuguese Tax Authority, by means of an official ruling, in the context of a request for binding information regarding the tax framework applicable to mining activity for the purposes of VAT, concluded for the application of VAT rules to remuneration of cryptocurrencies, namely the application to those currencies of the legal provision that exempts transactions, including negotiation, concerning currencies, banknotes and coins, which are legal means of payment, in line with the opinions of the Court of Justice of the European Union.

The proof of stake consensus protocol is a part of most blockchain-based businesses and transactions as is intimately connected with that. In this context, the “staking” of tokens is not regulated in Portugal, nor does it exist as a provided service. Thus, it is another unregulated area in the Portuguese legal system. General rules of law may be applied to it.

TELLES Advogados

Rua Castilho, 20
4th floor
1250-069 Lisbon

+351 21 030 88 30

+351 21 030 88 39
Author Business Card

Law and Practice


TELLES Advogados is a full-service law firm with national coverage and a local presence in the two main cities of Portugal: Lisbon and Porto. The firm is represented by a range of departments that have many areas of expertise, including finance, projects, corporate and M&A, tax, energy and natural resources, real estate, and litigation. The finance, projects and capital markets team is comprised of eight members: one partner, four associates and three trainees. In addition, other practice areas involved in blockchain work are the digital, privacy and cybersecurity; tax; and litigation/arbitration teams. In recent years, the firm has enjoyed sustained growth and has achieved a greater presence in international markets as well as greater expertise in providing services suited to new technologies and business models.

Compare law and practice by selecting locations and topic(s)


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.