Portugal’s most relevant regulators for crypto-assets are now explicitly designated for MiCA purposes. Under Law 69/2025, the BdP is the competent authority for (among other areas) supervision of MiCA Titles III and IV (asset-referenced tokens and e-money tokens) and specific components of Title V (including, among others, the authorisation and notification process for CASPs and certain financial institutions), while the CMVM is competent for MiCA Titles II and VI (including market abuse and behavioural requirements) and other specified components. Law 69/2025 also sets out co-operation duties and points of contact for cross-border administrative co-operation, which is particularly important because MiCA operates through home-state authorisation and EU passporting logic. Alongside financial regulators, data protection oversight can be highly relevant for blockchain implementations, and the European Data Protection Board (EDPB) has issued guidelines on processing personal data through blockchain technologies, reinforcing that GDPR compliance must be built into design choices.

International alignment is clearest in AML/CFT. The EU “travel rule” Regulation (EU) 2023/1113 extends information-accompanying-transfer rules to crypto-asset transfers, aims at traceability, and explicitly states that it implements standards issued by the Financial Action Task Force (FATF) to tackle money laundering and terrorist financing. Portugal’s transitional MiCA execution rules expressly connect legacy VASP activity to the application of Regulation (EU) 2023/1113 and to Portuguese AML law, treating certain entities as CASPs for those AML purposes during the transition. In securities-market style areas (market integrity, conflict management, complaints handling), MiCA also reflects widely used International Organization of Securities Commissions (IOSCO)-style principles, but the strongest documentary anchor within the permitted sources is the EU’s formalised, rule-based transposition of FATF travel-rule expectations.

MiCA is the bespoke EU framework for crypto-assets that were previously not comprehensively regulated by existing EU financial services acts. The EUR-Lex summary describes MiCA as establishing uniform rules for issuers and crypto-asset service providers, including transparency/disclosure, authorisation/supervision, governance, consumer protections, and market abuse measures. MiCA applies from 30 December 2024, with the stablecoin-focused Titles III and IV applying since 30 June 2024, which means that in Portugal the core EU crypto regulatory regime is already in force as of the date of this article. Portugal executed MiCA through Law 69/2025, which adds national supervisory architecture, procedures, and a sanctions regime.

Characterisation and classification remain critical because MiCA is not meant to encompass traditional instruments that are already regulated elsewhere, and because certain tokens (notably ARTs and EMTs) trigger specialised authorisation and reserve/backing obligations. The BdP’s own MiCA implementation page for ART/EMT issuance stresses that ARTs and EMTs are governed by MiCA Titles III and IV, and that offers/admissions of ARTs generally require an EU-established and authorised issuer (or a credit institution meeting specified conditions), while EMTs can only be offered by credit institutions or electronic money institutions subject to notification and white paper publication steps. At EU level, the European Supervisory Authorities (ESAs) have issued guidelines and standardised tests supporting consistent classification of crypto-assets and requiring explanations or legal opinions to accompany certain white papers, which underscores that “what is this token?” is a regulated question, not a marketing question.

Regulated activities under MiCA include both issuance/offer/admission processes and service provision as a CASP, with a harmonised authorisation and passporting model. Portugal’s Law 69/2025 makes it a very serious administrative offence to provide crypto-asset services without authorisation and also penalises conduct that suggests a person is an authorised CASP when they are not. Prohibitions and constraints in practice therefore arise from (i) licensing perimeters and (ii) specific token-type requirements, rather than from an outright ban on crypto in Portugal, and the BdP has reiterated that crypto-assets are not prohibited as such. Retail-professional segmentation exists in various MiCA concepts (for example, certain exemptions tied to qualified investors in ART contexts), and Banco de Portugal’s ART guidance expressly notes that some offers can be exempt from authorisation, including where directed only to qualified investors, though documentation and notification obligations can still apply.

Notwithstanding this, with relation to custody and transfer services of EMTs on behalf of clients, BdP follows the EBA’s interpretation that these are generally qualified simultaneously as crypto-asset services and payment services under PSD2 (namely, as payment accounts and execution of payment transactions). Therefore, any CASP that intends to provide these services as part of their crypto-assets services offer is required to have a dual authorisation as a CASP and payment service provider (PSP) or partner with a dual authorised entity.

Over the next 12 months from 13 April 2026, the most legally concrete “incoming change” in Portugal is the end of the national transitional runway on 1 July 2026 for certain entities registered under the pre-MiCA virtual asset regime, after which MiCA authorisation becomes decisive for continued operation. In addition, MiCA is continuously operationalised through technical standards and guidelines produced by EU authorities, and EBA materials indicate an ongoing pipeline of RTS/ITS and guidelines relevant to stablecoin issuers and, by extension, systemic-risk management.

Using a legal wrapper such as a fund can change which regulatory regimes apply to the investor-facing product, but it does not remove the relevance of MiCA where the structure includes issuance of in-scope crypto-assets or the provision of crypto-asset services. In practice, fund wrappers often shift the core investor protections towards fund law (governance, custody/depositary arrangements, valuation rules, risk disclosures) while leaving MiCA to govern token issuance or CASP functions where those functions occur. MiCA itself is described as an entity-based regime, and ESMA stakeholder advice notes a “two-track approach” in which already-regulated financial entities may be subject to notification-type processes rather than the full authorisation process when they expand into crypto-asset services. This means that regulated firms may benefit from procedural relief, but not from a substantive exemption from crypto-asset conduct expectations.

For regulated firms and investment funds holding crypto-assets, the main regulatory consequences are typically prudential, governance, and disclosure-driven. Where a regulated entity provides custody, exchange, or platform-type services as a CASP, MiCA’s client asset segregation expectations and operational requirements become central, including the insolvency-relevant legal segregation expectation for custody providers. For stablecoin exposure, additional prudential and reserve management expectations arise at issuer level, and the EBA’s MiCA materials set out extensive technical standards and guidelines addressing liquidity, conflicts, stress testing, and reserve-asset composition for ART/EMT issuers. Even with a fund wrapper, classification and perimeter analysis remains unavoidable, especially where the wrapper invests in tokens that may be close to traditional financial instrument boundaries.

Portugal can support token issuance activity, but post-MiCA the viability of any ICO/TGE is driven by whether the token is an ART, an EMT, or another MiCA in-scope crypto-asset, because the authorisation and disclosure obligations change materially by category. The BdP’s guidance on ARTs explains that public offers or admission requests in the EU generally can only be made by an EU-established issuer authorised under MiCA (or by a credit institution meeting MiCA conditions), and even where authorisation exemptions apply (such as limited size or qualified-investor-only offers), a crypto-asset white paper must still be drawn up and notified. For EMTs, the BdP states that the issuer must be a credit institution or an electronic money institution and must notify the competent authority and publish the white paper under MiCA procedures.

Disclosure obligations in Portugal are therefore largely MiCA-driven, not bespoke “Portuguese ICO law”. Portugal’s Law 69/2025 supports this by imposing sanctions for non-compliant public offers/admissions and by allocating supervisory responsibilities between the BdP and the CMVM depending on the token type and regulatory topic. Transitional provisions are important for firms that were previously registered only for AML purposes, because continuing activity is allowed only up to 1 July 2026 at the latest, and token issuance or service expansion plans must be mapped into MiCA authorisation timelines. In short, token launches “from Portugal” are viable, but only with early category determination, correct authority engagement, and a MiCA-compliant disclosure package.

For tokens that qualify as financial instruments instead of crypto-assets, financial markets rules such as those arising from MiFID II and the Portuguese Securities Code will apply, regardless of the technological wrapper of the asset.

Portugal now has a clear market abuse framework for crypto-assets admitted to trading on a crypto-asset trading platform within MiCA’s scope. Law 69/2025 explicitly classifies as “very serious” administrative offences the use or transmission of inside information, breaches of the inside information disclosure regime, market manipulation (subject to potential criminal characterisation), failures to maintain effective prevention and detection systems, and failures to report suspicious orders/transactions by those who professionally organise or execute crypto-asset transactions. This national sanctions framework operationalises MiCA’s market integrity goals within Portugal’s enforcement system and clarifies that crypto-asset market abuse is not an unregulated space.

Compared to traditional securities regimes, the major practical differences are usually the market microstructure and data environment rather than the core prohibitions. Crypto trading often occurs across fragmented venues, with faster retail participation and different custody and settlement mechanics, which makes surveillance and attribution harder and increases reliance on platform-level monitoring tools. ESMA stakeholder materials emphasise issues such as online marketing dynamics, “finfluencers”, and the need for surveillance of undesirable practices that have contributed to CASP collapses in the past, which forms part of the supervisory context for market integrity. In effect, Portugal and the EU have chosen to apply “market abuse-type” norms to crypto markets, but with a stronger operational focus on platform controls and suspicious activity reporting.

Portugal’s post-MiCA enforcement framework is now explicit and substantial. Law 69/2025 sets out wide-ranging administrative offences, and it empowers authorities to impose precautionary measures including seizure and freezing of “values and crypto-assets”, as well as closure of establishments where illicit activity is carried out. It also establishes meaningful sanctions for unauthorised provision of crypto-asset services and for misleading indications that a person is an authorised CASP. This indicates that Portuguese enforcement is designed to be more than advisory and that regulators can act quickly where consumer or market risks are detected.

On cross-border breaches, the system is oriented around administrative co-operation and points of contact. Law 69/2025 designates the BdP and the CMVM as points of contact for cross-border administrative co-operation under MiCA, which facilitates co-ordinated supervisory responses where firms solicit or serve clients across member states. Pre-MiCA, the BdP also used public alerts to warn that certain entities were not registered as VASPs under its supervision and, in some cases, not authorised to accept deposits or other repayable funds, which is a form of reputational enforcement particularly relevant for cross-border online schemes. Over the next 12 months from 13 April 2026, enforcement intensity is likely to increase around the 1 July 2026 transition deadline, because that date creates a clear compliance boundary between legacy AML registration and full MiCA authorisation.

In Portugal, licensing/authorisation triggers now arise primarily under MiCA for crypto-asset services and certain token issuance, supplemented by AML/CFT perimeter rules. Historically, “activities with virtual assets” could only be exercised by entities obtaining prior registration with the BdP under Article 112-A of Law 83/2017, and that law defines the covered activities broadly, including exchange services, transfers, and custody/administration (including private key control tools). Portugal’s Law 69/2025 now makes it a very serious offence to provide crypto-asset services without the due authorisation and sets additional enforceable “substance” style duties (EU seat/management-body residency expectations) for CASPs.

Territoriality is addressed directly in Portugal’s MiCA transition rules and in Banco de Portugal’s earlier registration perimeter. TheBdP consultation draft on virtual asset registration (used to regulate Law 83/2017 registration mechanics) defined when entities are considered to operate “in national territory,” including when they are constituted in Portugal for virtual-asset activities. Under MiCA, foreign entities serving Portuguese clients can be pulled into EU authorisation and marketing constraints depending on how services are provided and solicited, and the cross-border co-operation design in Law 69/2025 reflects that expectation.

Grandfathering exists but is time-limited and conditional. MiCA allows CASPs that provided services before 30 December 2024 under national law to continue until 1 July 2026 or until authorisation is granted or refused, and it permits member states to shorten that window. Portugal’s Law 69/2025 adopts a specific transitional regime: only entities that were registered with the BdP as of 30 December 2024 and had started activity (and communicated that fact under BdP Notice 3/2021) may continue the registered activities until 1 July 2026 or MiCA authorisation/refusal, whichever comes first, while registrations of entities that had not started activity by 30 December 2024 are treated as having lapsed at that date. During the transition, Portugal also treats these entities as “CASPs” for travel-rule and AML purposes, which prevents a regulatory vacuum but raises the practical expectation that they must run MiCA-grade compliance uplift programmes well before July 2026.

Under the pre-MiCA AML registration regime, Portugal already imposed structured onboarding expectations for virtual asset activity, including fit-and-proper review and documentation requirements. Law 83/2017 requires prior the BdP registration for virtual asset activities and provides for competence and suitability assessment as a condition for granting and maintaining registration. The law and related BdP materials set out refusal, lapse, and cancellation grounds, including where there is a risk of serious non-compliance with AML/CFT rules, and also provide for lapse if activity is not commenced within a defined time window. This historical structure is relevant because it underpins the transition cohort eligible to operate until 1 July 2026.

Post-MiCA, substance and governance expectations become even more operationally demanding, even where the detailed procedural documents are authority-specific. Portugal’s Law 69/2025 makes it a very serious offence for CASPs to breach duties, such as having a registered office in an EU member state where the CASP carries on at least part of its activity, having effective management in the EU, and having an EU-resident management body member. For stablecoin issuers,the BdP describes formal authorisation and notification processes with defined timelines for completeness checks and merit assessment in ART cases, and a pre-notification timing expectation in EMT cases, which effectively forces early build-out of compliance and documentation capacity. Prudential requirements depend strongly on the exact authorisation type (CASP versus ART issuer versus EMT issuer) and on whether the entity is already a bank or electronic money institution, but EBA materials set out extensive prudential-adjacent standards for reserve assets and governance for ART/EMT issuers.

Where CASPs are required to hold a dual licence as a PSP, prudential and own funds requirements must be accounted for each licensed entity autonomously, and the own funds used to comply with the requirements of one cannot be used to comply with the other.

Portugal’s MiCA execution law expressly treats change-of-control style events as a serious compliance issue. Law 69/2025 classifies as a very serious offence the failure to notify the competent authority of the direct or indirect acquisition or disposal of a qualifying holding in a crypto-asset service provider. This means M&A involving Portuguese-supervised CASPs must include a regulatory notification and approval strategy, and it cannot be treated as a purely corporate law transaction.

Change of control also ties into governance and fitness expectations because suitability of key persons and owners is part of the MiCA supervisory model. EBA materials show that joint EBA/ESMA guidelines exist for suitability assessments of shareholders with qualifying holdings and for management body members for ART issuers and CASPs, which reinforces that change-of-control is assessed substantively, not just procedurally. For deal planning, this implies longer lead times, careful structuring of interim control rights, and robust disclosure of ultimate beneficial owners and financing sources, especially where crypto-business revenues may present higher AML/CFT sensitivity.

MiCA establishes an EU-wide authorisation concept intended to permit the cross-border provision of crypto-asset services within the Union under harmonised conditions. Portugal’s MiCA execution law designates points of contact for administrative co-operation and specifically positions the BdP and the CMVM to co-ordinate cross-border supervision, which provides the necessary infrastructure for passporting to function in practice. The BdP’s own MiCA materials for ART/EMT issuance include a dedicated section on Passaporte comunitário, reflecting that cross-border effect is an inherent part of the stablecoin issuance and supervision model.

For Portuguese-authorised firms, passporting is not a “free for all”. Firms must still comply with host-state consumer, marketing, and AML expectations, and they must manage operational differences in local complaint handling and dispute resolution access. Portugal’s Law 69/2025 requires CASPs and certain token issuers to offer consumers access to effective out-of-court complaint handling and alternative dispute resolution, and to adhere to multiple ADR entities within three months of starting activity, which becomes part of the compliance baseline for a Portuguese home-state authorised provider. During the transitional period until 1 July 2026, “passporting” in the MiCA sense is generally constrained for entities that are still operating only under the legacy registration regime, because they have not yet obtained MiCA authorisation.

Marketing crypto-asset services into Portugal is constrained by the authorisation perimeter, by MiCA disclosure and conduct expectations, and by general Portuguese advertising law. The BdP’s consumer materials stress that crypto-assets are not legal tender, are volatile, and have limited investor protection, which shapes how promotions should be framed and what risk disclosures are prudent. Portugal’s Advertising Code adopts a broad definition of advertising as any commercial communication aimed at promoting goods or services, which means crypto-asset promotions and influencer-driven campaigns can fall within its scope even where no specific “crypto ad law” applies. ESMA stakeholder advice also highlights the importance of monitoring online marketing and “finfluencers” in crypto distribution channels, reflecting EU-wide sensitivity to marketing-driven harm.

Exemptions and reverse solicitation are difficult in crypto because the internet blurs solicitation lines. ESMA stakeholder materials note that crypto “amplifies the need” to clarify what counts as solicitation or reverse solicitation due to blogs, message boards, and other crypto-specific channels. As a result, firms relying on reverse solicitation should document the client journey and avoid any Portugal-targeted promotional steps that could be characterised as active marketing. In the next year, the most immediate practical marketing change is the 1 July 2026 end of Portugal’s transitional period for legacy registrants, because post-deadline marketing by an entity lacking MiCA authorisation is likely to face materially higher enforcement risk.

White-labelling into Portugal is legally viable only if the regulated perimeter is respected and responsibilities are contractually and operationally aligned with who is actually providing the regulated service. MiCA is an entity-based regime, and Portuguese law treats it as a very serious offence to provide crypto-asset services without authorisation or to suggest authorisation when it is absent. This creates a direct risk that a “white-label partner” is, in substance, an unauthorised CASP if it performs core service functions (custody, exchange execution, platform operation) rather than merely providing technology to an authorised entity.

Operationally, white-label arrangements also raise outsourcing and conflict-of-interest concerns, which are prominent in EU supervisory work on CASP authorisation and conduct. ESMA stakeholder advice discusses the importance of understanding corporate structures and the failures that contributed to CASP collapses, as well as the need for segregation and robust controls, all of which become harder when service delivery is split among multiple entities. For Portugal-specific planning, firms should assume regulators will look through branding to real control of client assets, transaction execution, and compliance systems, and they should structure the relationship so that the authorised entity retains sufficient control to meet its governance and monitoring obligations.

DeFi is not “banned” as a concept in Portugal, but regulatory obligations can arise depending on whether a regulated service is being provided and whether it is partially centralised. ESMA stakeholder materials, referencing MiCA’s Recital 22, state that partially decentralised services are in MiCA scope while fully decentralised services are not, and also note that distinguishing the two is not straightforward. This implies that many real-world “DeFi” offerings that have identifiable operators, front-ends, fee capture, or governance control points may be treated as in-scope.

For CeFi firms using DeFi rails (for example, routing trades or liquidity management through protocols), the principal concerns are client asset segregation, conflict management, and operational risk. MiCA custody rules emphasise segregation and insolvency protection for client assets held in custody by CASPs, which becomes harder if assets are deployed into smart contracts where legal and operational segregation is less clear. The firm must also ensure that risk disclosures and consent processes appropriately reflect smart-contract risk, oracle risk, MEV and execution uncertainty, and the possibility that protocol governance changes can alter risk exposures. In practice, supervisors are likely to test whether “DeFi use” is consistent with the firm’s ability to return client assets promptly and to maintain surveillance systems appropriate to its service commitments.

Portuguese corporate structuring for DeFi commonly tries to balance decentralisation narratives with legal accountability and operational control, but the precise “market standard” cannot be confirmed from the permitted official sources. What is clear is that MiCA is entity-based, and ESMA stakeholder materials highlight that MiCA’s regime is oriented toward identifiable entities and authorisation processes, even as DeFi challenges that model. As a result, a purely “DAO-only” model can create regulatory ambiguity if any identifiable party effectively provides services or controls a front-end that targets EU users.

Where a DeFi operation is partially centralised or has an operating entity that provides services to clients, Portuguese licensing and substance requirements can become relevant by analogy to CASP expectations. Portugal’s Law 69/2025 creates enforceable duties for CASPs around EU management location and governance composition, which signals that regulators expect accountable governance anchored in the EU. Even if a protocol is decentralised, any Portuguese operating company involved in custody, brokerage, or client interfacing may face MiCA-triggered licensing needs. Practical set-up planning therefore focuses less on “capital requirements for a DAO” and more on whether any entity is performing a regulated function and how that entity can meet governance, risk, and compliance expectations.

Portuguese judicial materials demonstrate that crypto-assets can be treated as objects of legal action (seizure, return, forfeiture), but there is limited publicly accessible, crypto-specific Portuguese jurisprudence in the permitted sources addressing DeFi protocol liability as such. What can be stated confidently is that Portuguese courts have engaged with crypto-assets in criminal procedure contexts and have analysed wallet access and seizure legality, which indicates judicial willingness to treat crypto-assets as actionable assets rather than as legally “invisible.” For DeFi harm scenarios, that suggests victims may pursue remedies through general tort, contract, and unjust enrichment doctrines, supplemented by criminal law where fraud or misappropriation exists, but the precise doctrinal pathways will be intensely fact-dependent.

On the regulatory side, accountability is likely to be pursued through authorisation perimeter enforcement and market integrity tools rather than through “protocol liability” doctrines. Law No 69/2025 empowers precautionary measures including seizure and freezing of crypto-assets, and it sets market abuse and unauthorised service offenses at a “very serious” level, which can be used where identifiable actors are involved. ESMA stakeholder materials also emphasise the need to monitor DeFi development and clarify MiCA’s application to DeFi operations, which signals an enforcement posture that will evolve as factual patterns become clearer.

Payments in crypto-assets are not prohibited in Portugal, but they are not equivalent to paying in euros, and they do not transform the payer or payee into a regulated payment institution simply because a crypto transfer occurred. Banco de Portugal has clearly stated that crypto-assets are not legal tender in Portugal, no one is obliged to accept them, and crypto-assets do not perform the functions of money in the way legal tender does. Therefore, accepting crypto as consideration is generally a private-law and tax question, but not “currency use” in the legal tender sense.

Where crypto-based payment products resemble regulated payment services (for example, client fund custody, fiat legs, or issuance of redeemable monetary value), Portuguese and EU payments law can be triggered. Portugal’s Regime on Payment Services and Electronic Money (Decree-Law 91/2018) defines payment services broadly, reflecting PSD2 transposition, and it anchors the regulated payments perimeter around “funds,” payment accounts, and payment execution services. Firms offering crypto-to-fiat payment facilitation, custodial wallets with payment functionality, or stablecoin-based payment instruments must therefore analyse whether they are providing regulated payment services, issuing e-money, or providing MiCA-regulated crypto services. In practice, hybrid models are where most risk accumulates, especially if consumers experience the product as “money-like” while the firm lacks the corresponding authorisation.

Tokenisation of real-world assets (RWAs) in Portugal is regulated primarily by the legal nature of the underlying right and by whether the tokenised instrument is already covered by existing financial services regulation, with MiCA filling gaps for “non-traditional” crypto-assets. MiCA is explicitly described as applying to issuers and service providers of crypto-assets that were “so far not regulated by other EU financial services acts”, which implies that many tokenised securities and traditional instruments remain governed by the existing securities framework rather than by MiCA’s crypto-native perimeter. At the same time, MiCA-driven classification processes and standardised tests (including ESAs templates for explanations and legal opinions) highlight that tokenised products must be analysed carefully to determine whether they qualify as ART/EMT/other MiCA crypto-assets or instead as traditional regulated instruments.

From a practical standpoint, tokenisation does not “de-regulate” an asset. If the token represents rights equivalent to shares, bonds, fund units, or other regulated instruments, the tokenised form is likely to carry forward the regulatory obligations attached to that instrument class, including the investment services (custody, trading platform operation) related to them under MiFID II and the Portuguese Securities Code. Portugal’s Law 69/2025 also establishes mechanisms of co-operation between the BdP, the CMVM, and the ASF for legal qualification opinions on crypto-assets, which reflects institutional recognition that tokenisation creates recurring classification questions with real supervisory consequences. In implementation, the primary compliance work is therefore to map the token’s legal nature, the service model, and the investor/customer perimeter, and then to apply the appropriate combination of traditional financial regulation, MiCA, AML travel-rule obligations, and consumer/advertising standards.