Contributed By Vieira de Almeida & Associados
As an EU Member State, Portugal’s digital economy framework is largely shaped by harmonised EU legislation aimed at promoting market fairness, consumer protection and digital trust. Key instruments include:
Portugal has also reinforced its digital policy agenda through an updated National Digital Strategy, which prioritises public-sector digitalisation, business transformation, cybersecurity, digital inclusion and the green–digital transition.
Recent EU Developments
The EU has proposed a Digital Networks Act, aiming to update the current electronic communications regulatory framework embodied in the European Electronic Communications Code. The proposal aims to create a more integrated single market for high-quality digital networks that underpin the broader digital economy, including fibre, 5G/6G and advanced connectivity services.
Portugal’s digital economy is shaped by the continuous expansion of EU digital regulation and the rapid integration of advanced technology. Data governance remains a complex area, particularly in international data transfers, where GDPR safeguards must be balanced against the need to facilitate global digital trade. Addressing persistent digital divides also remains a policy objective, with targeted measures needed to improve digital access and skills among underserved regions, ageing populations and smaller businesses.
AI Governance
An additional central challenge concerns the implementation of AI governance obligations, as regulators and market participants work to support innovation while enforcing new requirements on oversight, risk classification and accountability.
Cyber Resilience
Cyber resilience has become a strategic priority. The growing reliance on digital infrastructure increases systemic exposure to cyber incidents, prompting policymakers to strengthen supervisory frameworks and encourage sustained investment in security, compliance and incident response capabilities.
The taxation of digital goods and services in Portugal is largely shaped by the EU VAT system, with domestic rules closely following EU directives and recent reforms addressing digital business models. VAT is applied on a destination basis, meaning that tax liability is determined by the location of the customer rather than the supplier.
Key Compliance Challenges
From an operational perspective, compliance can be demanding, particularly for digital platforms and cross-border providers. Key challenges include:
Although simplification tools such as the One-Stop Shop system have eased some administrative burdens, ongoing compliance remains resource-intensive, and areas of interpretative uncertainty continue to create exposure.
Digital advertising income in Portugal is taxed under the EU VAT framework, with the applicable treatment depending on factors such as the supplier’s tax residence, the B2B or B2C nature of the service and the customer’s location. In cross-border contexts, destination-based VAT rules and reverse-charge mechanisms are commonly applied.
TMT companies typically rely on automated tax and invoicing systems aligned with Portuguese requirements, including SAF-T reporting, and maintain accurate records on customer identification and VAT status for compliance.
Portugal, as an EU member state, applies a consumer protection regime grounded in EU law and supplemented by national legislation. Key instruments include:
Compliance Obligations
Within this framework, companies need to ensure transparency in contractual terms, pricing and digital content features, apply fair contractual conditions, safeguard personal data and ensure secure digital transactions, while maintaining effective customer support.
Dispute Resolution
Consumer disputes are resolved through a combination of alternative dispute resolution mechanisms and court proceedings, with arbitration, mediation and julgados de paz commonly used for lower-value claims. In practice, structured internal complaint-handling systems and alternative dispute resolution mechanisms are increasingly relied upon to manage disputes efficiently and reduce litigation and reputational risk.
Overview
Blockchain forms part of Portugal’s digital ecosystem, primarily within defined and specialised use cases in the TMT sector. Beyond crypto-assets, deployment tends to be selective, with applications emerging in areas such as digital identity, smart contracts and limited platform governance functions.
Regulatory Classification and Compliance
The main legal challenges stem from regulatory classification and compliance. Despite the introduction of a comprehensive EU framework under Regulation (EU) no. 2023/1114, (the MiCA Regulation), and the expansion of AML obligations to crypto-asset service providers, legal uncertainty may still arise around the legal characterisation of tokens, licensing requirements and the application of securities law to specific use cases.
Additional compliance challenges stem from the pseudonymous nature of blockchain transactions in the context of AML/CFT rules and the tension between ledger immutability and GDPR principles, particularly data minimisation and erasure rights.
AML Obligations
In the AML domain, crypto-asset service providers that fall within the definition of the MiCA Regulation, regardless of whether they are otherwise subject to the remaining provisions of Law no. 83/2017 (AML Law) have become subject to the MiCA Regulation’s enforcement measures as provided for in the AML Law. They are therefore subject to a set of obligations aimed at mitigating risks associated with transfers of funds and crypto-assets, including:
Registration with the Banco de Portugal (the Portuguese Central Bank and banking regulator) is mandatory, as it is the competent authority in Portugal responsible for verifying compliance with MiCA and the AML Law. Crypto-asset service providers are subject to the sanctions regime under the AML Law in the event of non-compliance. Depending on their features, token issuances may also qualify as securities and fall under the supervision of the Comissão de Mercado de Valores Mobíliarios (CMVM), the Portuguese Securities Market Commission, responsible for regulating and supervising the securities market and all agents operating within it.
Overall, Portugal’s approach aims to support innovation while managing financial, technological and governance risks in line with evolving EU standards.
General Framework
In Portugal, cloud and edge computing services that process personal data are subject to the GDPR, complemented by Law no. 58/2019, which ensures its application in Portugal. The GDPR also applies to non-EU based cloud and edge providers when they process personal data of subjects located in the EU. In such cases, transfer impact assessments must be carried out and appropriate safeguards must be implemented, particularly where foreign laws may require access to the data. The Data Act also introduces cloud switching and interoperability obligations. Unjustified data-localisation requirements for non-personal data are also prohibited under Regulation (EU) 2018/1807. The regulation also applies to cloud and data-centre services.
Controller–Processor Obligations
In most cases, cloud service providers act as processors under the GDPR. This means that controllers must enter into contracts with these providers, governing matters such as processing instructions, security measures, data return or deletion when the contract ends. Regulators also stress the importance of data portability and having clear exit strategies when changing providers.
EU Policy Developments
EU policy developments are expected to further strengthen security and governance requirements. These include planned initiatives such as the European Commission’s Cloud and AI Development Act, which aims to promote a secure and competitive European cloud and AI ecosystem.
Sector-Specific Requirements
Sectors that handle large amounts of sensitive or critical data, such as banking and finance, insurance, healthcare and telecommunications, are subject to stricter supervisory and sector-specific rules. These often require higher security, resilience, and audit standards in cloud outsourcing agreements, as well as close control of international data transfers.
Under the NIS2 Directive, public authorities, critical infrastructure operators, essential service providers and digital service providers must implement appropriate technical and organisational security measures and report significant incidents. These requirements also affect cloud and edge computing deployments.
The EU AI Framework
Portugal applies the EU’s horizontal AI regime, with Regulation (EU) 2024/1689 (EU AI Act) as the primary, directly applicable instrument. The EU policy environment continues to evolve, including:
Complementary Legal Frameworks
Beyond the EU AI Act, AI-related activities must also comply with the GDPR, consumer and product safety rules, cybersecurity requirements as well as civil and criminal law.
National Measures
In addition to Autoridade Nacional de Comunicações(ANACOM) serving as the national AI authority (which also acts as the Portuguese telecoms and postal regulator), Portugal has adopted the National AI Agenda (Agenda Nacional de Inteligência Artificial, ANIA) through Council of Ministers Resolution no. 2/2026. This agenda aims to promote responsible AI adoption and strengthen institutional capacity.
Complementing ANIA, the National Digital Strategy Action Plan 2026–2027 advances cloud sovereignty, data spaces, interoperability and cybersecurity, and creates public-sector enablement mechanisms to scale responsible AI adoption in government and the economy.
Deepfakes and AI in Transport
Portugal still has no laws specifically targeting deepfakes or AI in transport. However, existing laws may still apply. Deepfakes may give rise to liability under existing civil liability rules (including claims for damages), cybercrime and fraud offences under Law no. 109/2009 (the Cybercrime Law), and the GDPR, since a person’s image and voice qualify as personal data.
Pilots and testing of self-driving features rely on EU law, most notably Regulation (EU) no. 2019/2144 (the Vehicle General Safety Regulation). For drones, the regime is defined by Regulation (EU) no. 2018/1139, on common rules in the field of civil aviation, and the EU Drone Regulations (Regulation (EU) no. 2019/945 and Regulation (EU) no. 2019/947), implemented domestically via Decree-Law no. 87/2021.
Applicable Legal Framework
IoT solutions may be subject to a set of cross-cutting EU and national legal instruments, depending on the specific solution’s characteristics.
Electronic Communications
At the forefront, IoT solutions may be subject to the ECL to the extent that these qualify as connectivity services falling under the electronic communications services’ definition provided therein. In such cases, sector-specific conditions apply, including the obligation to obtain a general authorisation to provide such services from the national regulatory authority (ANACOM).
In this context, rules on legal interception, personal data and communications privacy apply where IoT and machine-to-machine communications are qualified as electronic communications services and/or networks, notably pursuant to Law no. 41/2004, which transposes Directive 2002/58/EC (ePrivacy Directive). This law sets obligations relating to confidentiality and security of communications and regulates the processing of traffic and location data.
Data Protection
IoT and machine-to-machine solutions that entail the processing of personal data are fully subject to the GDPR (and the implementing Law no. 58/2019), including data minimisation, purpose limitation, security of processing, breach notification and privacy by design and by default requirements.
The Data Act
IoT solutions may also be subject to the Data Act, which establishes harmonised rules on access to and use of data generated by connected products and related services, granting users access and sharing rights and regulating data sharing with public sector bodies in cases of exceptional need.
Cybersecurity
Cybersecurity obligations may arise where IoT solutions support essential or important entities under the NIS2 Directive. In Portugal, the NIS2 Directive has been transposed by Decree-Law no. 125/2025, covering risk management, incident reporting, supply-chain security and governance. In parallel, Regulation (EU) no. 2024/2847 (the Cyber Resilience Act) introduces horizontal essential cybersecurity requirements for products with digital elements, including vulnerability handling, updates and conformity assessment across the lifecycle.
AI in IoT
The EU AI Act is increasingly relevant to IoT ecosystems where connected devices integrate AI systems or models for monitoring, profiling, prediction, or automated decision-making.
Companies deploying IoT solutions in Portugal face significant compliance challenges arising from the combined and lifecycle-based application of EU data, product and cybersecurity frameworks, in addition to the electronic communications regulatory framework.
Data Governance
A central challenge is compliance with the Data Act, which introduces obligations connected with data generated by connected products, including:
Cybersecurity Compliance
The Cyber Resilience Act establishes essential cybersecurity requirements for products with digital elements, including vulnerability management, defined security update lifecycles and incident and vulnerability reporting obligations. Manufacturers, importers, and distributors must prepare for conformity assessments and CE marking within applicable transition periods.
Data Protection
The GDPR imposes strict requirements on data minimisation, purpose limitation, security, accountability, breach notification and the performance of Data Protection Impact Assessments for high-risk processing. These obligations are particularly demanding in IoT contexts characterised by continuous, passive personal data collection and extensive inferential capabilities.
Governance Frameworks
To manage these overlapping requirements, companies should adopt integrated governance frameworks aligning Data Act compliance, cybersecurity under the Cyber Resilience Act, and privacy governance under the GDPR, supported by coordinated legal, technical and organisational measures across the product.
IoT companies in the EU operate primarily under the GDPR, the EU Data Act, the Data Governance Act and applicable sector-specific regimes.
General Data Protection Regulation
Under the GDPR, any sharing of personal data must comply with the principles of lawfulness, fairness, transparency, purpose limitation and data minimisation, and rely on a valid legal basis (consent, contract, legal obligation, or legitimate interests). Controllers must clearly inform users about what data is shared, with whom, and for what purposes and must implement appropriate security and accountability measures.
Special category data (health, biometric, or genetic data) are subject to strict conditions, enhanced safeguards, and typically require Data Protection Impact Assessments. Criminal offence data and children’s data attract additional protections under both EU and Portuguese law. In combined personal and non-personal data sets, the GDPR and the Data Act apply concurrently, requiring logical separation, purpose binding, role-based access controls and protection of trade secrets and confidential business information.
Data Act
The Data Act establishes a user-centric framework for data generated by connected products and related services. Users have the right to access such data and to instruct data holders to share them with third parties of their choice. The regulation also introduces pre-contractual transparency obligations and design duties for manufacturers and service providers.
Where a legal obligation to make data available exists under either EU or national law, business-to-business data sharing must occur on fair, reasonable and non-discriminatory terms, with restrictions on unfair contractual clauses and enhanced protections for Small and Medium Enterprises. For cloud and data processing services, the Data Act introduces a switching and interoperability regime, progressively removing switching charges, with full elimination by 12 January 2027.
Data Governance Act
The Data Governance Act complements this framework by regulating data intermediation services and the re-use of certain categories of protected public-sector data, with the objective of fostering trust in voluntary and cross-sector data sharing.
Sector-Specific Rules
Sector-specific rules (including healthcare, finance, energy, or electronic communications) may impose additional confidentiality, security, or notification obligations. Where IoT or machine-to-machine connectivity qualifies as an electronic communications service, ePrivacy-style secrecy of communications may apply to both content and metadata.
Provision of audiovisual media services (AVMS) in Portugal is subject to a set of requirements and procedures that must be met by television broadcast services, operators and distributors, video-sharing platform services and providers, as well as by on-demand audiovisual services and providers.
Television Broadcasting Services
According to Law no. 27/2007 (the Television Law), television broadcasting may only be pursued by companies with varying fixed minimum share capital and whose main corporate purpose is to carry out such activities. Television broadcasting services, operators and distributors, if subject to Portuguese jurisdiction according to Articles 2 and 28a of Directive no. 2010/13/EU, should be registered with the Entidade Reguladora para a Comunicação Social (ERC), the Portuguese Media Regulatory Authority.
Provision of television broadcasting services may be accessed by two means.
Licences and authorisations, which are non-transferable, are issued for a period of 15 years and are renewable for equal periods. Every five years, including upon renewals, the ERC conducts periodical assessments in order to ascertain compliance with the legal and regulatory preconditions of the licence or authorisation. The Television Law safeguards freedom of reception and retransmission from other EU Member States.
Video-Sharing Platform Services and On-Demand Audiovisual Services
Video-sharing platform services and on-demand audiovisual services are also within the scope of the Television Law, as amended by Law no. 74/2020, which transposes into national law Directive (EU) no. 2018/1808. However, they are not subject to the same requirements and procedures set forth above for television broadcasting services, thus benefitting from a considerably simpler regime.
Scope of Application of Electronic Communications Rules
The Electronic Communications Law (Law no. 16/2022) comprises the core regulatory framework for electronic communications networks and services in Portugal. The ECL applies to electronic communications networks and services, associated facilities and services, including:
Requirements Prior to Market Entry
As a rule, the provision of electronic communications networks and services does not depend on the prior granting of an individual licence from ANACOM. Instead, it is subject to the simpler general authorisation regime, which determines that undertakings intending to provide electronic communications networks or services must notify ANACOM before commencing their activity in Portugal. Following the notification, companies can start their activity immediately, while also becoming subject to the set of regulatory obligations associated with the general authorisation regime.
Notwithstanding the above, the use of radio frequencies and numbering resources remains subject to separate regulatory procedures, including the granting of individual rights of use if required.
Security Requirements
The ECL imposes extensive security obligations on providers of electronic communications networks and services, for safeguarding the integrity, availability and confidentiality of networks and services. ANACOM has supervisory and enforcement powers, including the power to define technical and organisational security requirements, issue binding instructions, require security audits, monitor compliance and adopt corrective or sanctioning measures.
ANACOM’s Regulation no. 303/2019, on the security and integrity of electronic communications networks and services, deepens these obligations and requires undertakings to:
Non-compliance with the security obligations set forth in the ECL and Regulation no. 303/2019 may result in administrative fines and, in cases of repeated infringements or serious negligence, operational restrictions or revocation of the right to operate. While these obligations are, in practice, still being enforced by ANACOM, they are expected to become formally revoked in the near future, per Decree-Law no. 125/2025. This framework sets out horizontal cybersecurity obligations and applies to providers of public electronic communications networks and services.
In Portugal, net neutrality is primarily governed by Regulation (EU) no. 2015/2120 on open internet access, which establishes that, as a rule, internet access providers must treat all traffic equally, without discrimination, restrictions or interferences, regardless of content, applications, services, end users or equipment.
In exceptional circumstances, providers are allowed to introduce measures not aligned with this principle to:
These rules aim to ensure competition in electronic communications and adjacent markets, strengthening end user protection and market transparency by limiting discriminatory traffic practices. However, they also impose significant constraints on providers by requiring ongoing investments in capacity planning, monitoring and auditable controls to justify any exceptional traffic management measures strictly on technical and legal grounds.
Overview
Emerging technologies such as 5G, IoT and AI are accelerating the convergence of electronic communications, digital services and data-driven business models, reshaping electronic communications services and networks. 5G provides the core connectivity layer enabling massive IoT deployments and low-latency communications, while AI increasingly supports network planning, management, optimisation and security.
In Portugal, as across the EU, this convergence has increased regulatory focus on network resilience, cybersecurity (with special focus on Decree-Law no. 125/2025 and the EU 5G Toolbox), infrastructure deployment, data and consumer protection, reflecting the growing strategic importance of electronic communications infrastructures.
Infrastructure and Connectivity
The deployment of and access to 5G and IoT-enabled physical infrastructures are governed by Regulation (EU) no. 2024/1309 (the Gigabit Infrastructure Act), which aims to accelerate fibre, backhaul and 5G networks by:
This framework operates alongside the national regime under Decree-Law no. 123/2009, which transposed Directive 2014/61/UE (the Broadband Cost Reduction Directive), and is expected to be amended soon.
AI in Telecommunications
The AI Act applies to AI systems used in electronic communications, particularly high-risk applications, introducing additional obligations on transparency, risk management and non-discrimination. Although no national implementing legislation has yet been adopted, the National Artificial Intelligence Agenda, approved by Resolution of the Council of Ministers no. 2/2026, anticipates increased computational demands and greater reliance on cloud and edge computing. This will have implications for network coverage and architecture, security and regulatory compliance, whilst increasing interdependence between telecommunications, cloud services and data infrastructures.
Cybersecurity
The NIS2 Directive, transposed into Portuguese law by Decree-Law no. 125/2025, also expands cybersecurity obligations for entities in the telecommunications and digital infrastructure sectors. Providers of electronic communications networks and services are classified as essential or important entities and must implement comprehensive risk management measures, report significant incidents to competent authorities and ensure supply chain security.
Practical Implications
Companies integrating 5G, IoT, and AI technologies must address a broad set of legal requirements, including spectrum licensing and usage conditions, network security and resilience, cybersecurity compliance, data protection, infrastructure access and territorial planning. Given the complexity and overlap of these regimes, an integrated legal and regulatory compliance approach from the outset is essential, namely to ensure that product and service development is aligned with this.
Technology Agreements: Main Challenges and Specificities
Organisations entering into technology agreements in Portugal face recurring challenges under the influence of European regulatory frameworks. Portugal does not have a single, standalone legal instrument for technology agreements; instead, these are governed by multiple overlapping legal regimes. These challenges encompass four main areas.
Regulated Industries and Greater Restrictions
Some regulated sectors in Portugal are subject to additional restrictions. For instance, banking and financial services are governed by Regulation (EU) 2022/2554 (the DORA Regulation), requiring comprehensive ICT risk management, resilience testing (including threat-led penetration testing), incident reporting, oversight of critical ICT third-party providers, including contractual rights to audit, data access and exit strategies.
Key Elements in Electronic Communications Services Agreements
Electronic communications services agreements in Portugal are shaped by key mandatory provisions under Law no. 16/2022, transposing the European Electronic Communications Code. Key elements to include are listed below.
Companies should closely monitor future legal developments, as the Digital Networks Act, which will replace the European Electronic Communications Code, proposed on 21 January 2026, may introduce relevant changes to the legal landscape in this regard.
Interconnection Agreements
In Portugal, interconnection agreements are mostly regulated by the ECL. Key considerations for companies entering interconnection agreements include:
Primary Legislation
The primary legislation governing trust services, electronic signatures, and digital identity in Portugal and across the EU is Regulation (EU) no. 910/2014 (the eIDAS Regulation), implemented nationally by Decree-Law no. 12/2021. This regime addresses the validity, effectiveness and probative value of electronic documents, recognition of electronic identification for natural and legal persons, and rules for the State Electronic Certification System (SCEE), based on public key infrastructure. Providers of qualified trust services are strictly liable for damages from non-compliance and must maintain sufficient insurance.
Data Protection
All processing and management of personal data is subject to the GDPR and Law no. 58/2019, ensuring secure processing, data minimisation, valid user consent and breach notification.
Legislative Developments
Legislative developments include Decree-Law no. 125/2025 and the eIDAS 2 Regulation, which updates the eIDAS Regulation framework for new digital identity solutions and expanded trust services. In short, the eIDAS 2 Regulation provides for:
Trusted Lists
The eIDAS Regulation and the eIDAS 2 Regulation require all Member States to establish, maintain and publish trusted lists, detailing qualified trust service providers and services. Commission Implementing Decision (EU) no. 2015/1505 sets the technical specifications and formats relating to these lists. In Portugal, the National Security Cabinet is the designated supervisory body responsible for the national trusted list.
The updated Portuguese trusted list issued on 27 January 2026 includes six active trust service providers:
Digital Identity Schemes
Portugal’s digital identity ecosystem is anchored by the eID Citizen Card and complemented by the Digital Mobile Key, Professional Attributes Certification System (SCAP), and ID.gov.pt wallet, with Autenticação.gov as the main electronic authentication and signature platform. These schemes ensure user control, data access, correction rights, and guarantee privacy and non-discrimination under both the Portuguese Constitution and the EU Charter.
Overview
In addition to being subject to sector-specific regimes where there are elements of gambling or betting, gaming activity is also subject to general legal regimes. Key regulatory instruments include:
While Portugal does not have a gaming-specific regulatory framework, Pan-European Game Information (PEGI) self-regulation is a voluntary, pan-European scheme widely used by Member States; it is not an EU “legal code” but an industry-led self-regulatory initiative.
Main Legal Challenges
Increasingly blurred boundary between gaming and gambling – the incorporation of specific features and monetisation models into games, particularly certain forms of loot boxes, continues to attract regulatory scrutiny, raising questions as to their possible alignment with gambling-like activities.
Gaming platforms with social functionalities – platforms that integrate social features face a growing set of regulatory and operational challenges, including content moderation obligations and the implementation of effective reporting arising from the Digital Services Act.
Intellectual property in digital and virtual environments – significant risks persist, notably in relation to piracy, unauthorised reproduction of assets and characters and the misuse of trademarks within virtual settings.
In-Game Purchases and Loot Boxes
In-game purchases may qualify as digital content or digital services and may therefore be subject to consumer protection rules on conformity, information duties and updates. Consumers are entitled to remedies such as repair, price reduction, or termination/refund in the event of non-conformity, in accordance with Decree-Law no. 84/2021.
Loot boxes present a particular challenge, where they involve payment, randomised outcomes and the attribution of a prize with economic value, they may fall within the concept of games of chance and thus be classified as gambling. In such cases, their offering is subject to licensing and regulatory requirements under Decree-Law no. 66/2015.
Age Ratings and Content Restrictions
In Portugal, video games carry age ratings overseen by IGAC and must be sold in line with that label (Decree-Law no. 23/2014). Online gambling and betting services, as well as content comparable to games of chance, are in principle restricted to individuals aged 18 and over, pursuant to Decree-Law no. 66/2015.
The legal requirements for game developers in terms of content restrictions require compliance with Portuguese criminal and civil law, particularly rules prohibiting illegal or harmful content and ensuring the protection of minors. For games with online or social features, developers may also be subject to the Digital Services Act, which sets obligations on the handling of illegal content and the safeguarding of minors, while consumer and gambling laws may further limit certain content and monetisation practices.
In Portugal, multiple authorities oversee gaming compliance:
These authorities have broad enforcement powers, including inspection and audit rights, the ability to order the suspension or modification of unlawful practices, the imposition of administrative fines and ancillary sanctions and, where applicable, the seizure of equipment or referral for criminal proceedings.
Recent Enforcement Actions
The SRIJ has taken enforcement action against unlicensed online gambling platforms operating without the required authorisation in Portugal.
IP Challenges Faced by Game Developers
Game developers face heightened IP exposure from piracy and unauthorised copying with rapid online and streaming distribution, disputes stemming from poorly scoped or mismanaged licences (including music, third-party characters and proprietary engines), and the complexity of enforcing rights across multiple jurisdictions with divergent copyright, trademark and software laws.
Legal Protection of IP in Virtual Environments
Portugal provides robust legal protection for game developers through the Copyright and Related Rights Code, which safeguards creative content and software. Game titles, branding, technologies and visual elements are protected by Decree-Law No. 252/94 on the legal protection of computer programs and the Industrial Property Code. Game developers hold copyright protection over the original digital assets they create, including character models, maps, animations and in-game environments. Developers may enforce these rights through measures such as court injunctions or claims for damages. Contractual arrangements are essential to ensure that IP ownership is clearly allocated and consolidated across all contributors.
Copyright Key Considerations in Digital and Virtual Assets
Game developers retain copyright over original digital assets and their protection depends on clear licensing arrangements, the use of Digital Rights Management (DRM) measures to prevent unauthorised use and careful consideration of virtual economy assets, whose legal treatment may vary according to their functionality and the applicable jurisdiction.
Trademark Laws for Virtual Goods and Services
Trademark protection covers brand identifiers such as names, logos and other distinctive signs used in games and related services. In Portugal, this may also apply to virtual goods, requiring developers to secure appropriate licences for virtual reproductions of real-world brands and increasingly to seek trademark registration specifically for use in virtual and metaverse contexts in order to safeguard their digital brand presence.
Implications of User-Generated Content
User-generated content such as mods, skins and custom levels raises IP challenges relating to the definition of ownership, the risk of third-party IP infringement and the monetisation of player-created content. To mitigate these risks, developers must rely on clear terms of service and licensing frameworks that allocate rights, regulate use and commercialisation, and enable effective control over infringing or unauthorised content within the game ecosystem.
Legal and Regulatory Framework
Although Portugal has no specific legal framework for social media, various key legal regimes impact these activities.
On the one hand, social media is subject to legislation on intermediary services, consumer protection, gambling and contractual clauses, specifically:
On the other hand, data protection, privacy and cybersecurity legislation are also key to social media activities, notably:
Finally, legislation on intellectual property and artificial intelligence may also play an important part when regulating social media activities, including:
Considering the increasing impact of social media consumption, particularly the widespread use of influencer marketing, self-regulation has been active in producing best practices frameworks, such as:
Key Legal Challenges
There is an increasing awareness regarding the protection of minors, namely in relation to data protection and privacy, age verification, content moderation, monetisation of user data, targeted advertising and profiling, and the potential mental health consequences regarding the use of AI algorithms of an addictive nature within social media software.
Control of disinformation and hate speech are still major concerns for social media platforms, especially in the context of content directed at minors, as well as during political campaigns and electoral periods. Enforcement of the DSA regarding online protection of minors, alongside risk assessment and mitigation of illegal content, is an ongoing challenge.
Following the European Parliament’s Report of 26 November 2025 advising EU Member States to limit social media use for minors under 16, these topics are expected to be under national discussion in the near future.
Supervision of the different legal and regulatory aspects of social media activities in Portugal is conducted by:
These authorities are empowered to:
Consumer associations also ensure close monitoring and enforcement of legislation applicable to social media activities, while being empowered to initiate class actions.
The Directorate-General for Consumers (DGC), the Food and Economic Safety Authority (ASAE) and the Gaming Regulation and Inspection Service (SRIJ) have been especially active in investigating and enforcing against illegal activities in the social media ecosystem, with a clear focus on influencer marketing and compliance with consumer protection legislation.
Regulatory Framework
In Portugal, electronic communication service providers operate under a layered framework that couples the GDPR and its national implementing law (Law no. 58/2019) with sector-specific rules arising from Law no. 41/2004 (transposing the ePrivacy Directive) and the ECL. General data-protection principles interact continuously with telecommunications-specific confidentiality and security duties.
The Portuguese Data Protection Authority (CNPD) supervises compliance with the GDPR, while the National Regulatory Authority (ANACOM) oversees telecom-specific obligations and related regulation, ensuring that network integrity and user-protection requirements dovetail with data-protection standards. Providers must uphold the confidentiality of communications, respect strict limits on processing traffic and location data, obtain prior consent for non-essential cookies and marketing, notify breaches and meet contractual and disclosure duties to end-users.
Operational Challenges
Operational challenges mirror EU norms but are amplified by the vast volumes of network data typical for telecom providers. Valid consent must be secured for some uses (such as analytics and marketing) beyond core service provision, while data-minimisation imperatives routinely collide with billing, fraud-prevention, and quality-of-service needs.
The effective execution of user rights (access, erasure, and portability) must function seamlessly across operational and business support systems, as well as multi-vendor ecosystems. This pressure has only increased as CNPD’s recent outreach and enforcement on unsolicited marketing and cookies signal heightened scrutiny of consent and transparency controls.
Cross-Border Transfers
Cross-border transfers must comply with the GDPR by deploying approved mechanisms (notably the modernised standard contractual clauses) and performing transfer-impact assessments. CNPD directs controllers to the European Commission’s updated clauses while monitoring third-country risks. Telecom operators typically combine rigorous vendor due diligence with strong encryption and data-at-rest segregation – particularly where cloud hosting or global network operation centres are involved – to keep residual risks within tolerable bounds.
Lawful Interception and Data Retention
Lawful access obligations are framed both by criminal procedure and Cybercrime Law and by the evolving data-retention regime, which was recalibrated through the approval of Law no. 18/2024 to narrow retention and reinforce judicial oversight. In practice, providers must engineer interception and retention capabilities that remain strictly bounded by necessity and proportionality and are activated only pursuant to judicially authorised access.
Third-Party Vendors and Cloud Service Providers
Because third-party processors and cloud vendors are integral to Portuguese telecom networks – from virtualisation layers to CRM and billing – GDPR-compliant frameworks must be underpinned by detailed data processing agreements with sub-processor flow-downs and audit rights. The sector-specific security and integrity regime (which will be revised following the approval of Decree-Law no. 125/2025, transposing the NIS2 Directive) imposes incident-reporting duties, security-policy obligations, permanent contact points and disclosures where incidents significantly impact services. These contractual and regulatory levers shape architectural choices for 5G, edge deployments and data-residency patterns.
Impact of Evolving Regulations
With NIS2 now transposed, the governance, risk-management, supply-chain and incident-reporting expectations for “essential” and “important” entities (categories that typically capture major telecom operators) have expanded significantly. This requires commensurate updates to contracting frameworks and to board-level oversight and accountability.
Primary Challenges
For Portuguese digital media and streaming services, the privacy and security baselines are set by the legislation outlined above. Primary challenges include consent orchestration across devices, reconciling minimisation with personalisation, and providing granular user controls and rights workflows at scale. CNPD's public focus on unsolicited communications and cookies signals enforcement risk for ad-tech implementations and may imply changes in the near future.
Privacy-by-Design and Security-by-Design
Privacy-by-design and security-by-design are operationalised via data protection impact assessment for new tracking or profiling features, default-off settings for non-essential cookies, strict purpose scoping, data mapping of events and identifiers, and pseudonymisation. Security controls should reflect GDPR requirements and sector security duties, including:
Where platforms rely on content delivery networks (CDNs), cloud, or analytics, controllers must implement processor screening, SCCs/transfer assessments where relevant, and maintain audit and deletion routines.
Third-Party Data Sharing
Third-party sharing with advertisers, analytics and CDN partners creates role-allocation complexity (controller/processor/joint controller). Contracts must embed GDPR terms, sub-processor flow-downs and clear bans on own-use of data, with technical mitigations such as server-side tagging, IP truncation, event-level hashing and access minimisation. Transparency layers should comply with Law no. 41/2004 and provide easy opt-outs and preference centres.
Impact of Emerging Cybersecurity Regulations
Portugal has recently updated its framework via the approval of Decree-Law no. 125/2025. Many streaming platforms fall within “digital providers” or other covered categories, triggering governance, risk management, supply chain and incident-reporting duties overseen by the National Cybersecurity Centre (CNCS).
Where operators also qualify as providers of electronic communications services or networks (thus being considered essential entities), ANACOM's integrity/security regime adds notification and policy duties, which are also covered under Decree-Law no. 125/2025.
Technology agreements should therefore allocate NIS2-aligned controls, notification timelines, cooperation, audit and liability, and reference CNCS guidance, which will be approved in 2026. Aligning these with GDPR breach-notification and processor obligations helps avoid duplicative workflows and inconsistent timelines.
28 Rua Dom Luís I
1200-151 Lisboa
Portugal
(+351) 213113400
(+351) 213548939
vieiradealmeida@vda.pt www.vda.pt