The year 2024 marked a significant milestone for the fintech industry with the full implementation of Regulation (EU) 2023/1114 of the European Parliament and the Council of 31 May 2023, commonly known as the “MiCA Regulation”. This regulation, which fully came into force in December 2024, established a comprehensive legal framework for markets in crypto-assets. It now governs issuers of crypto-assets that were previously unregulated under other EU financial services laws, as well as crypto-asset service providers dealing with e-money tokens and asset-referenced tokens.

The primary aim of MiCA is to provide legal clarity for crypto-asset issuers and providers, fostering innovation while ensuring financial stability and protecting investors from associated risks.

Alongside MiCA, another key regulatory development is the Digital Operational Resilience Act (“DORA”), which came into force on 17 January 2025. DORA (Regulation EU 2022/2554) mandates that financial institutions, including credit institutions, payment services, and electronic money providers, must build resilient internal security networks and systems capable of withstanding and recovering from disruptions, particularly those related to information and communication technologies (ICT).

Until 2024, the Bank of Portugal was responsible for overseeing anti-money laundering (AML) and counter-terrorism financing (CTF) activities, as well as supervising entities engaged in virtual asset activities, as outlined in Law No 83/2017. However, one of the main changes expected in 2025 is the creation of national legislation to implement MiCA, as well as the designation of a competent authority for receiving and assessing applications for authorisation to provide crypto-asset services.

For entities already registered with the Bank of Portugal to conduct activities with virtual assets, MiCA’s new requirements will present challenges. These entities may continue their operations during the transitional period until 1 July 2026, although Portugal has yet to issue the domestic regulations required to fully regulate MiCA’s implementation. It is important to note that each EU Member State may opt for a shorter transitional period. Regardless of this, companies previously registered with the Bank of Portugal must seek MiCA authorisation to ensure full compliance within the defined timelines.

MiCA’s rigorous requirements are expected to strengthen the crypto market by filtering out providers lacking solid foundations, thereby creating a more stable and transparent ecosystem that appeals to established financial institutions.

In terms of technological integration, the MiCA regulation’s transparency and consumer protection provisions are likely to encourage fintech companies in Portugal to adopt advanced technologies, including artificial intelligence (AI). AI will play a crucial role in enhancing compliance, risk management, and customer service, facilitating the digital transformation of the sector. AI is already pivotal in the global fintech landscape and is set to continue driving transformative changes in Portugal, particularly in banking digitalisation, fraud prevention, risk management, and Insurtech applications.

Portuguese fintechs are a varied group of ventures. Fintech verticals in Portugal include payment services, neobanks, capital raising instruments, lending platforms, bank account aggregators, personal finance apps, crowdfunding platforms and insurance providers. Established legacy players are also present in investing, developing or promoting fintechs. The largest number of players follow a business-to-business model.

There is no general provision regulating the fintech industry in Portugal. The applicable regulatory framework is dispersed and depends on the client’s business model, sector and type of their/its clientele. Despite a case-by-case assessment being imperative, it is generally possible to identify the main regulatory framework that will likely apply to new fintechs:

• Decree-Law No 486/99 of 13 November establishes the Portuguese Securities Code, which sets the core rules regarding securities and is part of the main legal framework of Portugal’s financial sector;
• Decree-Law No 298/92 of 31 December establishes the Portuguese Legal Framework of Credit Institutions and Financial Companies;
• Law No 102/2015 of 24 August establishes the Crowdfunding Financing Act, which closely follows the provisions set by Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers for business, and lays down uniform requirements for the provision of crowdfunding services, for the organisation, authorisation and supervision of crowdfunding service providers, for the operation of crowdfunding platforms as well as for transparency and marketing communications about the provision of crowdfunding services in the EU;
• Law No 83/2017 of 18 August establishes the Combat Measures for Anti-Money Laundering and Terrorism Financing Act, which serves as a general framework for all fintechs on what concerns their anti-money laundering (AML) obligations as well as the implementation of “Know Your Customer” (KYC) provisions (“AML Act”);
• Decree-Law No 91/2018 of 12 November establishes the Payment Services and E-money Act;
• Decree-Law No 27/2023 of 28 April establishes the legal framework for asset management, which establishes the general framework for asset management companies and different types of collective investment organisations (including funds) (“Asset Management Regime”);
• Consumer Protection Acts also apply when dealing with consumers (including the Distance and Off-Premises Law (Decree-Law No 24/2014); the E-commerce Law (Decree-Law No 7/2004); the Digital Goods, Content and Services Law (Decree-Law No 84/2021); and the General Contractual Clauses Law (Decree-Law No 446/85));
• the General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (GDPR), is directly applicable in Portugal;
• the MiCA regulation came into effect in June 2023 and is fully enforceable in Portugal from 30 December 2024. However, the Portuguese Government has not yet enacted the domestic legislation required to regulate MiCA’s implementation in Portugal or designated the authority responsible for supervising, receiving, and assessing applications for the authorisation of crypto-asset service providers; and
• Regulation (EU) 2022/2554 on digital operational resilience for the financial sector – Digital Operational Resilience Act (DORA).

The above-mentioned Acts are the foundational framework applicable to most fintechs. Other provisions and regulations may apply, and any entrepreneur in this sector must comply with the ordinances issued by regulators and supervisory authorities that are regularly enacted in light of ongoing developments in sectorial practices. In addition to local laws, regulations and ordinances, EU frameworks also extensively regulate fintech activities.

The Portuguese legal framework does not provide pre-established compensation models or mechanisms for fintechs. Compensation schemes will largely depend on the type of business or project being developed, applicable regulations and type of clients. Rules applicable generally stem from the Market in Financial Instruments Directive II (“MiFID II”).

The compensation models for a fintech project will usually be designed using a commission, fee, or interest loan model.

Under the commission model, the industry participant will draw compensation from the subscription or closing of the position of a specific product. Under a fee-based model, the industry participant will collect a fee (fixed or variable) for rendering a specific product or service.

The particulars of each commission or fee model will largely depend on the regulatory landscape covering a given business activity, which, in some cases, may need to be segregated into different vehicles to obtain the practical effect desired by the industry participant.

For example, asset management and investment fund companies can draw commissions as established in their management rules. Still, they will not be allowed to charge a commission when a specific fund invests in other funds that the managing company of the fund controls.

In the context of payment and e-money institutions, there is the possibility of granting loans so long as they are associated with and exclusively granted for the sole purpose of the payment operation requested by the user and so long as the loan is reimbursed within 12 months. In such cases, the payment or e-money institution must ensure that the user disposes of sufficient funds under the ordinances issued by the Bank of Portugal. 

The main rule to be followed is that the compensation model deployed by an industry participant needs to be transparent, proportionate, explained in detail to the customers or users, and designed so that no conflict of interest arises from its application. Compensation model disclosure must occur before entering a contract or transaction (as applicable).

There are no main differences between the regulation of fintech industry participants and legacy players. The Portuguese legislature has significantly narrowed the previous legal framework asymmetry between fintech and legacy players by mirroring its EU counterparts and adopting the “same activity, same risks, same rules” principle.

In practical terms, the convergence between the applicable legal framework set for legacy players and that for fintech industry participants has translated into higher entry costs to “new players” but, at the same time has provided much-needed legal security when deploying a new financial solution in the market.

Legacy players are expected to have an initial advantage when digging into the fintech space, considering the need to comply with tighter and heftier compliance, supervision and regulatory obligations. However, if they are able to overcome the regulatory burden set by the national and EU regulations, new players will often enjoy more flexible management and a swifter decision-making process, allowing them to develop and deploy new solutions to address market needs that are “off the radar” of legacy players. In some cases, some regulatory exemptions will apply, which may render the development of a fintech project substantially easier.

In 2021, the Portuguese Government enacted general principles for creating and regulating Technological Free Zones, which could lead to the creation of regulatory sandboxes. Nonetheless, there is no particular regulatory sandbox in Portugal for fintech projects. This means that most industry participants must comply in part or in full with applicable regulations (some of which are listed in 2.2 Regulatory Regime).

In 2018, the Portuguese regulators created an innovation hub named the “Portugal FinLab”, opening a communication channel with new players in the fintech industry. The three main regulators participating in the FinLab are Autoridade de Supervisão de Seguros e Fundos de Pensões (“Insurance and Pension Funds Supervisory Authority”), Banco de Portugal (“Bank of Portugal”) and CMVM (“Portuguese Securities Market Commission”), which are usually the three leading independent regulators in the Portuguese jurisdiction.

Portugal FinLab’s purpose is to provide a communication channel between the regulators that allows start-ups and new players to navigate the complexity of the legal framework. However, it is not a sandbox facilitator. The only sandbox regime applicable is the DLT Pilot Regime, but it is not domestic in nature.

In 2023, CMVM launched a new sandbox initiative called “The Sandbox Market4Growth”. This initiative marks a strategic step towards a more dynamic, adaptable, and inclusive financial ecosystem by enabling companies to simulate fundraising through stock and bond issuance or venture capital investment. The simulator is available to domestic and foreign companies seeking access to the Portuguese capital markets. One of the main goals of Sandbox Market4Growth is to promote financial inclusion, encourage the creation of accessible and efficient financial services, and support the competitiveness of Portugal’s finance industry by fostering a culture of innovation and adaptability.

Four main national regulators have jurisdiction over industry participants, each with a specific field of jurisdiction:

• The Bank of Portugal acts as the Portuguese Central Bank and is therefore integrated into the European System of Central Banks under the European Central Bank. It is tasked with monitoring and supervising financial, payment, and e-money institutions, as well as with virtual asset provider authorisations.
• CMVM oversees the offerings of securities and financial asset management companies and advisory in Portugal. The competent authority is to issue an authorisation to engage in crowdfunding activities. Regarding crowdfunding, CMVM may also request technical opinions from the Bank of Portugal.
• The Insurance and Pension Funds Supervisory Authority is the supervisor with jurisdiction to oversee the insurance and pension fund markets.
• The National Data Protection Commission (Comissão Nacional de Proteção de Dados) is the Portuguese public authority that supervises data processing by all public and private entities in Portugal.

Participants may fall under the scope of one or more regulators depending on the nature of the project to be developed.

As Portugal has not yet adopted domestic regulation to implement and enforce the MiCA Regulation, the authority responsible for authorising and supervising crypto-asset service providers, as well as overseeing MiCA’s transitional regime and its terms, has yet to be determined.

In Portugal, regulators such as CMVM do not typically issue “no-action” letters in the same way regulatory entities might issue them in some other jurisdictions.

However, Portuguese regulators may provide informal guidance or clarifications regarding the application of existing regulations to specific cases, often through official statements, or written opinions.

Entities seeking regulatory clarification may approach the CMVM or other relevant authorities for such guidance, though these are not formally recognised as “no-action” letters.

Unregulated functions can be mostly outsourced at will. By contrast, regulated functions are required, in certain instances, to be disclosed to the competent regulator and must follow a particular set of rules. As a rule, both the nature and extent of the outsourcing must always be contractually defined and notified.

The European Banking Authority’s revised Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) are applicable to fintechs operating under MiFID II rules, as well as to credit institutions, payment service providers, and electronic money institutions. In May 2020, the Bank of Portugal issued a Circular Letter establishing that such regulations are applicable. Later on, in 2023, a Bank of Portugal Notice established a specific framework for the registration of outsourcing agreements, requiring participants to maintain a complete and permanently updated register of all subcontracting agreements, including the functions subcontracted to intragroup service providers, and to provide notice to the Bank of Portugal of any intention to subcontract an essential function with a minimum of 15 days’ notice.

From a contractual perspective, matters covered in outsourcing agreements will include service level standards, business continuity, liability allocation, data protection, client risk management, protection of assets or funds if custody is transferred, AML compliance and use or licensing of IP rights.

From an employment law perspective, restrictions apply to outsourcing functions to an ex-employee who was terminated during the previous 12 months. Portugal also has the transfer of undertaking rules that may impact outsourcing arrangements.

There is no legal concept of gatekeeper nor a specific liability regime for fintechs. Therefore, the characterisation or imposition of a service provider to act as a gatekeeper varies. Different market participants may be subject to distinct types of liability or scrutiny by regulators depending on the effective role played. In particular, obligations to report suspected money laundering activities apply across most sub-industries of fintech.       

Portuguese regulators may often deploy routine inspections and audits to legacy and fintech participants. Depending on the seriousness of any breach found by the regulator, different penalties may apply, ranging from a mere administrative notice to hefty fines and, finally, to licence or authorisation suspension or revocation.

Upon finding a breach of the compliance of regulatory provisions by the regulator, the outcome of the proceeding may be settled between the fintech participant and the regulator or disputed administratively and, upon conclusion, argued in the competent court. All supervisors have official websites where the fines imposed, and the results of enforcement actions can be accessed.

Several non-financial regulations may apply to fintechs.

Considering the scope of the activities developed by many fintech industry participants, the DORA Regulation, which fully entered into force on 17 January 2025, may also apply. This regulation imposes the requirement to implement security measures to protect ICT systems in use.

GDPR will likely apply as many fintechs process personal data as part of their business model. The Portuguese supervisory authority is the National Data Protection Commission.

MiCA requires crypto-asset service providers to comply with the GDPR. This applies to all published information, including data made available on their websites.

In addition, MiCA sets specific requirements for publications and marketing communications, including those on social media. Service providers must ensure compliance with these standards and take measures to prevent the dissemination of false or misleading information in crypto-asset white papers, as well as fraudulent or scam practices.

Under Law No 46/2018 of 13 August, which transposed the EU Network and Information Systems (NIS) Directive (2016/1148) into the domestic legal framework, fintech participants are required to have robust security measures in place against cyber threats. Encryption, access control, incident response, disaster recovery, and business continuity plans are essential contingencies that require implemented measures.

Besides regulators, fintech industry participants often use two types of audits, namely internal and external audits.

Internal audits are a series of procedures to ensure activities comply with regulations. In most instances, fintechs must disclose the content of their internal organisational mechanisms to the supervisory regulator before initiating activities. It is customary to hire external auditors to test and assess whether the previously established compliance mechanisms are up to par with provisions and regulations in force or need adjustments.

Considering that the violation of regulatory rules could result in hefty fines, fintech industry participants prefer to either outsource part of their financial or non-financial obligations to third parties or hire third-party private auditors to ensure they comply with their obligations.       

Industry participants may generally offer “regulated” and “unregulated” services unless otherwise provided. The issue of providing “regulated” and “unregulated” services was broadly seen as an issue before the development of proper regulations regarding virtual assets, which, for an extended period, could have been considered unregulated assets. With supervisors catching up with these new types of assets or services, one can argue that most activities are now regulated and that every product or service is likely to fall under the scope of some regulation.

In practical terms, fintech industry participants may be forced to undergo several different but parallel types of licensing, which, in many cases, will be independent of one another but deeply intertwined. For instance, fintechs wishing to deploy exchanges where crypto-to-fiat operations occur and associated payment services are provided may be requested by the supervisory authority to segregate these activities to mitigate the potential risks and conflicts of interest. In such cases, the solution may involve the creation of two separate legal entities covering each specific activity.

Most fintech companies must deploy AML and KYC internal provisions to get their licences and conduct their activities under the scope of the AML Act, which contemplates several duties, such as establishing policies and control procedures to identify money laundering risks.

The AML Act also forces fintech projects to identify their users through KYC procedures before engaging in a business relationship, establishing transactions of EUR15,000 or above, or dealing with virtual assets of EUR1,000 or above.

MiCA requires crypto-asset service providers to implement robust AML measures. This includes verifying user identities (KYC), monitoring transactions, and assessing the source of funds. Providers must also conduct enhanced due diligence when dealing with customers and financial institutions from high-risk third countries.

Fintechs should be able to refuse service to non-compliant customers or if they suspect services or products might be utilised in money-laundering activities or connected with the financing of terrorist organisations. When deploying their AML/KYC policies, fintechs must be ready to deploy sophisticated systems to control, monitor and identify possible money-laundering activities, swiftly notify the competent authorities, and collaborate with them when requested.

In practical terms, some of the duties of customer identification can be outsourced to third parties.       

Portugal’s AML framework, including Law No 83/2017 of 18 August, complies with FATF standards and requirements. As a member of FATF since 1991, Portugal enforces measures such as customer due diligence, transaction monitoring, and reporting of suspicious activities, aligning with FATF recommendations and EU regulations.

In accordance with Recitals 85 and 111 and Article 42 of MiFID II, as well as Article 314-D of the Portuguese Securities Code, Portugal allows the provision of regulated products and services from another jurisdiction under a reverse solicitation basis. This can be done without establishing a branch or obtaining authorisation from the CMVM, as long as the service is provided solely at the client’s initiative. The arrangement must not involve solicitation, promotion aimed at specific client categories, or targeted advertising encouraging particular investors to acquire a specific investment, with or without ancillary services.

There is no specific law regulating the services provided by robo-advisers. Therefore, they are likely considered to fall under the definition of order execution, investment advisory services or portfolio management. Usually, robo-advisers are used for trading in traditional securities, such as shares, bonds, exchange-traded funds, and other financial instruments regulated under the Portuguese Securities Code and other ordinances issued by the CMVM. Fintechs operating under this model will also be subject to MiFID II rules.

Fintech companies looking to deploy robo-advisers that trade both financial instruments and virtual assets will need to obtain a hybrid license. In Portugal, the Bank of Portugal is the competent authority responsible for authorising activities related to the custody of virtual assets. The Comissão do Mercado de Valores Mobiliários (CMVM) regulates activities involving security tokens. While the compliance requirements for different asset classes may have some similarities, distinct regulatory frameworks will apply based on the specific nature of the assets involved.

Legacy players such as banks and fund management institutions have been paying close attention to robo-advisers. New solutions are expected to be developed in the future, considering the advantages they bring from a mass investment perspective and the ability to capture many retail investors. In Portugal, Best Bank is one of the retail banks offering a robo-adviser-based solution for investment in financial instruments. Open Bank, another retail bank, offers a digital investment service that provides personalised investment advice and portfolio management.

In the event that robo-adviser services fall under the scope of MiFID II, “best execution” obligations require participants to take all sufficient steps to obtain the best possible result for clients.

Lending is an activity reserved for authorised credit and financial institutions, regardless of the type of borrower. In general, authorisation by the Bank of Portugal is required to grant loans as it is deemed a banking activity. Some forms of peer-to-peer lending would fall within the concept of crowdfunding and be regulated by the CMVM.

Depending on the type of loan, such as a consumer or asset-backed loan, rules vary in relation to certain criteria such as effort rates, interest rates and maturity date.

Consumer loans are regulated by Decree-Law No 133/2009 of 2 June in line with Directive 2008/48/EC of the European Parliament and the Council of 23 April 2008. The Law on Distance Contracting of Financial Services would also apply. In most cases, a consumer can cancel a loan agreement within 14 days.

For mortgage-backed loans, the general provisions are provided by Decree-Law No 74-A/2017 of 23 June, which transposes Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property. Under the above-mentioned provisions, lenders must refrain from unfair and misleading advertising practices and must present adequate information on the conditions of the loans being offered to the consumer.

Micro- and short-term loans are also allowed for payment, and e-money institutions are allowed, provided that the creditors meet some criteria and conditions.

Lending institutions manage the underwriting process until a loan agreement is concluded. This process entails assessing the borrower’s creditworthiness, conducting credit rating checks, and utilising internal risk classification procedures and external credit assessments. The type of collateral provided also has a bearing on the approval process. Each Portuguese bank usually has its own set of underwriting criteria. Additionally, all lenders are subject to AML obligations under Law No 83/2017 of 18 August.

The regulatory landscape governing credit checks on consumers, particularly for consumer real estate loans, is multifaceted. The Consumer Credit Directive (2008/48/EC), incorporated into Portuguese law, is the cornerstone for overseeing all consumer loan agreements. However, the evolving nature of financial transactions necessitates ongoing updates to regulatory frameworks.

Moreover, real estate-backed loans are subject to additional stringent regulations under the Mortgage Credit Directive (2014/17/EU), which is also transposed into Portuguese law. These regulations encompass various aspects, including advertising, contractual information dissemination and rigorous credit checks. The overarching goal is safeguarding consumers’ interests and ensuring responsible lending practices within the real estate sector.

The traditional Portuguese lending market relies on deposit-based solutions involving a banking licence. From a commercial perspective, legacy players such as banks and credit institutions are in a position to draw funding from deposits. They are usually backed by solid human and technological resources, allowing those players to collect deposits, enter into inter-bank lending, and issue debt and securitisations.

Specialised lending organisations, such as retail credit firms, have various avenues to secure funds for their lending operations. They can raise capital through securitisation or borrowing from other investors or institutions. Additionally, they may utilise peer-to-peer lending platforms, such as crowdfunding service providers, to access funds.

Peer-to-peer lending platforms will allow investors’ funds to be sourced.

Syndicated loans involve several parties, and complex documentation is mostly used for acquisitions or in the context of restructuring. Therefore, loan syndication is reserved for the largest transactions, falling outside most fintech players’ market scope and practice. Typically, the most significant financing contracts are conducted outside of online platforms, contributing to the country’s limited occurrence of loan syndication.

Payment rails represent the digital infrastructure, facilitating cashless transactions by transferring funds from a payer to a payee. Payment processors have the flexibility to select their preferred payment rail. However, certain fixed transaction systems have become established within traditional account-based payment systems.

For instance, within the Single Euro Payments Area (SEPA), bank transfers occur through the SEPA Instant Transfer Scheme, facilitating transfers between bank accounts. Faster Payments’ “Instant Payment” rail allows swift bank-to-bank transfers, a component of the European SEPA system widely supported by banks and savings banks in Portugal. This service operates round the clock, enabling users to execute transfers promptly.

Additionally, payments can be initiated via the SWIFT network to any member bank worldwide.

Modern payment methods diverge from conventional networks, enabling direct peer-to-peer transfers without intermediary financial institutions. This innovation allows users to transfer funds between accounts, bypassing traditional banking systems seamlessly.

It should be noted that although there is no legal impediment to developing and using alternative payment rails, the payment service scene in Portugal is highly dominated by SIBS, which holds control over the ATM network and is considered one of the most advanced systems in the world.

Payment transactions are governed by the EU Payment Services Directives, adopted into Portuguese law through Decree-Law No 91/2018 of 12 November, and fall within the jurisdiction of the Bank of Portugal.

As an EU member state, Portugal falls under the geographical influence set by the SEPA Regulation (Regulation (EU) No 260/2012), which outlines the SEPA, crucial in facilitating seamless cross-border money transfers. For instance, the regulation prohibits companies from rejecting cross-border direct debits, commonly called “IBAN discrimination”, by mandating acceptance of all EU payment accounts reachable through SEPA mandates.

Non-regulatory rules regarding cross-border payments and currency remittance usually stem from AML and anti-tax fraud concerns, with mandatory documenting and reporting required. Portugal transposed Directive (EU) 2020/284 (regarding introducing certain requirements for payment service providers), imposing additional requirements on payment service providers to maintain records for three years.

Additionally, EU Regulation 2021/1230 of 14 July 2021 establishes the rules for cross-border payments and the transparency of currency conversion charges within the EU.

The regulation applicable to financial assets trading platforms derives from MiFID II rules.

Euronext Lisbon, the only stock exchange in Portugal, is the most prominent trading ground for shares and other securities. Securities trading platforms are supervised by CMVM, ensuring compliance with transparency and market integrity standards.

Multilateral trading facilities (MTFs) are also regulated under Portuguese law and constitute alternative trading platforms enabling securities trading beyond conventional stock exchanges. MTFs are subject to the CMVM’s supervision and offer more adaptable trading conditions at lower costs. The only MTFs in operation in Portugal are Euronext Growth and Euronext Access, both managed by the Euronext group.

Organised trading platforms (OTFs) specialise in trading specific securities such as derivatives and have stricter regulations than MTFs. They must satisfy transparency and market integrity criteria while ensuring the absence of conflicts of interest influencing trade execution.

The new EU DLT Pilot Regime offers the opportunity to develop new types of platforms. Nevertheless, the novelty of this new legal framework has yet to be put to the test in the Portuguese jurisdiction, despite domestic legislation already having been enacted to allow its implementation under Decree-Law No 66/2023 of 8 August.

Finally, crypto exchange platforms can also be considered a regulated marketplace. See 6.3. Impact of the Emergence of Cryptocurrency Exchanges for more details.

Different asset classes will have different regulations and, in some cases, fall under the supervision of different regulators. Financial instruments typically fall under the scope of MiFID II, and fintech operators operating marketplaces are supervised by the CMVM. Virtual assets, if qualified as securities, will fall under the jurisdiction of the CMVM and are regulated by the DLT Pilot Regime and recently enacted domestic regulations. At the same time, fintech operators may require authorisation from the Bank of Portugal to operate as virtual asset service providers if non-security virtual assets are traded.

Hypothetically, depending on the virtual asset admitted to trading in the marketplace, a virtual asset service provider (VASP) licence may be required (issued by the Bank of Portugal) in addition to the enrolment of the exchange with the CMVM.

As of December 2024, the MiCA Regulation is fully in force, establishing a comprehensive framework for crypto-assets within the EU. MiCA governs the issuance, public offering, and admission to trading of crypto-assets, including asset-referenced tokens and e-money tokens.

Additionally, it sets out requirements for offerors and entities seeking to admit other crypto-assets to trading that do not qualify as asset-referenced or e-money tokens. The regulation also establishes rules for the provision of services related to crypto-assets. Portugal has not yet designated the authority responsible for supervising, receiving and assessing applications for the authorisation of crypto-asset service providers.

Regardless of their level of centralisation, cryptocurrency exchanges must always secure a VASP licence from the Bank of Portugal to conduct their activities. A VASP licence focuses on the KYC and AML screening aspects of the fintech operator, in line with Portugal’s transposition of the 5th AML Directive (2018/843), as set forth by the AML Act. However, at the time of writing of the present guide, one should be aware that since 30 December of 2024, the Bank of Portugal stopped licensing any VASP because the Portuguese Government failed to produce the domestic regulations needed to ensure its jurisdiction and competencies to supervise this sector.

The emergence of cryptocurrency exchanges has not yet impacted current domestic regulations. Still, it has drawn the attention of Portuguese supervisors. CMVM determined that, depending on the characteristics and features of a given virtual asset, it may fall under the concept of a financial instrument and, therefore, trading or issuance of such assets is under its supervision.

There are no specific listing requirements applicable to fintech companies. All trading platforms are required to have public, transparent, and non-discriminatory rules based on objective criteria that ensure the good functioning of the trading platform.

The Portuguese Securities Code governs listing requirements in a Portuguese-regulated market, regulations and instructions approved by the CMVM, and Euronext’s Rule Books and Notices. The MiFID II rules also govern listing, the Prospectus Regulation (2017/1129/EU), the Market Abuse Regulation (596/2014/EU) and the Transparency Directive (2004/109/EC) (as amended).

MiFID II dictates order handling rules, and the CMVM imposes the “best execution” principle on any financial administrator. Orders should be executed at the moment indicated by the client. When the client has not provided specific instructions, the financial intermediary must try to obtain the best possible result for the client, attending to several criteria such as price, costs, speed, the likelihood of execution and liquidation, or another pre-established factor in the EU legislation.

An intermediary will be required to inform the client beforehand of its execution policy, and any change in the execution of the orders must be communicated in advance. An intermediary may partially execute orders unless the client orders against it.

Peer-to-peer platforms have been increasing in numbers, and the crowdfunding market can be described as having gone beyond proof of concept. Both new players and legacy institutions have manifested some interest in this new type of platform, which grants investors access to several markets encompassing real estate, socially responsible investments, SMEs, etc.

The level of legal sophistication applied in developing such platforms varies depending on the type of investments offered to the public. For example, it is possible to find a solution in the Portuguese market where a crowdfunding platform has opted to create hybrid solutions by going through several types of licences, such as payment, crowdfunding, and insurance licences. In contrast, others opt for a more modest approach to retain a crowdfunding licence.

The ability to pass the crowdfunding licence to other EU member states, allowing new investment opportunities to different markets, has spiked the interest of some newly established players and legacy institutions.

Please see 6.5 Order Handling Rules.

Financial intermediaries must select their trading and execution venue based on a “best execution” policy and provide their clients with information on costs and expenses per service and financial instrument.

Additionally, inducement rules prohibit firms from paying or receiving benefits from third parties, with a few exceptions. Specifically, firms may accept payments or inducements if they are necessary to provide services that enhance the quality of those services. However, this is only permitted if the amount is clearly disclosed to the client in advance and does not compromise the investment firm’s obligation to act honestly, fairly, and professionally in the best interests of its clients.

The EU Regulation 596/2014 plays a key role in preventing market abuse within financial markets and trading activities.

High-frequency and algorithmic trading (HFAT) is allowed under the Portuguese Securities Code, bringing significant benefits to the market, such as increased speed of orders, increased market liquidity and reduction of bid-ask spreads.

However, there are also some risks associated with HFAT, such as:

• increased risk of market abuse and manipulation;
• protection issues for small investors;
• volatility and operational risks; and
• market fragmentation.

The general legal framework for HFAT is set out in MiFID II, and the Portuguese Securities Code, which stipulates that all financial intermediaries deploying such systems must keep registries of all placed orders, including cancellations, which must be immediately made available to the CMVM upon request.

Before initiating HFAT operations, any intermediary must communicate this intention to the CMVM and must provide the following:

• information about investment strategy;
• detailed information about the system metrics and limits;
• detailed information about security measures to avoid faulty orders; and
• detailed information proving that the system does not create a risk of market manipulation or abuse.

A financial intermediary can operate as a market maker through algorithmic trading provided it has informed the CMVM. Still, it must ensure that the market-making activity is conducted continuously during the platform’s negotiation period and that market liquidity is periodically and predictably.

A written agreement must be entered into with the trading platform establishing the conditions regarding how the liquidity and continuity of the market activity are to be ensured.

Additionally, security and control systems must be designed and put in place, allowing the monitoring of whether the conditions set out in the agreement entered into by the market makers and the platform are being consistently fulfilled.

No distinction is made between funds and dealers engaged in these activities in the Portuguese jurisdiction.

The Portuguese legislation closely follows Commission Delegated Regulation (EU) 2017/589, delineating the regulatory technical standards that are the organisational requisites for investment firms involved in algorithmic trading. As per these standards, an investment firm must ensure it has an adequate workforce equipped with the requisite skills and technical proficiency to oversee:

• the pertinent trading systems and algorithms;
• the monitoring and testing of those systems and algorithms;
• the trading strategies implemented through those trading systems and algorithms; and
• compliance with its legal obligations.

The investment firm bears full responsibility for its regulatory obligations, even in outsourcing or procuring software or hardware utilised in algorithmic trading activities. It is worth noting that these regulations do not directly apply to programmers responsible for developing or creating trading algorithms or other electronic trading tools.

The insurance industry uses several underwriting processes, which will significantly depend on the type of business model developed by the industry participant.

It should be noted that insurance activity is regulated in Portugal under Law No 147/2015 of 9 September and that various types of authorisations are available under this legal framework depending on the intended business model.

Most fintechs in insurtech operate brokerage models where data collection is remitted to a regulated insurance company, which will then apply its internal risk analysis methodology depending on the type of policy requested by the client. Insurance intermediation is also regulated in Portugal, governed by Law No 7/2019 of 16 January.

In Portugal, there are several types of insurance, some mandatory by law or contract. As examples of mandatory insurance in Portugal, one can point out the following:

• work hazard insurance;
• service hazard insurance;
• personal accident insurance;
• assistance to third parties;
• damage insurance;
• sickness insurance;
• fire hazard insurance;
• bond/deposit insurance;
• civil liability;
• theft insurance; and
• life insurance.

In some cases, the minimum coverage and conditions set by a type of insurance will be defined by ordinances issued by the ministerial department with jurisdiction over the sector in question.

Authorised insurance companies can engage in insurance activities in both the life and non-life sectors but must adopt distinct management for each activity, ensuring that both sectors are kept separate. Distinct minimum capital requirements are set for direct insurers and reinsurers and for life and non-life policies. The promotion and sale of distinct types of insurance products are subject to specific requirements, notably with regard to information duties.

Legacy players tend to specialise in either life or non-life insurance policies.

Regtech providers are not directly regulated as long as they do not render any service directly regulated as a subcontracted function or provide what could be considered reserved advice for some professions.

With the rise of new fintech solutions leading to the development of new regulatory frameworks, the compliance cost for all players, whether new or legacy ones, has risen in recent years. In turn, fintechs have created new and ingenious ways to streamline procedures to comply with all the new impositions set by these new legislations and regulations.

The category under which a potential regtech could theoretically be considered regulated needs to be assessed on a case-by-case basis, depending on the depth and level of “compliance activity” being developed. Assessing whether a particular solution is within the scope of a regulated sector or profession is not simple. For example, KYC services are strongly prone to being outsourced. In this case, the fintech solution provider should be aware that this third-party service provider could fall within the scope of the AML Act.

Another issue that should be considered when developing a regtech project is to be aware that certain outputs can be construed as legal advice, which in some jurisdictions is illegal because such advice is reserved for licensed professionals such as lawyers, financial analysts and advisers.

Considering that, in most cases, regtech solutions tend to require access to sensitive and personal data, all projects will fall under GDPR rules and DORA.

As stated in 9.1 Regulation of Regtech Providers, there is no specific set of provisions for regtechs. While DORA and GDPR do not explicitly reference regtech, their provisions are applicable to financial services firms.

To engage with this emerging trend, traditional banks, insurance firms and asset management entities are actively fostering their own financial innovations. They either outsource specific tasks to relevant service providers, form collaborations or partnerships with them or actively endorse and integrate with promising start-ups. This constitutes a change in legacy players’ approach to blockchain and cryptocurrencies, a topic mostly shunned or ignored in the past.

Blockchain technology can, for example, play a significant role in new methodologies for authenticating the identity of economic agents due to the multilaterally controlled nature of information present in a registry concerning past operations and behaviours. Additionally, it can enable or enhance peer-to-peer financing mechanisms through the internet and even allow for efficiency gains in accounting and auditing procedures within banking activities.

There is no specific regulation for blockchain or DLT as a standalone technology in Portugal. The regulatory focus on blockchain is limited to its use in the context of services involving securities, payments, financial intermediation or investment services, in addition to tackling any money-laundering-enabling features it may have.

The most recent set of rules stems from the DLT Pilot Regime. DLT financial instruments are financial instruments within the meaning of MiFID II that are issued, recorded, transferred and stored using a distributed ledger technology. One of the existing types of DLT, and the most well-known, is blockchain. The new Portuguese legislation encompasses a wide range of activities for operators of DLT-based market infrastructures. Operators are authorised to:

• provide registration and deposit services for DLT financial instruments;
• manage multilateral trading systems;
• manage securities settlement systems;
• receive, transmit and execute orders on behalf of others;
• manage portfolios on behalf of others; and
• trade on their own account.

However, Decree-Law No 66/2023 is limited to shares, bonds, and units of participation in collective investment schemes.

These operators’ roles are financial intermediaries under the Portuguese Securities Code, and the CMVM is the competent national authority for granting and revoking specific authorisations to operate a multilateral trading or securities settlement system based on DLT.

Currently, no overarching legal framework or singular legal definition for blockchain assets is applicable within Portugal.

Irrespective of the terminology employed, the classification of blockchain assets as regulated financial instruments is contingent upon the specific characteristics of each asset. This determination must be made on a case-by-case basis, considering whether the asset falls within the purview of existing financial services regulation.

In accordance with the current legal framework, specific blockchain assets meet the criteria to be classified as financial instruments under MiFID II (and its incorporation into Portuguese law) or under the Portuguese Securities Code. In essence, any blockchain asset exhibiting the attributes of a financial instrument is likely to meet the criteria for regulation within this framework.

The Portuguese law does not provide a concrete definition of the types of tokens that can be considered securities. It is necessary to analyse the characteristics of each token to determine whether it qualifies as a security under the Portuguese Securities Code.

Generally, most NFTs fall outside the concept of securities due to their non-fungible nature. However, this conceptualisation may be challenged in situations where NFTs are fractionalised and divided into smaller tradable units, a process similar to how traditional assets can be securitised and divided into shares.

The MiCA Regulation, now fully in force, broadens its scope to include new categories of crypto-assets that were previously unregulated under EU law. These include asset-referenced tokens and e-money tokens, as well as other tokens that do not fall under these classifications or existing EU financial services regulations.

The new rules, particularly those relating to transparency and authorisation requirements, will vary depending on the specific characteristics of e-money tokens, asset-referenced tokens, and utility tokens.

The CMVM’s first regulatory approach consisted of communicating with entities involved in launching initial coin offerings (ICOs) regarding the legal qualification of issued crypto-assets. It stipulated that such an asset must meet the following requirements to be considered a security:

• it represents one or more legal situations of a private and patrimonial nature;
• considering the represented legal situation, it is comparable to a typical security; and
• in the information provided by the issuer, there are elements from which the issuer’s commitment to conduct can be inferred, resulting in an expectation of return for the investor, whether it be:
1. the right to income (if the token, for example, grants the right to profits or interest); or
2. the performance of acts by the issuer or related entity suitable for increasing the token’s value.

Therefore, if a token is classified as a security, its ICO will be subject to the rules and obligations for publishing a public offering prospectus as stipulated in the Portuguese Securities Code.

As for other tokens that do not qualify as securities because they do not meet the requirements above, it is necessary to determine whether they fall within the scope of the AML Act regarding entities engaged in activities with virtual assets (ie, VASPs). If so, they are subject to compliance with applicable legal and regulatory provisions relating to AML and counter-terrorism financing (see 6.3 Impact of the Emergence of Cryptocurrency Exchanges).

On the other hand, if a token is classified as an asset-referenced token or an e-money token, it will fall within the scope of MiCA regulation and be subject to its requirements for issuers/offerors.

The regulation of crypto-assets is primarily determined by the categorisation of the assets being traded.

VASPs offering services described in 10.4 Regulation of “Issuers” of Blockchain Assets must adhere to diverse regulatory obligations concerning customer identification and verification, AML and the prevention of financing terrorism.

If virtual assets are classified as financial instruments or products, the exchange operator may need to obtain a license to offer investment services in accordance with the Portuguese Securities Code. This code implements MiFID II and may also be subject to the DLT Pilot Regime, depending on the circumstances.

For more on this topic, see 10.4 Regulation of “Issuers” of Blockchain Assets.

There are currently no specific regulations solely dedicated to staking activity. However, staking may fall under broader regulatory frameworks depending on its structure and the services provided.

There are no specific provisions for cryptocurrency loans, and as such, they will be regulated under the general provisions of the Portuguese Civil Code or the Commercial Code, depending on the nature of the parties involved in the lending agreement.

For “private loans,” a written contract is required for loans exceeding EUR2,500. For amounts over EUR25,000, the agreement must be formalised through a public deed.

If both parties involved in the loan are commercial entities, the formalities outlined above will be waived in accordance with the Commercial Code.

Derivatives, by their nature, represent a distinct class of securities. Therefore, cryptocurrency derivatives fall under the classification of financial instruments as outlined in Section C of Annex I of MiFID II and must adhere to its general provisions.

There is no set of specific regulations or laws governing DeFi. Even if the platform is decentralised, certain regulatory obligations may still apply depending on the nature of the services provided.

The operation of investment funds in Portugal is subject to the new regulation outlined in the Asset Management Regime, which establishes the legal framework for collective investment undertakings in securities in corporate form and real estate investment funds in corporate form. Within this regulatory framework, no specific provisions exclusively address investments in blockchain assets.

Please see 6.2 Regulation of Different Asset Classes.

There is no standalone concept of blockchain assets. The AML Act defines “virtual assets” to identify entities that operate as VASPs and are subject to AML/KYC obligations.

A virtual asset is “a digital representation of value that is not necessarily tied to a legally established currency and does not have the legal status of fiat currency, securities, or other financial instruments. However, it is accepted by individuals or entities as a medium of exchange or investment and can be transferred, stored, and traded electronically.”

There are no specific regulations in Portugal regarding the issuance or trading of NFTs or the operation of NFT platforms/marketplaces (please see 10.3 Classification of Blockchain Assets).

However, depending on the specific characteristics of an NFT, it may be susceptible to being included in the category of securities, thus being subject to the regulations outlined in the Portuguese Securities Code.

MiCA defines a “crypto-asset” as “a digital representation of a value or of a right that can be transferred or stored electronically using distributed ledger technology or similar technology”, excluding NFTs from being classified as crypto-assets. However, this exclusion does not entirely exempt NFTs from falling under the purview of MiCA. The regulation still encompasses the following types of crypto-assets:

• fractional NFTs;
• NFTs issued in a large series/collection;
• crypto-assets featuring a sole NFT element serving as a unique identifier; and
• crypto-assets that, despite being unique and non-fungible, exhibit de facto features linked to practical uses, rendering them fungible and/or not entirely unique.

NFT marketplaces are required to register as VASPs if they enable the crypto-to-crypto exchange of assets.

MiCA 2.0 is expected to include NFTs within its scope.

The rules set by PSD2 (Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015) were transposed to the Portuguese legal framework under Decree-Law No 91/2018, enacting the Regime for Payments and Electronic Money. However, other supranational European regulations and opinions, such as the technical standards set by Regulation (EU) 2018/389 of November 2017 on strong customer authentication, also play a pivotal role when establishing new open banking solutions.

With the adoption of PSD2, two new categories of service providers were established in the payment industry: payment initiation service providers (PISPs) and account information service providers (AISPs).

At the same time, PSD2 narrowed the playing field between fintech players and the already well-established legacy players, as they were forced to provide dedicated interfaces allowing the sharing of data originating from their payment accounts.

Open banking marks a pivotal moment for conventional banks, allowing third-party providers, including commercial platforms or alternative payment providers, to deliver banking applications and services directly through open application programming interfaces.

Decree-Law No 91/2018 of 12 November introduced changes to the provision of payment services in Portugal.

Notable aspects include its application to a wider range of payment operations, the creation and regulation of new types of payment services, the definition of security requirements for the execution of payment operations, and the imposition of greater responsibilities on payment service providers in the execution of unauthorised payment operations.

The impact of this regulation on open banking is reflected in AISPs, which allow the aggregation of information about accounts held with one or more payment service providers in a single application or website.

As for PISPs, they offer the possibility to initiate online payment operations without the customer having to interact directly with their payment service provider. PISP, contracted by the customer, accesses their account on their behalf and initiates the operation.

The Portuguese framework that transposes PSD2 establishes rules for managing operational and security risks, instructing measures for mitigation and appropriate control mechanisms to handle operational and security risks related to the payment services provided. This law also defines the procedures to be adopted in the event of operational or security incidents, with the Bank of Portugal being the entity responsible for taking all necessary measures to protect the security of the financial system.

Violating these measures can result in severe offences, subject to significant fines.

Regarding data protection, PISPs must ensure that:

• information about the customer is only provided to the payee and only with the customer’s explicit consent;
• the information requested from the customer shall only be that necessary to provide the services;
• data will not be used, accessed or stored for any other purposes; and
• the scope of data to be shared with AISPs and PISPs by the Account Servicing Payment Service Providers does not include the customer’s identity (eg, address, date of birth, etc).

AISPs must ensure that they access only the information from designated payment accounts and associated payment transactions. Also, regulatory technical standards on strong customer authentication and secure communication place a limit of four times a day on an AISP’s access to payment account data without the customer being directly involved.

The EU rigorously regulates both domains, with GDPR extending its reach to cover open banking and broader financial sector regulations, encompassing directives such as PSD2.

DORA Act does not directly address specific issues like data privacy or data security concerns raised by open banking, but it does play an important role in strengthening the overall resilience of financial institutions, which indirectly impacts security and operational risks, including in the context of open banking.

Portugal has criminalised insider dealing and market manipulation in regulated markets but does not provide specific provisions for fraud in financial services. The generic criminal provisions set out in the Portuguese Penal Code can apply if the objective legal elements are met. The most similar specific crime in the financial services sector would be the use of false or misleading information in investment solicitation, which can result in imprisonment of between six and eight years, with loss of gains of the perpetrator for engaging in such practice.

The most closely related crime in the financial service, in this case, would most of the time be that which is known as “Burla”, which criminalises the conduct of “whoever, with the intention of obtaining for themselves or for a third party illegitimate enrichment, by means of error or deceit about facts that they cunningly provoked, induces another person to perform acts that cause them or another person patrimonial damage”, leading to a punishment of imprisonment up to three years or a fine.

The Portuguese Penal Code establishes an aggravated “Burla” classification when the loss incurred by the victim is greater than EUR5,100. In these cases, the penalty can be imprisonment of up to five years. If other conditions are met, the term of imprisonment can go up to eight years.

Any fraudulent agent should also be aware that they will likely also be charged with forgery, tax fraud and money laundering.

Regulators are not focused on any specific type of fraud and will communicate any crimes they detect while exercising their supervisory powers and conducting inspections.

Considering the severity of the penalties applicable to financial crimes, most industry players do not flirt with such crimes because of the actual risk of incarceration, loss of gains and professional licence cancellation.

There are no specific provisions regarding liability for losses other than those set out in MiCA related to damages for providing incorrect information in the white paper. As a general rule, fintech firms do not benefit from the same level of legal protection as provided by Directive 2014/49/EU of the European Parliament and Council of 16 April 2014 on deposit guarantee schemes. As such, losses arising from “bad” investments are typically borne by investors.

The absence of a specific framework for customer losses does not imply that a fintech firm will not be held liable for losses resulting from breaches of contract or under the general civil liability provisions of Portuguese law.

It is important to note that, unlike the liability provisions under MiCA for incorrect information in the white paper, the general civil liability provisions will not impose liability on the firm’s administrators, managers, or supervisory bodies. Instead, liability will be limited to the legal entity responsible for the damages or losses.