Information Technology 2026

Last Updated July 08, 2026

Portugal

Law and Practice

Authors



Lektou was founded in 1985 and was formerly known as Rato, Ling, Lei & Cortés – Advogados e Notários. It has established itself as a leading full business law firm in Macau, with additional offices in Hengqin and Shenzhen (China), and Lisbon and Oporto (Portugal), under Lektou-Cortés, SP, RL. Lektou is dedicated to excellence in legal services, emphasising professionalism, integrity, multiculturalism and innovation to create value for clients while striving to find the best solutions. In the dynamic field of information technology law, Lektou stands out as a trusted adviser with extensive experience in technology-related transactions, regulatory compliance, data protection and cybersecurity, software and IT contracting, and all facets of the digital economy. Over the years, the firm has honed its specialisation, ensuring that clients benefit from insights and strategies that reflect the unique challenges and opportunities in both Macau and Portugal.

Domestic Framework for Information Society Services

Portugal has not adopted a standalone “online harms” regime comparable to the United Kingdom’s Online Safety Act. The primary platform and intermediary services framework is the directly applicable DSA, complemented by Law No 12-A/2026 of 15 April, which ensures national implementation of the DSA, amends Decree-Law No 7/2004 and revokes the interim Decree-Law No 20-B/2024 of 16 February.

Decree-Law No 7/2004 remains relevant as Portugal’s domestic framework for information society services and electronic commerce. However, Law No 12-A/2026 amended that regime, including Article 11 of Decree-Law No 7/2004, which now refers intermediary liability to the common regime with the specifications of the DSA. The DSA therefore provides the primary intermediary-liability framework. Law No 12-A/2026 also establishes the national procedural and enforcement rules for DSA orders, including orders to act against illegal content and orders to provide information.

Certain residual obligations under Decree-Law No 7/2004 may also remain relevant, including co-operation duties where content made available through a service may constitute a criminal offence.

Sector-Specific Content Obligations

Additional obligations arise under sector-specific regimes.

  • The Portuguese Copyright Code (Código do Direito de Autor e dos Direitos Conexos, or CDADC) contains rules for online content-sharing service providers. Platforms that store and give the public access to large quantities of user-uploaded content must either obtain licences from rights-holders or, where no authorisation is in place, show that they have made “best efforts” to secure it. They must also act expeditiously to disable access to, or remove, notified infringing material and take proportionate measures to prevent the same protected works from being made available again, while providing effective complaint and redress channels for users. In practical terms, the regime imposes a form of copyright-content moderation, although the applicable obligations are subject to proportionality and are less onerous for new or smaller platforms.
  • The Television and On-Demand Audiovisual Services Law (Law No 27/2007), as amended to transpose the Audiovisual Media Services Directive, requires video-sharing platform providers to adopt measures protecting minors and the wider public from illegal or harmful audiovisual content. This includes content involving incitement to violence or terrorism and hate speech. Appropriate measures may include flagging tools, parental controls and effective complaint-handling procedures.
  • Under the online gambling regime (Decree-Law No 66/2015), the regulator may order network intermediary service providers to block, remove or disable access to online gambling services made available by operators that are not legally authorised to operate.
  • The Cybercrime Law (Law No 109/2009) contains mechanisms for the preservation and production of electronic evidence in criminal investigations. Separately, the data retention framework under Law No 32/2008 has been substantially affected by Constitutional Court case law, notably Ruling No 268/2022, in relation to broad retention of traffic and location data. Providers may still be required to preserve data and co-operate with competent authorities, subject to judicial control.

Classic Intermediary Categories

Portugal does not have a separate domestic taxonomy of online-harms platforms. Law No 12-A/2026 instead organises national supervision around the DSA categories, including intermediary services, hosting services, online platforms, online marketplaces, search engines, and very large online platforms and very large online search engines (VLOPs and VLOSEs).

Decree-Law No 7/2004 historically reflected the E-Commerce Directive categories of mere conduit, caching and hosting. Those categories remain useful for understanding the role performed by each intermediary, but the operative liability framework is now primarily found in the directly applicable DSA.

In practical terms, the most important distinction is between intermediary or hosting services, online platforms and the largest services. Online platforms are subject to additional complaint-handling, advertising transparency and user-protection duties, while VLOPs and VLOSEs face enhanced obligations relating to systemic risk, independent audits, data access and transparency. Law No 12-A/2026 provides the Portuguese institutional framework for supervising these categories, without creating a separate national classification system.

Video-Sharing and Copyright-Specific Platforms

Portuguese sectoral rules also identify specific categories of platform. The Television Law treats video-sharing platform services separately from broadcasters and on-demand audiovisual services. Television broadcasting services are linear services, where programmes are provided for simultaneous viewing on the basis of a programme schedule. On-demand audiovisual media services are non-linear services, where users choose when to view programmes from a catalogue selected by the provider. Video-sharing platform services make programmes or user-generated videos available to the public, where the provider organises the content, including by automated means or algorithms, but does not exercise editorial responsibility over it.

In the copyright field, the CDADC also contains a separate concept of online content-sharing service provider. That regime is aimed at platforms whose main purpose is to store and give the public access to large quantities of user-uploaded copyright-protected content. Certain services, such as not-for-profit encyclopaedias, educational repositories, open-source development platforms, online marketplaces and business-to-business cloud services, are expressly excluded.

Digital Services Co-Ordinator

Law No 12-A/2026 appoints ANACOM (Autoridade Nacional de Comunicações) as Portugal’s Digital Services Co-Ordinator and as the lead authority for the national supervision of intermediary services under the DSA framework.

The same law also gives specific roles to the Media Regulatory Authority (ERC – Entidade Reguladora para a Comunicação Social) and to the Data Protection Authority (CNPD – Comissão Nacional de Proteção de Dados), particularly where audiovisual content or data protection issues are involved.

Investigation and Enforcement

The relevant authorities may request information, conduct inspections, issue orders and impose administrative sanctions. Depending on the breach and the applicable regime, enforcement may include orders to stop unlawful conduct, remove or restrict access to content or services, administrative fines and ancillary sanctions. Under Law No12-A/2026, more serious infringements may lead to fines of up to 6% of annual worldwide turnover, and periodic penalty payments may apply for continued non-compliance. The law also creates a national communication platform for interactions between providers and authorities and sets out co-operation duties intended to support DSA supervision in Portugal.

Sector-Specific Regulators

Other regulators remain relevant in their own fields.

  • The Gambling Regulator (Serviço de Regulação e Inspeção de Jogos) may act against unauthorised online gambling services, including through blocking mechanisms directed at network intermediaries.
  • ERC supervises video-sharing platforms under the audiovisual regime.
  • CNPD and the National Cybersecurity Centre (Centro Nacional de Cibersegurança, or CNCS) may also intervene where the relevant conduct raises data protection or cybersecurity issues.

Portuguese rules on e-commerce and online contracting are not contained in a single code. The main domestic instruments are:

  • Decree-Law No 7/2004, which regulates information society services and electronic commerce and implements the E-Commerce Directive;
  • Decree-Law No 24/2014, which applies to distance and off-premises consumer contracts, including online contracts for goods, services and digital content;
  • Decree-Law No 84/2021, which governs conformity and remedies for consumer sales of goods, digital content and digital services, and includes rules relevant to online marketplaces;
  • Decree-Law No 95/2006, which deals with distance marketing of financial services; and
  • Decree-Law No 57/2008, which prohibits unfair commercial practices and is relevant to online advertising, misleading interface design and dark patterns.

These statutes operate alongside the Civil Code (Código Civil) and the general consumer protection framework. They should also be read in light of the EU directives they transpose, in particular the Consumer Rights Directive and the Digital Content and Digital Services Directive.

Pre-Contractual Information Duties

For online consumer contracts, traders must give clear and comprehensive information before the consumer is bound. Under Decree-Law No 24/2014, this includes details such as the main characteristics of the goods or services, the trader’s identity and contacts, the full price, payment and delivery arrangements, withdrawal rights and complaint channels. Consumers normally have a 14-day withdrawal period, subject to statutory exceptions.

Digital Content and Digital Services

Where digital content or digital services are supplied, including where the consumer provides personal data instead of paying a price, Decree-Law No 24/2014 and Decree-Law No 84/2021 impose additional duties. Businesses should explain relevant functionality, interoperability and technical protection measures, and must provide updates where necessary to keep the content or service in conformity.

Marketplaces and Unfair Practices

Online marketplaces must make clear whether the third-party seller is acting as a trader or as a consumer, and how responsibilities are allocated. Separately, the unfair commercial practices regime prohibits misleading actions or omissions and aggressive practices. This captures, for example, hidden fees, false scarcity messages or deceptive interface designs on e commerce sites.

Under Decree-Law No 7/2004, traders must also make basic corporate and contact information easily available on their websites, and commercial communications must be identifiable as such.

General Validity of Electronic Contracts

Portuguese law recognises that contracts may be concluded electronically, and a contract is not invalid merely because it was formed online. Decree-Law No 7/2004 sets out the general framework for electronic contracting, while preserving traditional formalities for certain categories of contracts, including certain family, succession, real estate (other than leases) and guarantee arrangements.

The use of electronic contracting must also be voluntary in the sense that parties are only required to contract electronically if they have agreed to do so. In consumer contracts, standard terms cannot force the consumer to contract only through electronic means.

Practical Formation Requirements

Most ordinary business-to-consumer e-commerce does not require a qualified electronic signature. In practice, the contract is formed through the consumer’s express acceptance (eg, clicking an “order with obligation to pay” button), combined with the trader meeting its information and confirmation duties under Decree-Law No 7/2004 and Decree-Law No 24/2014.

Common implementation steps include:

  • explaining the technical steps required to place an order;
  • allowing the consumer to identify and correct input errors before confirming the order;
  • using an order button or equivalent function that clearly indicates a payment obligation; and
  • sending confirmation of the order in a durable medium, usually by email.

Certain regulated sectors may still require stronger signature or authentication requirements, but those are exceptions to the general position for everyday online business-to-consumer contracting.

On-premise licence models continue to be used in Portugal where customers want greater operational control or have constraints that make cloud migration less attractive. This is most common in heavily regulated sectors, such as financial services, healthcare and the public sector, where customers may prefer to keep sensitive data and key systems within infrastructure they manage directly. Other drivers include latency, performance and integration requirements. Some organisations still rely on legacy systems that are costly or risky to move to a SaaS environment. Existing investment in data centres and hardware may also make an on-premise model commercially appealing. Customers may also perceive on-premise arrangements as giving them more influence over customisation, upgrade cycles and change control. 

By contrast, SaaS products are often standardised and supplied on less negotiable terms.

Suppliers usually frame suspension rights around situations where continued access would create payment, security, legal or operational risk. Common triggers include:

  • non-payment, normally after a short cure period and sometimes following a staged approach from partial suspension to full suspension and termination;
  • suspected misuse of the platform, security incidents, malware, credential compromise, denial-of-service attacks;
  • breach of acceptable use policies, illegal content and infringement of third-party rights; and
  • where required by law, by a regulator or by a competent authority.

Customers typically negotiate limits on these rights. They often seek prior notice where practicable, with suspension limited to the affected users or functionality, prompt reinstatement once the issue is resolved and, in SaaS contracts, access to data for export during the suspension period where technically feasible.

Audit rights are negotiated differently depending on whether the arrangement is on-premises, hosted or SaaS.

Customer Audit Rights

Customers often ask for audit rights covering licence use, information security (sometimes referencing standards such as ISO 27001 or SOC reports) and data protection. These may be exercised directly by the customer or through an independent auditor, usually subject to confidentiality, notice and frequency limits.

Supplier Audit Rights

Suppliers are more likely to request audit rights where the customer controls the deployment environment, particularly in on-premises licensing. Their focus is usually on over-deployment, unlicensed use, user limits, geographic restrictions and compliance with licence metrics.

Market Practice

In SaaS contracts, traditional on-site audits are less common. Parties more often rely on usage reports, self-certifications, security attestations and targeted audits where there is a specific compliance concern.

On-Premise Solutions

Escrow is still seen in Portugal for business-critical on-premises software, particularly where the customer depends heavily on the supplier for maintenance and support (eg, public sector and large corporates). Release triggers usually include supplier insolvency, prolonged failure to maintain the product or discontinuation without an adequate replacement or migration route.

SaaS Solutions

Escrow is less common and generally of more limited utility in a pure multi-tenant SaaS model because the customer normally cannot operate the service independently. The operational platform, infrastructure and service dependencies are often as important as the code itself.

For that reason, SaaS negotiations tend to focus instead on data export, transition assistance, business continuity, disaster recovery and advance notice of service discontinuation. Where escrow is included in a SaaS context, it is often limited to supporting materials, such as documentation, configuration information or container images that may assist with migration.

SaaS providers usually give commitments on availability, support and continuity. A typical Portuguese SaaS contract will include:

  • an uptime commitment (commonly between 99.5–99.9% per month), subject to exclusions for scheduled maintenance and force majeure;
  • incident response and resolution targets based on severity levels;
  • support channels and escalation procedures;
  • service credits as the primary remedy for missed service levels; and
  • disaster recovery and business continuity commitments, including recovery time and recovery point objectives where the service is critical.

Customers also increasingly request clear rights to export their data in usable formats and assistance during exit or migration. This is particularly important for longer-term or business-critical SaaS arrangements.

EU AI Act as the Main Regime

Portugal has not adopted a separate national AI statute. The regulation of AI is therefore mainly driven by EU law, especially the AI Act – Regulation (EU) 2024/1689, which introduces a risk-based model, with prohibited practices, detailed duties for high-risk systems, transparency obligations for certain AI applications (including chatbots and deepfakes) and specific rules for general-purpose AI models.

The AI Act also sits alongside the Council of Europe Framework Convention on AI, Human Rights, Democracy and the Rule of Law.

Portuguese Legal Context

In Portugal, AI systems must also be assessed against existing rules on data protection, consumer protection, product safety, liability, employment and sectoral regulation. The GDPR and Law No 58/2019 will be particularly relevant where AI involves personal data or automated decision-making.

Portugal has not yet adopted a general domestic law that expands the AI Act. However, ANACOM has been designated in relation to supervision of EU fundamental-rights obligations for high-risk AI systems under the AI Act. Further national developments are expected to focus on enforcement architecture, competent authorities and sector-specific guidance. The AI Act’s phased application includes prohibited practices from February 2025, governance and GPAI rules from August 2025, and transparency rules from August 2026.

Portugal does not yet have a broad set of sector-specific AI regulations below the level of the AI Act. Most sectoral obligations apply to AI systems indirectly, because AI tools form part of wider ICT, data protection, cybersecurity or outsourcing arrangements.

The Labour Code, as amended by Law No 13/2023, expressly extends equality and non-discrimination principles to decisions based on algorithms or other AI systems. It also includes information duties relating to the use of algorithms or AI systems affecting employment decisions, including towards employees and worker representative structures.

In other regulated sectors, such as financial services, telecommunications, healthcare and public administration, AI deployments will generally be assessed through existing legal frameworks rather than AI-specific national rules. These include data protection, cybersecurity, operational resilience, outsourcing, consumer protection and professional liability rules. As a result, sectoral compliance requirements may be highly relevant to AI projects, but they are not, in most cases, AI-specific requirements.

Larger organisations in Portugal are increasingly adopting internal AI governance measures. These measures commonly include AI use policies, approval processes for higher-risk tools, ethics guidelines, model inventories, internal risk assessments and restrictions on the use of confidential or personal data in public AI tools. This is generally driven by GDPR compliance, operational risk, reputational concerns and preparation for the AI Act, rather than by a standalone Portuguese legal requirement.

This trend is likely to accelerate as the AI Act encourages the development of codes of conduct and other voluntary compliance measures for AI systems that fall outside the mandatory high-risk regime.

Customers are increasingly seeking contractual controls that make AI use transparent, auditable and legally manageable. The main negotiation points are as follows.

  • Transparency – customers want to know where AI is used, what the system does, whether outputs are automated or AI-assisted, and what technical or legal limitations apply.
  • Data use and data protection – contracts commonly address the use of customer data for training, fine-tuning or improving models. Customers also seek compliance with the GDPR, rules on international transfers, processor obligations and appropriate security measures.
  • Intellectual property – customers seek sufficient rights to use and commercialise outputs, and clarity on ownership of bespoke configurations, prompts, fine-tuned models or deliverables.
  • Performance and compliance – customers may request accuracy commitments, testing evidence, human oversight, audit rights and assistance with AI Act compliance where relevant.

These provisions are increasingly treated as core risk-allocation provisions rather than as technical annexes.

AI-related liability clauses increasingly separate different categories of risk. Contracts commonly distinguish between regulatory non-compliance, defective or biased outputs, misuse by the customer, data protection breaches and intellectual property claims arising from training data or generated content.

Suppliers usually try to keep AI liability within the general liability cap and exclude indirect or consequential loss. Customers, especially in regulated or high-risk deployments, often push for higher caps or carve-outs for data protection breaches and intellectual property infringement.

Indemnities are most often seen in relation to third-party intellectual property claims or unlawful use of data. The allocation of liability is also influenced by the AI Act’s distinction between providers, deployers, importers and distributors, since parties increasingly try to align contractual responsibility with the regulatory role each party performs.

Providers of AI solutions are mainly concerned with controlling risk in a fast-moving regulatory and technical environment. Their key concerns include the following.

  • Liability exposure – providers are reluctant to accept uncapped liability for outcomes affected by customer instructions, poor data quality, misuse or model limitations.
  • Regulatory compliance – the evolving and complex regulatory landscape, including the AI Act, GDPR, cybersecurity requirements and sector-specific rules, creates practical challenges in demonstrating compliance, including through documentation, testing, monitoring, human oversight and governance measures.
  • Confidentiality and IP protection – providers need to protect model architecture, training data, prompts, evaluation methods and trade secrets while still giving customers enough information for due diligence and compliance.
  • Data rights – providers often seek contractual rights to use data, particularly non-personal, aggregated or properly anonymised data, to improve services and develop models, while managing customer concerns about data use.
  • Performance expectations – many AI systems cannot deliver complete accuracy or full explainability. Providers therefore try to avoid warranties that imply error-free performance or a level of transparency that the technology cannot realistically provide.

The provision of IT services in Portugal is affected by several horizontal regimes, depending on the nature of the service and the customer’s sector.

  • Data protection – where the service involves personal data, the GDPR and Law No 58/2019 apply, including rules on lawful processing, security, data-processing agreements, sub-processing and breach notification.
  • Cybersecurity – entities covered by Decree-Law No 125/2025 must adopt cybersecurity risk-management measures and address supply-chain risks, including risks arising from cloud, managed services and other IT suppliers.

Sector-specific rules may also apply. Telecoms, financial services, healthcare and public sector customers may be subject to additional requirements on availability, integrity, resilience, outsourcing and incident reporting.

Consumer protection rules are also relevant where IT services are supplied to consumers, particularly for conformity, remedies and pre-contractual information.

Typical Structure

Liability clauses in Portuguese IT services contracts usually combine a general cap with exclusions and specific carve-outs. The cap is often calculated by reference to fees paid or payable during a defined period, commonly 12 months. Contracts also frequently exclude loss of profits, loss of business, reputational damage and other indirect or consequential losses. Depending on the transaction, carve-outs may apply for wilful misconduct (dolo), death or personal injury, confidentiality breaches, data protection breaches and intellectual property infringement.

Mandatory Law Considerations

Contractual limitations cannot remove mandatory statutory liability. This is relevant, for example, in consumer contracts, product liability, data protection and cases involving wilful misconduct. Portuguese courts may also scrutinise clauses that are excessive or inconsistent with mandatory legal protections.

Negotiation Practice

More sophisticated contracts increasingly use tiered caps. A lower cap may apply to ordinary contractual breaches, while a higher cap applies to higher-risk areas such as data protection, cybersecurity or intellectual property indemnities.

Warranties in IT services contracts are usually tailored to the nature of the project, but several provisions are common. Suppliers are typically asked to warrant that:

  • the services will be performed with reasonable skill and care;
  • deliverables will materially conform to the agreed specifications and service levels;
  • the services and deliverables will not infringe third-party intellectual property rights;
  • the supplier will comply with applicable laws, including data protection and cybersecurity requirements; and
  • the supplier has the rights, resources and authorisations needed to provide the services.

In consumer-facing arrangements, mandatory conformity rules under Decree-Law No 84/2021 limit the extent to which a supplier can disclaim or narrow statutory rights. Business-to-business contracts allow more flexibility, but customers will still often resist broad “as is” disclaimers for bespoke or critical services.

Agile contracting is increasingly used in Portugal for software development, digital transformation and systems integration projects, particularly where requirements are expected to evolve.

The usual structure is a framework agreement covering governance, pricing, intellectual property, confidentiality and liability, with statements of work, backlogs or sprint plans defining the work in more detail. These contracts require a different approach from traditional fixed-scope projects. They normally place greater emphasis on collaboration, prioritisation, change management and acceptance criteria, rather than on a complete specification agreed at the outset. Pricing is often based on time and materials, capacity or sprint-based fees, sometimes combined with milestone or quality controls.

Payment models vary according to the predictability of scope and the allocation of project risk. The most common models are:

  • time and materials, used where the work is exploratory, advisory or agile and the scope may change;
  • fixed price, used where deliverables are well defined and acceptance criteria can be agreed in advance;
  • milestone-based payments, often linked to delivery, testing or acceptance stages;
  • subscription fees, typical for SaaS and managed services; and
  • hybrid or outcome-based models, combining fixed, variable and performance-related elements.

Public sector customers tend to prefer more predictable pricing structures, while private sector customers are generally more open to hybrid models where the commercial incentives are clear.

Portugal’s telecommunications framework is mainly based on two statutes.

  • Law No 16/2022 is the Electronic Communications Law. It implements the European Electronic Communications Code and regulates electronic communications networks and services, including market entry, spectrum, numbering, end-user rights and universal service. Note that Decree-Law No 125/2025 has revoked certain provisions of Law No 16/2022 relating to security of networks and services, security incidents and related measures, with effect from 3 April 2026, although transitional provisions apply in relation to certain ANACOM acts;
  • Law No 41/2004 addresses privacy in electronic communications. It implements the ePrivacy Directive and contains rules on confidentiality of communications, traffic and location data, cookies and unsolicited marketing communications.

Various ANACOM regulations, decisions and notices further develop technical and consumer-protection aspects, including accessibility requirements for end users with disabilities. Law No 16/2022 was also amended by Decree-Law No 5/2026.

ANACOM (Autoridade Nacional de Comunicações) is the main telecommunications regulator in Portugal. Its responsibilities include market access, spectrum and numbering management, competition issues, service quality and end-user rights under Law No 16/2022. ANACOM also has additional roles as Digital Services Co-ordinator under the DSA, as the relevant sectoral cybersecurity authority for electronic communications and postal services under the Decree-Law No 125/2025 regime, and as the authority designated in relation to supervision of fundamental-rights obligations for high-risk AI systems under the AI Act.

CNPD (Comissão Nacional de Proteção de Dados) supervises data protection and privacy issues in the electronic communications sector, including cookies, traffic data, location data and direct marketing.

Consumer protection authorities, including the Directorate-General for Consumers (Direção-Geral do Consumidor), may also intervene where telecoms contracts raise consumer law issues.

General Authorisation

Electronic communications networks and services are generally provided under a general authorisation regime. In practical terms, this means that a provider usually notifies ANACOM rather than applying for an individual licence before starting activity.

Spectrum and Numbering

This general rule does not apply in the same way to scarce public resources. Rights of use for radio spectrum and numbering resources require specific allocation and licensing procedures overseen by ANACOM.

Ongoing Obligations

Operators may also be subject to regulatory fees and sector contributions, including under Decree-Law No 114/2024. They must comply with obligations on access, interconnection, emergency services, universal service funding and end-user protection.

Interconnection

Interconnection is governed by Law No 16/2022, which implements the European Electronic Communications Code. Operators with significant market power may face specific access or interconnection obligations, including transparency, non-discrimination and cost-oriented pricing. ANACOM may impose, monitor and enforce these obligations, taking account of the relevant EU and BEREC framework.

Roaming

Roaming within the EEA is mainly governed by directly applicable EU rules. These rules underpin the “Roam Like at Home” framework and related retail price protections. ANACOM is responsible for monitoring and enforcing compliance in Portugal, including in relation to end-user complaints.

End-User Rights

Law No 16/2022 contains a detailed set of protections for end-users of electronic communications services. These include rules on pre-contractual information, contract summaries, tariff transparency, billing, quality of service, number portability, contract duration and contract changes. For consumer contracts, the maximum initial commitment period is generally 24 months, although shorter alternatives must be made available in certain circumstances. Consumers must also be informed in advance of contract changes and may terminate without penalty where the law so provides, particularly where changes are detrimental to them.

Online Termination

Portugal has introduced a central online platform for terminating or switching telecoms contracts, under Ministerial Order No 284/2022. This makes it easier for consumers to exercise termination rights and reduces practical barriers to switching providers.

These telecoms-specific rules operate alongside general consumer protection law and the unfair commercial practices regime.

Legal Framework

The CDADC protects works as intellectual creations and treats the author as the natural person who creates the work (criador intelectual da obra). Copyright therefore arises first with the human author, although economic rights may be assigned or licensed. Computer programs are protected under the specific software copyright regime in Decree-Law No 252/94, as amended, which gives them protection analogous to literary works.

Contractual Distinction

Technology contracts usually separate pre-existing rights from rights created during the project.

Background IP refers to rights, tools, know-how and materials that a party brings to the engagement.

Foreground IP refers to new software, documentation, configurations or other deliverables developed under the contract.

Each party normally keeps its own background IP and grants the other party only the licences needed for the project. Foreground IP is dealt with according to the commercial model: bespoke development is more likely to involve assignment to the customer, while platform, SaaS and configurable solutions more often involve a licence. Transfers of registered rights, such as trade marks or patents, may require additional formalities and registrations.

The intellectual property rights most often discussed in IT and technology contracts are:

  • copyright, especially in software, source code, object code, documentation, interfaces and other written or visual materials;
  • patents and utility models, mainly where the technology includes hardware, technical processes or software-implemented inventions;
  • trade secrets and confidential know-how, protected through contract and the trade secrets regime introduced by Decree-Law No 110/2018;
  • trade marks and domain names, particularly for branding, platforms and online services; and
  • database rights, where the value lies in the investment made in obtaining, verifying or presenting data.

In SaaS and software projects, copyright and confidential know-how are usually the main focus. Patents become more relevant in hardware-heavy, life sciences, telecommunications and advanced manufacturing projects.

Portuguese technology contracts commonly allow suppliers to retain and re-use general know-how, techniques, methodologies and tools acquired or improved during a project. This is commercially important for suppliers, as it allows them to apply accumulated expertise across future engagements. That permission is usually limited by confidentiality and customer ownership provisions. Suppliers should not re-use customer-specific materials, proprietary data, business processes, branding or confidential information except where the contract expressly permits it.

This balance allows suppliers to build cumulative expertise and improve their offerings, while giving customers comfort that their proprietary data, business processes or branding will not be replicated for competitors. The distinction is consistent with Portuguese IP principles: copyright protects concrete expression, not abstract ideas, methods or general skills. Similarly, trade secrets protection does not normally prevent a professional from using general experience and expertise acquired lawfully.

Patent disputes in Portugal remain less common than in larger European jurisdictions, although patent awareness has grown in sectors such as pharmaceuticals, life sciences, telecoms and high-tech manufacturing. The Unified Patent Court and the European patent with unitary effect have also increased the strategic importance of patent issues for Portuguese businesses operating across Europe.

In software and IT contracts, however, parties still tend to focus more on copyright, trade secrets and contractual restrictions than on patents. Patent indemnities are nonetheless often included where the supplier provides hardware, embedded technology or standardised software that may be used in several jurisdictions. Portugal is not generally seen as a major forum for patent assertion entity activity, but cross-border patent risk is increasingly taken into account in larger technology transactions.

Human Authorship Requirement

Portuguese copyright law has no special rule for AI-generated works. The CDADC is based on the idea that a protected work is an intellectual creation and that the author is the human creator of that work. For that reason, the prevailing view is that output generated autonomously by AI, without meaningful human creative input, is unlikely to be protected by copyright.

AI as a Tool

The analysis is different where AI is used as an instrument in a broader human creative process. If a person makes creative choices in selecting, prompting, arranging, editing or refining the output, the final result may still be protected, provided it reflects that person’s own intellectual creation. This approach is consistent with the Court of Justice of the European Union’s emphasis on originality as the author’s own intellectual creation.

Contractual Solutions

Because the statutory position is still uncertain at the margins, parties increasingly address AI-assisted outputs in their contracts. They typically specify who may use the output, whether rights are assigned or licensed, and whether any warranty is given as to originality, non-infringement or lawful use of training data.

The main Portuguese and EU instruments in this area are:

  • the GDPR, which is directly applicable and sets the core rules on lawful processing, data subject rights, security, accountability and international transfers;
  • Law No 58/2019, which supplements the GDPR in Portugal, including by designating CNPD as the supervisory authority and setting national rules such as the age of consent for information society services at 13;
  • Law No 41/2004, which deals with privacy in electronic communications, including cookies, traffic and location data and unsolicited marketing;
  • Decree-Law No 125/2025, which transposes NIS2 and imposes cybersecurity risk-management and incident-notification duties on essential and important entities. The regime entered into force on 3 April 2026, and the implementing Regulation No 756/2026, published on 22 June 2026, should be checked for operational details, including notification forms and platform requirements; and
  • Law No 73/2025, which adapts Portuguese law to DORA for the financial sector. DORA has been directly applicable since 17 January 2025. The Banco de Portugal, CMVM and ASF are the competent authorities within their respective supervisory perimeters, and financial entities must maintain registers of ICT third-party agreements and report severe ICT incidents under the DORA framework.

Together, these regimes create overlapping obligations on data protection, information security, cybersecurity governance, supply-chain risk and incident reporting.

Personal Data Transfers

The GDPR restricts transfers of personal data from Portugal to third countries or international organisations unless the conditions in Chapter V are met. Transfers are typically allowed where there is an adequacy decision for the destination country, or where the controller or processor has provided appropriate safeguards (such as standard contractual clauses or binding corporate rules), in the absence of such a decision.

In situations where there is no adequacy decision nor appropriate safeguards, Article 49 GDPR allows transfers only under specific derogations, such as explicit informed consent of the data subject, necessity for the performance of a contract, important reasons of public interest, legal claims, vital interests or from a public register.

Non-Personal Data

There is no equivalent general restriction on transfers of non-personal data. However, sectoral confidentiality rules, trade secrets, export control requirements or contractual restrictions may still be relevant, depending on the type of data and the sector involved.

Portuguese law generally requires risk-based security rather than adherence to one mandatory technical standard.

Under the GDPR, controllers and processors must implement appropriate technical and organisational measures.

For entities covered by Decree-Law No 125/2025, which entered into force on 3 April 2026, the cybersecurity regime requires risk-based technical, operational and organisational measures and takes into account a national cybersecurity reference framework. The implementing Regulation No 756/2026, published on 22 June 2026, should also be checked for operational details before finalising incident reporting and platform references.

Sectoral regulators may recommend or expect adherence to recognised standards (eg, ISO 27001, NIST, or CSA CCM) as evidence of best practice, but these standards are typically not expressly mandated by legislation.

GDPR Breach Notification

Where a personal data breach occurs, the controller must notify CNPD without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to create risk for individuals. Processors must notify the controller without undue delay. If the breach is likely to result in a high risk to individuals, the controller may also need to notify the affected data subjects.

Cybersecurity Incident Notification

Entities within the scope of Decree-Law No 125/2025 are subject to a separate notification regime for significant cybersecurity incidents to the competent cybersecurity authority (CNCS). The process is phased and may include an initial notification within 24 hours, an update within 72 hours where relevant, a notification of the end of the significant impact and a final report within the applicable statutory deadline, generally 30 business days after notification of the end of the significant impact.

Telecoms providers may also have to notify ANACOM of significant network security or integrity incidents under sector-specific rules, with short-phased notification deadlines. If personal data is affected, CNPD notification may also be required.

Customer and Supplier Roles

The legal duty to notify usually sits with the data controller, the telecoms operator or the essential or important entity. In contracts, however, customers typically require suppliers to notify them quickly, provide technical information and assist with investigation, mitigation and regulatory reporting.

The GDPR requires controllers to appoint only processors that can provide “sufficient guarantees” of compliance. In practice, this means that controllers should carry out due diligence before engaging a processor and maintain an appropriate level of oversight during the relationship.

Decree-Law No 125/2025, which entered into force on 3 April 2026, adds a more explicit supply-chain dimension for entities within scope. Essential and important entities must consider supplier and service-provider security as part of their cybersecurity risk management. The implementing Regulation No 756/2026 should be verified for operational requirements, including supplier classification and assessment processes. Portuguese organisations are therefore increasingly using structured vendor assessment processes, including questionnaires, certification checks, contractual security schedules and targeted audits for higher-risk suppliers.

Data Protection Terms

Where a supplier acts as processor, the GDPR requires a binding contract or equivalent legal act. The agreement must describe the processing and include the mandatory Article 28 terms, including instructions, confidentiality, sub-processing, assistance with data subject rights, deletion or return of data and audit rights.

Cybersecurity Terms

For entities subject to Decree-Law No 125/2025, cybersecurity requirements should also be reflected in relevant supply contracts. These clauses typically address minimum security measures, incident reporting, co-operation, audit, business continuity and remediation.

In practice, larger customers often use a layered structure: a master services agreement, a data-processing agreement and a security schedule. Higher-risk suppliers may also be subject to more detailed onboarding and ongoing monitoring obligations.

Supply-chain obligations may apply to both the customer and the supplier. They do not sit solely with the customer. Their application depends on each party’s legal role, the sector in which it operates and whether it independently falls within the scope of the relevant regime.

For example, under the GDPR, the customer will often be the controller and must assess whether its processors provide sufficient guarantees of compliance. The supplier may, in turn, have direct obligations as a processor. Under Decree-Law No 125/2025, a cloud, managed service or managed security service provider may also have direct cybersecurity obligations if it qualifies as an essential or important entity under the Portuguese cybersecurity regime. Conversely, the customer may itself be directly regulated if it operates in a covered sector, such as financial services, healthcare, energy, transport, telecoms or public administration.

In practice, contracts increasingly include mutual obligations, co-operation mechanisms and flow-down requirements so that both parties can meet their own regulatory duties.

Portuguese AI regulation is likely to develop mainly through implementation of the AI Act rather than through a separate national AI code. The immediate focus should be institutional: designating competent authorities, creating supervisory capacity and, where appropriate, developing regulatory sandboxes and sector-specific guidance. Further changes are also expected in adjacent areas. Product safety, product liability, consumer protection, data protection and employment rules may all need to be applied or adapted to AI-related risks, particularly in credit scoring, healthcare, recruitment, workplace monitoring and critical infrastructure.

At EU level, the proposed AI Liability Directive has been withdrawn. The principal EU-level liability development is now the revised Product Liability Directive – Directive (EU) 2024/2853 – which modernises the product-liability regime by expressly bringing software, including AI systems, and digital manufacturing files within scope. Portugal will need to transpose the Directive by 9 December 2026.

Cybersecurity will also become more closely linked to AI regulation, as AI tools are increasingly used both to launch and to defend against cyber-attacks.

Contract drafting in Portuguese IT, cloud and AI projects has become more detailed and risk based. Several developments are now common in the market:

  • data-processing agreements are usually more comprehensive and are often accompanied by separate security schedules;
  • security clauses increasingly refer to recognised standards or frameworks, including ISO 27001 and CNCS guidance;
  • AI provisions are now appearing in procurement documents, especially around training data, transparency, human oversight and regulatory change;
  • liability clauses more often use different caps for different types of risk; and
  • exit, portability and interoperability clauses are receiving more attention in cloud and SaaS contracts.

The EU Data Act must be taken into account, particularly in relation to switching, access to data and interoperability in cloud and data-driven services.

Hyperscalers have materially influenced technology contract negotiations in Portugal. Their standard cloud contracts, which are often offered on largely non-negotiable terms, set a de facto benchmark for market expectations, especially regarding availability commitments, data protection measures and security certifications.

At the same time, customers often have limited ability to negotiate core risk provisions with major cloud providers. Liability caps, audit rights, unilateral service changes and standard security terms are frequently presented on a take-it-or-leave-it basis, although large enterprise customers and public sector customers may obtain specific addenda or tailored commitments.

This affects negotiations with smaller vendors. Customers may ask local or smaller providers to match hyperscaler-style security and resilience standards, even where those providers cannot offer the same scale, infrastructure or pricing model. The result is a market in which hyperscaler terms often set expectations, but not always realistic benchmarks for all suppliers.

Traditional intellectual property concepts still apply to current technologies, but they do not always map neatly onto AI, big data, cloud computing or open-source software. Portuguese and EU law remain based on familiar categories such as copyright, patents, trade secrets, database rights and contractual licences.

Practical Adaptations

In practice, parties use contracts to fill many of the gaps. They allocate rights in outputs, restrict use of confidential information, regulate access to data, define permitted use of open-source components and clarify ownership of configurations, prompts, documentation and deliverables. AI creates particular difficulty because Portuguese copyright law is built around human authorship. The EU text and data mining exceptions, transposed into the CDADC, are also relevant to AI training, particularly in relation to rights reservations by rights-holders and the distinction between scientific research and other text and data mining uses.

Future Developments

Further clarification may be needed on AI-generated works, data access, model training and the relationship between copyright, trade secrets and transparency. Until then, Portuguese practitioners are likely to continue relying heavily on contract drafting to manage issues that legislation has not yet resolved.

Lektou

Avenida da República No 59
7º andar, 1050-189
Lisboa

Praça do Bom Sucesso No 61
5º andar, salas 501-502, 4150-146
Porto
Portugal

+351 211 507 232

mail@lektou.com www.lektou.com
Author Business Card

Trends and Developments


Authors



Lektou was founded in 1985 and was formerly known as Rato, Ling, Lei & Cortés – Advogados e Notários. It has established itself as a leading full business law firm in Macau, with additional offices in Hengqin and Shenzhen (China), and Lisbon and Oporto (Portugal), under Lektou-Cortés, SP, RL. Lektou is dedicated to excellence in legal services, emphasising professionalism, integrity, multiculturalism and innovation to create value for clients while striving to find the best solutions. In the dynamic field of information technology law, Lektou stands out as a trusted adviser with extensive experience in technology-related transactions, regulatory compliance, data protection and cybersecurity, software and IT contracting, and all facets of the digital economy. Over the years, the firm has honed its specialisation, ensuring that clients benefit from insights and strategies that reflect the unique challenges and opportunities in both Macau and Portugal.

Introduction

Portugal is no longer at a stage of anticipation with respect to the regulation of digital platforms. With the entry into force of the recent Law No 12-A/2026 of 15 April, the country now has a national framework to ensure the national execution and enforcement of Regulation (EU) 2022/2065 of 19 October 2022, the Digital Services Act (DSA).

In general terms, the DSA has applied since 17 February 2024, although certain rules have been in force since 16 November 2022 and certain obligations applied earlier to the largest platforms designated by the European Commission.

Law No 12-A/2026 therefore does not create a “Portuguese DSA”. Instead, it sets out the missing national enforcement arrangements: competent authorities, procedures, communication channels, complaint mechanisms, investigative powers, a sanctions regime and routes of appeal.

For providers of intermediary services – including “mere conduit”, “caching” and “hosting” services – as well as online platforms, online platforms allowing consumers to conclude distance contracts with traders (eg, marketplaces) and online search engines, the practical consequence is immediate. Compliance must now be demonstrable not only under the European regulation, but also before Portuguese authorities with concrete powers. The relevant question is no longer “how does the DSA apply?” but “can we prove that we comply?”.

The DSA in Brief: The Underlying European Regime

Scope and logic of the DSA

The DSA applies to intermediary services offered to recipients that are established or located in the European Union (EU), regardless of where the provider itself is established. This is a core feature of the regime: operators based outside the EU may still be caught where they offer services to users in the Union.

The obligations vary depending on the type of service and its scale: the greater the potential impact on recipients of the service and the digital public space, the more demanding the applicable regime.

Main substantive obligations

The main substantive obligations under the DSA can be grouped around a few key areas.

  • Accessibility and communication – single points of contact for authorities and users, and a legal representative in the EU where the provider is not established in the EU but offers services there.
  • Transparency and accountability – clear terms and conditions, transparency reports, statements of reasons for moderation decisions, and information on the main parameters used by recommender systems.
  • Content moderation – notice and action mechanisms for illegal content, internal complaint-handling systems, access to out-of-court dispute settlement, trusted flaggers and measures against misuse of notice or complaint mechanisms.
  • Advertising and interface design – advertising transparency, restrictions on profiling based on special categories of personal data, and limits on deceptive interface design.
  • Protection of minors – appropriate and proportionate privacy, safety and security measures, as well as restrictions on profiling-based advertising where the platform knows with reasonable certainty that the user is a minor.
  • Marketplaces – traceability of traders and interfaces that allow traders to provide pre-contractual, compliance and product safety information.
  • Very large online platforms and very large online search engines – enhanced obligations for VLOPs and VLOSEs, including systemic risk assessment and mitigation.

VLOPs, VLOSEs and scale

For designation purposes, the DSA uses a threshold of at least 45 million average monthly active recipients of the service in the EU. The Commission maintains a current list of designated VLOPs and VLOSEs, which changes over time as platforms are designated or have their designations terminated. Examples include major social media platforms, e-commerce marketplaces and search engines. Readers should consult the Commission’s current list for the latest designations and user figures.

Liability exemptions and voluntary measures

The DSA also preserves conditional liability exemptions for intermediary service providers. In simple terms, a provider is not automatically liable for hosted content if it has no actual knowledge of illegality, or if it acts promptly once it obtains that knowledge. Article 7 of the DSA further protects good-faith, diligent voluntary measures to detect, identify, remove or disable access to illegal content.

Why national implementation in Portugal matters

The key point is that the DSA establishes harmonised substantive obligations, but its effective enforcement in each member state depends on national legislation designating authorities, creating procedures and setting sanctions. This is precisely what Law No 12-A/2026 does in Portugal.

This is why the DSA should not be seen only as a set of rules on online content. It is a framework for making the digital space more explainable, auditable and accountable, requiring platforms to justify decisions that were previously largely invisible to users and regulators.

Law No 12-A/2026: Establishing the National Enforcement Framework

Law No 12-A/2026 ensures the implementation of the DSA in the Portuguese legal order. In addition, it amends Decree-Law No 7/2004 (on electronic commerce) and the Law on the Organisation of the Judicial System, and repeals Decree-Law No 20-B/2024, which had provisionally designated the competent authorities.

The timing is important. Portugal was among the member states targeted by the European Commission for failure to implement the DSA effectively, which led to the opening of infringement proceedings. Law No 12-A/2026 is therefore more than a designation statute: it creates an institutional model with supervisory, investigative and sanctioning powers.

What the Portuguese law adds to the DSA

The Portuguese law does not duplicate the substantive obligations – those arise directly from the DSA as a European regulation.

What it does is make the DSA enforceable at national level, through:

  • designation of the Portuguese National Communications Authority (ANACOM) as Digital Services Co-Ordinator;
  • allocation of sectoral powers (the Regulatory Authority for the Media, ERC, and the National Data Protection Commission, CNPD);
  • national procedures for complying with determinations;
  • communication platform managed by ANACOM;
  • sanctions regime;
  • routes of judicial appeal; and
  • institutional co-operation mechanisms.

Until Law No 12-A/2026 was adopted, DSA enforcement was most visible in relation to very large online platforms and search engines, whose enhanced obligations are supervised directly by the European Commission. National implementation brings the risk closer to operators active in Portugal.

That closer proximity should, however, be understood correctly. ANACOM becomes an important entry point for complaints, co-operation and national action. Where the provider is established in another member state, primary competence may generally remain with that state’s co-ordinator; and for VLOPs and VLOSEs, the European Commission continues to play a central role.

Competent authorities

The law allocates powers among three entities.

  • ANACOM – designated as the competent administrative authority and Digital Services Co-Ordinator, acting as the single point of contact with the European Commission and the other member states.
  • ERC – responsible for supervising matters relating to terms and conditions, advertising transparency and the protection of minors.
  • CNPD – competent for advertising based on profiling that uses special categories of personal data and for advertising based on profiling directed at minors.

This allocation follows the European trend of involving regulators with experience in communications, media or digital services.

The shared model creates a practical challenge: companies may need to engage with several authorities at once, particularly where the same product or functionality combines content moderation, advertising, protection of minors and processing of personal data.

Orders and information requests

The law specifies the duties of providers of intermediary services vis-à-vis judicial and administrative authorities.

In simple terms, operators must be prepared to comply with orders to act against illegal content, orders to provide information on individual recipients of the intermediary service concerned, or other information requests where this is required by law.

Those orders must satisfy formal requirements – including identification of the authority, legal basis, reasons, deadline and redress mechanisms – which gives operators greater predictability. In return, operators need teams, channels and records that can respond quickly and in a documented way.

Communication platform

The law provides for a centralised communication platform, managed by ANACOM, which will function as a structured channel between authorities and providers.

This platform will allow, in particular:

  • the sending of determinations by authorities to providers;
  • the receipt of communications from providers;
  • the transmission of determinations to co-ordinators in other member states;
  • the forwarding of complaints from recipients of the service; and
  • co-operation between public entities.

Until the platform is operational, communication will take place electronically through designated points of contact. In practice, the relationship between platforms and authorities is likely to become more structured, traceable and evidence-based.

ANACOM’s powers as co-ordinator

ANACOM has a broad range of investigative and enforcement powers. In practice, ANACOM may:

  • investigate potential infringements, including by requesting information from providers and third parties, asking staff for explanations and, where necessary, applying to the court for inspections;
  • require corrective action, including by ordering providers to cease infringements, imposing corrective measures and accepting binding commitments;
  • impose sanctions, including fines and periodic penalty payments; and
  • act in urgent or exceptional situations, including by applying for interim measures and, in extreme cases involving persistent infringements linked to crimes threatening life or safety, asking the competent judicial authority to temporarily restrict access to the service.

Complaints

Law No 12-A/2026 makes the right to lodge complaints provided for in the DSA more operational in Portugal.

Recipients of the service, as well as bodies, organisations or associations mandated by them, may lodge complaints against providers with the Digital Services Co-Ordinator. ANACOM may forward complaints, close them or adopt appropriate measures.

The complaint data show that users are already testing these mechanisms. In 2024, ANACOM recorded 66 complaints, covering issues such as illegal content, account suspension, difficulty making contact and removal decisions. In 2025, the number rose to 237 – a 259% increase. Instagram accounted for 36% of those complaints, followed by Facebook with 24% (those figures were recorded by ANACOM under the powers attributed to it by the provisional national framework then in place).

Sanctions and appeals

The sanctions regime is one of the clearest reasons to treat the DSA as a risk management issue, not a box-ticking exercise. In general terms:

  • some administrative offences may be sanctioned with fines of up to 6% of worldwide annual turnover or, for individuals, annual income; and
  • periodic penalty payments may reach 5% of worldwide average daily turnover or average daily income, per day, up to a maximum equivalent to 30 days.

Decisions of the Digital Services Co-Ordinator may be challenged before the Competition, Regulation and Supervision Court. Decisions of that court may be appealed to the Lisbon Court of Appeal, which decides at last instance.

The law also provides for limitation periods for sanctions proceedings and sanctions. As a rule, both are time-barred after five years. This point reinforces the need to retain documentation and evidence of compliance for appropriate periods.

Three less visible issues to watch

Three lower-profile aspects of Law No 12-A/2026 are likely to matter in practice.

  • The first is the Advisory Council, which sits within the structure of the Digital Services Co-Ordinator and includes representatives from the scientific community, civil society, consumers and businesses. It will not sanction operators, but may shape supervisory priorities and future guidance.
  • The second is the commitments regime. Providers may assume corrective measures before ANACOM; if accepted, those measures become binding and may suspend ongoing administrative offence proceedings, provided they are complied with.
  • The third is the financing and evaluation of the regime. The law provides for initial financing through 5G auction proceeds, a future reassessment of the model and a reasoned report from the Co-Ordinator by 20 April 2028.

Practical Implications: Turning Compliance Into Evidence

Operational readiness

Law No 12-A/2026 turns DSA compliance into an operational readiness issue. Companies should:

  • correctly classify the service provided – mere conduit, caching, hosting, online platform, marketplace, search engine or VLOP/VLOSE – as that classification determines the applicable set of obligations;
  • review single points of contact and, where applicable, designate legal representatives;
  • structure internal workflows for receipt of and compliance with determinations and requests for information, including validation criteria, deadlines and supporting documentation;
  • review moderation processes and complaint mechanisms, ensuring that reasons are given for decisions;
  • document evidence of compliance for potential audits and investigative measures;
  • prepare for interaction with multiple authorities (ANACOM, ERC, CNPD);
  • review policies on advertising and online protection of minors; and
  • test capacity to respond to disputes and sanctions proceedings.

Priorities by business model

The starting point is to classify the activity correctly, but the practical priority will vary by business model.

  • For online platforms allowing consumers to conclude distance contracts with traders, the focus will be on traceability of traders, product information and responses to illegal products or services.
  • For social networks, the most sensitive issues will be content moderation, statements of reasons for decisions, internal complaint-handling systems, the protection of minors and advertising.
  • For hosting or cloud services, the priority will be to have effective notice and action mechanisms, with records demonstrating when the provider became aware of content and how it responded.
  • For very large online platforms and very large online search engines, the concern also extends to systemic risks. What is at stake includes effects on fundamental rights, public security, the protection of minors and serious negative consequences for a person’s physical and mental well-being.

Before applying these priorities, providers should also consider whether any micro or small enterprise exemptions are available. The DSA is deliberately proportionate: while micro and small enterprises may be exempt from a number of platform-specific obligations (including internal complaint-handling systems, out-of-court dispute settlement, trusted flagger priority, certain advertising and recommender-system transparency duties and trader traceability obligations), that does not remove the need to classify the service correctly, comply with any core obligations that remain applicable and monitor whether growth, group structure or future designation changes the analysis.

Illegal products and marketplace duties

The DSA also creates specific duties where illegal products or services are offered through a platform. Once a platform becomes aware that an illegal product or service has been offered through its services, it may have to inform affected consumers, identifying the illegality, the trader and the available means of redress. As a rule, that individual obligation covers consumers who purchased the product or service in the previous six months if the platform has their contact details; otherwise, the platform must make appropriate information publicly available.

Recommender systems, advertising and minors

Protection of minors deserves particular emphasis. Platforms accessible to minors must adopt appropriate and proportionate measures to ensure a high level of privacy, safety and security. This may affect the design of recommender systems, age-assurance processes, advertising practices and the way in which terms and conditions are explained to younger users.

DSA compliance should not be assessed in isolation from data protection rules. Profiling-based advertising, age assurance, recommender systems, researcher access to data and responses to authority requests should also be reviewed under the GDPR and ePrivacy framework, particularly where minors’ data or special categories of personal data are involved.

For users: more routes to challenge decisions

The DSA already grants recipients of the service a set of rights and redress mechanisms. Law No 12-A/2026 makes part of that framework more operational in Portugal by identifying the competent authorities, regulating complaints to the Digital Services Co-Ordinator and creating institutional channels for co-operation and communication.

In practice, recipients of the service now have multiple routes for challenging platform decisions.

For users, the impact goes beyond the ability to file a complaint. The DSA seeks to reduce the “black box” effect of platform decision-making. When an account is suspended, content is removed or a post loses visibility, the user should receive an understandable explanation and know which redress mechanisms are available.

The DSA in Practice: Transparency, Enforcement and Litigation Risk

Transparency reports: turning scale into evidence

The DSA’s transparency obligations may require providers to report on notices relating to illegal content, moderation decisions, orders from authorities, complaints, internal complaint-handling systems, out-of-court dispute settlement, automated tools and human resources dedicated to moderation.

TikTok illustrates the scale that the DSA makes visible. In its sixth DSA transparency report, covering the second half of 2025, the platform stated that it had 178 million monthly active recipients in the EU and had removed around 112 million pieces of content for breach of its terms and policies, including videos, livestreams, advertisements, product listings and, for the first time, comments.

The report also states that 93.8% of infringing content was handled by automated systems without human review, with 97.6% of automated decisions confirmed as correct. These figures reveal an important shift: content moderation is becoming measurable, auditable and comparable.

AliExpress provides a second illustration of the practical scale of these obligations. In its transparency report for the period from July to December 2025, the platform notes that it was designated by the European Commission as a very large online platform, or VLOP, and identifies approximately 181.9 million monthly active recipients of the service in the EU, of whom more than 5.7 million were in Portugal.

The same report refers to 701,165 initial notices, 393,997 moderation decisions, an average action time of 14 hours, 238 orders from member state authorities to act against illegal content and 273 orders to provide information, all of which were complied with.

Taken together, these figures help to show that the DSA is not merely a legal exercise: it is a regime that requires operational capacity, trained teams and systems capable of responding at scale.

European enforcement

At European level, DSA enforcement is already a reality. The European Commission has opened proceedings against major platforms and has imposed significant fines, while internal complaint-handling and out-of-court dispute settlement mechanisms are being used at significant scale.

A particularly relevant example is X, formerly Twitter. In December 2025, the European Commission imposed a fine of EUR120 million for non-compliance with transparency obligations under the DSA, including issues relating to the design of the verification system, the advertising repository and researchers’ access to public data. In January 2026, the Commission opened a further investigation concerning X’s recommender systems and Grok, its AI-powered chatbot.

More recently, on 28 May 2026, the Commission fined Temu EUR200 million for failing to diligently identify, analyse and assess systemic risks relating to illegal products offered on the platform and resulting harm to EU consumers. The Temu decision reinforces that systemic risk assessment is not a box-ticking exercise and is particularly relevant for marketplaces where trader traceability and illegal product risks are prominent.

In May 2026, the Commission also preliminarily found that TikTok’s addictive design breaches the DSA. This includes features such as infinite scroll, autoplay, push notifications, and its highly personalised recommender system. The case is particularly significant because it shows that DSA enforcement is not limited to illegal content or transparency reporting: it also extends to the design of online services, including features that may affect minors, mental well-being and users’ ability to control their online experience.

The Commission has also opened formal proceedings against other platforms, including Shein on 17 February 2026 and Snapchat on 26 March 2026, signalling that enforcement activity continues to expand across the designated VLOP landscape.

Portugal: representative actions and litigation risk

In Portugal, litigation against large platforms shows that the risk is not merely administrative.

Ius Omnibus brought representative actions relating to consumers resident in Portugal who used Google products or services. In general terms, those actions concern allegations relating to the collection, association and combination of personal data at scale, personalised advertising, consent, use of services by minors, cookies, tracking technologies, international data transfers, processing of sensitive data, deceptive interface design and the use of data for artificial intelligence models or functionalities.

These actions are not based exclusively on the DSA. However, they illustrate the risk environment in which Law No 12-A/2026 will now operate: transparency towards users, personalised advertising, interface design, protection of minors and governance of large-scale platforms.

Conclusion

Law No 12-A/2026 marks the point at which DSA compliance in Portugal becomes a concrete enforcement issue. The substantive obligations already applied under EU law, but Portugal now has a national framework identifying the competent authorities, setting procedures for orders and complaints, granting investigative and enforcement powers and establishing a sanctions and appeals regime.

For providers active in Portugal, the immediate priority is to ensure that compliance is capable of being evidenced in practice. Service classification, points of contact, legal representation, notice-and-action workflows, moderation records, complaint-handling, advertising transparency, protection of minors, marketplace trader traceability and responses to authority requests should be documented, tested and capable of being explained to ANACOM, ERC, CNPD or, where relevant, another Digital Services Co-Ordinator or the European Commission.

Looking ahead, enforcement is likely to develop through a combination of regulatory supervision, cross-border co-operation, user complaints and private litigation. The Portuguese framework does not turn the DSA into a local regime, but it does make compliance more proximate, more procedural and more evidential. Companies that prepare now will be better positioned to respond to complaints, information requests, inspections and litigation; those that rely only on published policies may find that the decisive issue is not whether a rule exists, but whether the organisation can show how it was applied in practice.

In that sense, the time to act is before the first complex complaint, inspection or urgent request from ANACOM.

Lektou

Avenida da República No 59
7.º andar, 1050-189
Lisboa

Praça do Bom Sucesso No 61
5º andar, salas 501-502, 4150-146
Porto
Portugal

+351 211 507 232

mail@lektou.com www.lektou.com
Author Business Card

Law and Practice

Authors



Lektou was founded in 1985 and was formerly known as Rato, Ling, Lei & Cortés – Advogados e Notários. It has established itself as a leading full business law firm in Macau, with additional offices in Hengqin and Shenzhen (China), and Lisbon and Oporto (Portugal), under Lektou-Cortés, SP, RL. Lektou is dedicated to excellence in legal services, emphasising professionalism, integrity, multiculturalism and innovation to create value for clients while striving to find the best solutions. In the dynamic field of information technology law, Lektou stands out as a trusted adviser with extensive experience in technology-related transactions, regulatory compliance, data protection and cybersecurity, software and IT contracting, and all facets of the digital economy. Over the years, the firm has honed its specialisation, ensuring that clients benefit from insights and strategies that reflect the unique challenges and opportunities in both Macau and Portugal.

Trends and Developments

Authors



Lektou was founded in 1985 and was formerly known as Rato, Ling, Lei & Cortés – Advogados e Notários. It has established itself as a leading full business law firm in Macau, with additional offices in Hengqin and Shenzhen (China), and Lisbon and Oporto (Portugal), under Lektou-Cortés, SP, RL. Lektou is dedicated to excellence in legal services, emphasising professionalism, integrity, multiculturalism and innovation to create value for clients while striving to find the best solutions. In the dynamic field of information technology law, Lektou stands out as a trusted adviser with extensive experience in technology-related transactions, regulatory compliance, data protection and cybersecurity, software and IT contracting, and all facets of the digital economy. Over the years, the firm has honed its specialisation, ensuring that clients benefit from insights and strategies that reflect the unique challenges and opportunities in both Macau and Portugal.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.