Internet & Online Safety · Portugal
Online safety in Portugal: the EU Digital Services Act (2026)
Portugal shaded by its internet & online safety status
Online safety rules in Portugal: comprehensive law, under EU Digital Services Act (Regulation (EU) 2022/2065), implemented nationally by Law No. 12-A/2026 of 15 April 2026; ANACOM is the competent authority and Digital Services Coordinator..
As an EU member state, Portugal applies the directly-effective EU Digital Services Act (DSA) as its comprehensive online-content and platform-safety regime, and on 15 April 2026 enacted national implementing Law No. 12-A/2026 establishing supervision, enforcement and sanctions. ANACOM serves as the Digital Services Coordinator and single point of contact, with ERC, IGAC and CNPD holding sectoral competences. A separate bill restricting social-media access for under-16s passed a first parliamentary reading in February 2026 but is not yet final law.
The Digital Services Act in Portugal
In Portugal, online platforms and intermediaries are governed by the EU Digital Services Act (DSA), a directly-applicable regulation covering illegal content, transparency and user protection.
- Framework
- the EU Digital Services Act (Regulation (EU) 2022/2065)
- Approach
- notice-and-action on illegal content, transparency reporting, clear terms, and protection of minors
- Applies to
- online intermediaries, hosting services and platforms offering services to users in Portugal, wherever established
- Very large platforms
- platforms and search engines with 45M+ EU users face extra systemic-risk audits, overseen by the European Commission
- Maximum fine
- up to 6% of global annual turnover
- Oversight
- the national Digital Services Coordinator, plus the European Commission for very large platforms
The DSA is an EU regulation applied directly in Portugal; the national Digital Services Coordinator handles day-to-day supervision.
The Digital Services Act in Portugal: FAQ
Yes. As an EU member, Portugal is covered by the EU Digital Services Act (Regulation (EU) 2022/2065), which applies directly.
Notice-and-action mechanisms for illegal content, transparency reporting, clear terms of service, and measures to protect minors.
The national Digital Services Coordinator, with the European Commission supervising very large online platforms and search engines.
Up to 6% of a provider's global annual turnover for serious breaches.
Key points
The DSA (Regulation (EU) 2022/2065) applies directly in Portugal, imposing tiered due-diligence, notice-and-action, transparency and risk-mitigation duties on intermediary services, online platforms and VLOPs/VLOSEs, layered over the e-Commerce liability framework (mere conduit, caching, hosting).
Law No. 12-A/2026, published in the Diário da República on 15 April 2026 and in force shortly after, sets out Portugal's institutional framework for DSA supervision, enforcement powers and the applicable sanctions regime for intermediary service providers.
ANACOM (the national communications regulator) is designated both competent administrative authority and Digital Services Coordinator, acting as single point of contact for the European Commission, the European Board for Digital Services and other Member States' DSCs, and handling platform identification, supervision and complaints.
Alongside ANACOM, ERC oversees protection of minors and advertising rules, IGAC handles copyright/related rights, and CNPD covers prohibitions on profiling-based and minor-targeted advertising; breaches can attract DSA-level fines of up to 6% of global annual turnover.
A PSD bill setting a digital minimum age of 16 for autonomous social-media use (ban under 13; verified parental consent for 13-16 via the Chave Móvel Digital) passed a first parliamentary reading on 12 February 2026 but remains in committee stage and is not yet enacted; oversight would fall to ANACOM and CNPD.
Liability follows the DSA's harmonised conditional-immunity model for intermediaries plus mandatory notice-and-action, statement-of-reasons, internal complaint handling and out-of-court dispute settlement; the EU's age-verification blueprint (feature-ready 15 April 2026) is available for national customisation.
Timeline - major decisions & events
Portugal published Law 12-A/2026 in the Diário da República, formally establishing the national framework for supervising and enforcing the EU Digital Services Act. ANACOM is confirmed as Digital Services Coordinator with power to impose fines up to 6% of global turnover; the media regulator ERC handles minor-protection and advertising provisions.
Abreu Advogados / Diário da República ↗Portugal published Decree-Law 125/2025, replacing the NIS 1 regime (Law 46/2018) with a comprehensive new cybersecurity legal framework aligned with Directive (EU) 2022/2555. The CNCS is consolidated as national cybersecurity authority; penalties can reach €10 million or 2% of turnover; law entered into force 120 days after publication (3 April 2026).
Vieira de Almeida / Diário da República ↗The European Commission sent Portugal a letter of formal notice under the DSA infringement procedure, noting that while ANACOM had been designated as DSC by Decree-Law 20-B/2024, it had not been granted the enforcement powers or sanctions regime required by EU law.
PLMJ Law Firm ↗From 17 February 2024, the DSA obligations applied to all intermediary service providers in Portugal (not just VLOPs/VLOSEs), making platforms, hosting services, and online marketplaces subject to transparency, notice-and-action, and user-protection requirements directly enforceable by ANACOM.
ANACOM Consumer Portal ↗Portugal designated ANACOM as its Digital Services Coordinator under the DSA by Decree-Law 20-B/2024, meeting the formal designation deadline of 17 February 2024. However, the decree did not yet confer the full enforcement and sanctioning powers required, triggering the subsequent Commission infringement action.
ANACOM ↗Portugal issued Decree-Law 65/2021 to implement the EU Cybersecurity Act (Regulation 2019/881), defining cybersecurity certification obligations and strengthening the NIS Directive operational framework with binding incident-reporting duties and security officer requirements for essential-service operators.
CMS Expert Guide ↗Law 58/2019 adapted Portuguese law to the EU General Data Protection Regulation, confirming the CNPD (Comissão Nacional de Proteção de Dados) as the national supervisory authority. It introduced mandatory Data Protection Officers for public bodies and addressed special-category data processing, directly strengthening online privacy protections for users in Portugal.
Osservatorio sulle Fonti / Diário da República ↗Portugal enacted Law 46/2018 to transpose the first EU NIS Directive (2016/1148), establishing the national legal framework for the security of network and information systems across critical sectors (energy, finance, water, transport, telecoms). It nominated CERT.PT as the national CSIRT and underpinned the CNCS's authority until it was superseded by Decree-Law 125/2025.
NIS-2-Directive.com / Diário da República ↗Rights-holder associations, IGAC, Portuguese Consumer Directorate-General, and telecom operators signed a Memorandum of Understanding enabling the administrative blocking of copyright-infringing websites (via MAPINET) without requiring individual court orders. This institutionalised content blocking in Portugal and set a precedent for subsequent online content enforcement.
European Digital Rights (EDRi) ↗Portugal created the Centro Nacional de Cibersegurança (CNCS) by Decree-Law 69/2014, within the framework of the National Security Office. The CNCS became the anchor institution for national cybersecurity policy, incident coordination, and international cooperation, and remains the national authority under the NIS 2 regime today.
CNCS (National Cybersecurity Centre) ↗Portugal amended Law 41/2004 with Law 46/2012 to align with the revised EU ePrivacy Directive (2009/136/EC), replacing implied consent with a requirement for explicit, informed, prior opt-in consent before placing non-essential cookies. This directly shaped how Portuguese websites and online services handle user-tracking and advertising.
ConsentStack / Diário da República ↗Portugal enacted Law 41/2004 to transpose EU Directive 2002/58/EC, establishing the foundational rules on privacy in electronic communications, covering confidentiality, unsolicited marketing, traffic data, and the original cookie consent framework. It remains the cornerstone ePrivacy instrument for online services, as amended in 2012 and 2022.
Law Library of Congress ↗Portugal - other topics
Internet & Online Safety in other countries
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →