Online safety & content laws in Portugal (2026)

Portugal published Law 12-A/2026 in the Diário da República, formally establishing the national framework for supervising and enforcing the EU Digital Services Act. ANACOM is confirmed as Digital Services Coordinator with power to impose fines up to 6% of global turnover; the media regulator ERC handles minor-protection and advertising provisions.

Portugal published Decree-Law 125/2025, replacing the NIS 1 regime (Law 46/2018) with a comprehensive new cybersecurity legal framework aligned with Directive (EU) 2022/2555. The CNCS is consolidated as national cybersecurity authority; penalties can reach €10 million or 2% of turnover; law entered into force 120 days after publication (3 April 2026).

The European Commission sent Portugal a letter of formal notice under the DSA infringement procedure, noting that while ANACOM had been designated as DSC by Decree-Law 20-B/2024, it had not been granted the enforcement powers or sanctions regime required by EU law.

From 17 February 2024, the DSA obligations applied to all intermediary service providers in Portugal (not just VLOPs/VLOSEs), making platforms, hosting services, and online marketplaces subject to transparency, notice-and-action, and user-protection requirements directly enforceable by ANACOM.

Portugal designated ANACOM as its Digital Services Coordinator under the DSA by Decree-Law 20-B/2024, meeting the formal designation deadline of 17 February 2024. However, the decree did not yet confer the full enforcement and sanctioning powers required, triggering the subsequent Commission infringement action.

Portugal issued Decree-Law 65/2021 to implement the EU Cybersecurity Act (Regulation 2019/881), defining cybersecurity certification obligations and strengthening the NIS Directive operational framework with binding incident-reporting duties and security officer requirements for essential-service operators.

Law 58/2019 adapted Portuguese law to the EU General Data Protection Regulation, confirming the CNPD (Comissão Nacional de Proteção de Dados) as the national supervisory authority. It introduced mandatory Data Protection Officers for public bodies and addressed special-category data processing, directly strengthening online privacy protections for users in Portugal.

Portugal enacted Law 46/2018 to transpose the first EU NIS Directive (2016/1148), establishing the national legal framework for the security of network and information systems across critical sectors (energy, finance, water, transport, telecoms). It nominated CERT.PT as the national CSIRT and underpinned the CNCS's authority until it was superseded by Decree-Law 125/2025.

Rights-holder associations, IGAC, Portuguese Consumer Directorate-General, and telecom operators signed a Memorandum of Understanding enabling the administrative blocking of copyright-infringing websites (via MAPINET) without requiring individual court orders. This institutionalised content blocking in Portugal and set a precedent for subsequent online content enforcement.

Portugal created the Centro Nacional de Cibersegurança (CNCS) by Decree-Law 69/2014, within the framework of the National Security Office. The CNCS became the anchor institution for national cybersecurity policy, incident coordination, and international cooperation, and remains the national authority under the NIS 2 regime today.

Portugal amended Law 41/2004 with Law 46/2012 to align with the revised EU ePrivacy Directive (2009/136/EC), replacing implied consent with a requirement for explicit, informed, prior opt-in consent before placing non-essential cookies. This directly shaped how Portuguese websites and online services handle user-tracking and advertising.

Portugal enacted Law 41/2004 to transpose EU Directive 2002/58/EC, establishing the foundational rules on privacy in electronic communications — covering confidentiality, unsolicited marketing, traffic data, and the original cookie consent framework. It remains the cornerstone ePrivacy instrument for online services, as amended in 2012 and 2022.