Legal Alert | Implementation of the Digital Services Regulation in the Portuguese Legal System (Law No. 12-A/2026, of April 15)

Background

On 15 April 2026, Law No. 12-A/2026 was published, which ensures the implementation, in the domestic legal order, of Regulation (EU) 2022/2065 of the European Parliament and of the Council, on a single market for digital services, the so-called Digital Services Act (DSA). The new law also makes the fifth amendment to Decree-Law No. 7/2004, of 7 January (regarding e-commerce), the amendment of the Law on the Organization of the Judicial System and the repeal of Decree-Law No. 20-B/2024, of 16 February (which had then ensured the implementation, in the domestic legal system, of the DSA by designating the competent authorities and the coordinator of digital services in Portugal).

The DSA establishes a common framework in the European Union for providers of intermediary services, providing for duties of diligence and transparency with a direct impact on content moderation, advertising and the protection of minors (more information about the DSA here).

The Law now published aims, in particular:

• To define the national architecture for the implementation of the DSA, designating Autoridade Nacional de Comunicações (ANACOM) as the Coordinator of Digital Services and attributing sectoral competences to the Entidade Reguladora para a Comunicação Social (ERC) and the Comissão Nacional de Proteção de Dados (CNPD).
• To operationalise the compliance, by intermediary service providers, with determinations to act on illegal content and to comply with information duties, including minimum formal requirements and associated mechanisms.
• To provide for investigation and enforcement powers, as well as an administrative offence regime – with fines of significant value – ensuring, at the same time, procedural guarantees and remedies, in order to strengthen the protection of users.
• To implement mechanisms for cooperation and articulation between authorities and create an Advisory Council, as well as a communication platform for the operationalisation of the model.
• To create a communication platform, managed by ANACOM, for sending determinations, receiving communications from providers and forwarding complaints, ensuring interoperability with the European Commission’s systems.

For intermediary service providers operating in Portugal, Law No. 12-A/2026 is especially relevant, as it clarifies: (i) how determinations must be treated and complied with to act on illegal content and to comply with information duties, (ii) which duties of transparency and internal organisation tend to be more scrutinised, and (iii) the sanctioning framework associated with non-compliance.

Main aspects of the new law

I. Cross-cutting obligations (all intermediary services)

Regardless of the business model, intermediary service providers must ensure a minimum DSA compliance organisation that in practice includes:

• Provision of single points of contact for communication with competent authorities and service recipients.
• Designation of legal representative (when applicable).
• Provision of terms and conditions, in accordance with the DSA.
• Publication of transparency reports on content moderation, under the required terms.

At the institutional level, ANACOM acts as the Digital Services Coordinator and the single point of contact with the European bodies, being, as a rule, the authority with which providers will interact in matters of supervision and enforcement (without prejudice to the sectoral competences of the ERC and the CNPD).

II. Illegal content and requests for information

Law No. 12-A/2026 specifies the common duties to comply with determinations issued by competent judicial or administrative authorities, namely to: (i) act on illegal content, (ii) provide information about individual recipients of the services, and (iii) provide lists or information about unidentified groups of recipients.

The diploma is particularly relevant, as it explains the minimum formal requirements of the determinations, which should allow the provider of intermediary services: (i) to identify the issuing authority, (ii) to locate the content or information concerned, and (iii) to understand the legal basis, territorial scope, deadline and redress mechanisms.

From an operational point of view, the growing need to adopt internal procedures that ensure traceability, response times and adequate supporting documentation (including for audit and possible litigation purposes) is reinforced.

III. Obligations by type of service

In addition to the transversal obligations, there are specific obligations by type of service, namely:

IV. Supervision and consequences of non-compliance

The Digital Services Coordinator has relevant investigative and enforcement powers, including requests for information, judicially authorised inspections, acceptance of binding undertakings, cease-and-desist orders and the imposition of fines and periodic penalty payments, as well as, in exceptional scenarios, the possibility to apply to court for temporary restriction of access to the service.

The administrative offence regime allows fines of up to 1% (less serious infractions) or up to 6% (more serious infractions), of the annual global turnover in the case of legal persons, or of the annual income, in the case of natural persons, with the maximum amounts being reduced by half in case of negligence, or attempt.

In addition, periodic penalty payments of up to 5% of the average daily turnover (globally) per day up to a maximum of 30 days may be applied to ensure compliance with orders and decisions in the context of investigations.
The framework regime for administrative offences in the communications sector, approved by Law No. 99/2009, of 4 September, applies to the administrative offences provided for in Law No. 12-A/2026.

Next steps

For intermediary service providers, Law No. 12-A/2026 translates, above all, into a reinforcement of operational readiness requirements, for compliance with determinations and requests for information, as well as a significant increase in the sanctioning risk associated with procedural and/or transparency failures.

In this sense, the entities covered must:

• Map the type of service provided (intermediation, hosting, online platform, marketplace, search engine) and the specific obligations applicable.
• Regulate and structure internal flows for receiving and complying with determinations and requests for information (including validation criteria, deadlines, logging and governance).
• Review and update terms and conditions and transparency reports, define single points of contact, as well as a legal representative.
• Test, from a technical and operational point of view, the ability of the Digital Services Coordinator to respond to investigations and diligences, bearing in mind the sanctioning framework applicable in the event of non-compliance.
• Bear in mind the transitional provisions, namely: (i) the 90-day period for the appointment of the representatives of the Advisory Board, (ii) the dependence of the use of the communication platform by the judicial authorities on the signing of a protocol with the Instituto de Gestão Financeira e Equipamentos da Justiça (IGFEJ), and (iii) the obligation for the Digital Services Coordinator to prepare, within two years after the entry into force of the law, a report with the balance of the application of the regime and recommendations for adjustment.

The Technology and Data Protection team remains available to clarify any questions related to the implementation of this diploma. For more information, please contact us.