Portugal: A TMT Overview
Main Trends and Legal Challenges in the TMT Sector in Portugal
Portugal has seen fruitful new initiatives in the TMT sector, in line with international trends. For instance, Portugal's privileged geographic location has established the country as a critical landing point for submarine cables, attracting big tech companies like Meta, Google and EllaLink. The Portuguese government has instructed certain authorities to take actions aimed at streamlining the licensing procedures for the installation of submarine cables, which may further increase the sector’s attractiveness.
Furthermore, a procedure for granting individual rights of use of the radio spectrum in the 26 GHz range is expected soon, which will enable the development of multiple 5G and internet of things (IoT) solutions supported by millimetre-wave bands.
In addition to these trends, the TMT sector faces various legal challenges that may impact the operations and profitability of its players. One of the most pressing concerns is the growing adoption of emerging technologies, particularly AI, and the complexities surrounding its regulation. Compliance with evolving legal frameworks entails significant regulatory costs and challenges in ensuring that technology solutions remain future-proof.
Data and cybersecurity threats have significantly increased, posing serious risks to corporate reputations and exposing companies to substantial fines and liabilities. Regulators are scrutinising the TMT sector around issues such as compliance, consumer protection and content moderation. TMT companies must address these legal challenges proactively to protect their interests, maintain their reputation and remain competitive.
Electronic communications sector
General legal framework
Law 16/2022 (the "Electronic Communications Act"), transposing into national law Directive (EU) 2018/1972, is at the core of the sector's regulatory framework. Following the entry into application of Regulation (EU) 2024/1309 – ie, the "Gigabit Infrastructure Act" – there is some legal uncertainty, as the regulation has tacitly revoked much of Decree-Law 123/2009, which previously defined the legal regime of construction, access and installation of electronic communications networks and physical infrastructures.
Until an applicable national implementing law for the Gigabit Infrastructure Act is adopted, certain questions regarding the construction, access and installation regime will remain without clear answers.
Requirements for obtaining a licence/authorisation to provide electronic communications services and networks
Undertakings that wish to provide publicly available electronic communication services and networks in Portugal are required to submit a communication, through a pre-approved form, to the Portuguese regulatory authority for the communications sector (Autoridade Nacional de Comunicações – ANACOM) before commencing their activities under the general authorisation regime. Some undertakings, such as operators of number-independent interpersonal communications services, are exempt from this prior communication obligation.
Framework applicable to operators of interpersonal communications services
The Electronic Communications Act has brought about significant changes to the provision of interpersonal communication services, which were not defined under the previous framework. For instance, operators of number-based interpersonal communications services are now subject to the general authorisation regime, placing them alongside traditional operators in certain matters, such as end-user protection requirements, reflecting their market growth. Number-independent interpersonal communications services are subject to a lighter-touch regime.
Security of electronic communications networks and services
The Electronic Communications Act and ANACOM Regulation No 303/2019 set forth a series of obligations that operators must comply with regarding the security of electronic communications networks and services. These obligations require undertakings, among other things, to:
- implement technical and organisational measures that ensure a security level proportional to the risks posed to the security of networks and services; and
- notify significant security incidents affecting the operation of networks or services to ANACOM and the Portuguese Cybersecurity Centre (Centro Nacional de Cibersegurança – CNCS).
Portugal approved a new Cybersecurity Legal Regime by Decree‑Law 125/2025 of 4 December, which transposes Directive (EU) 2022/2555 (NIS 2) and will replace the existing sectoral security obligations for electronic communications operators. The new regime enters into force on 3 April 2026, with phased applicability for some obligations; it expressly repeals selected provisions of the Electronic Communications Act once successor instruments are in place.
This new regime significantly broadens the range of entities covered, strengthens risk-management and incident-reporting obligations, and consolidates the role of the CNCS as the national cybersecurity authority. Electronic communications operators fall squarely within the scope of this new framework.
Broadcasting/media sector
General legal framework
Besides the consumer protection panoply and the laws related to advertising and unfair commercial practices, the main legal instrument for regulation of the broadcasting sector is the TV Law (Law 27/2007). Regarding other media-related activities, the Radio Law (Law 54/2010) applies to radio broadcasting, while press activity is regulated by Law 2/1999.
Requirements for obtaining a licence/authorisation to provide services
Audiovisual service providers, depending on the nature of the services they provide, are subject to (i) licensing, by means of public tender, (ii) authorisation or (iii) registration requirements, which they must meet before they begin providing services in Portugal. The competent authority for this purpose is the Portuguese regulatory authority for the media sector (Entidade Reguladora para a Comunicação Social – ERC).
Restriction on common ownership/limits on participation
The TV Law only restricts the common ownership of free-to-air channels with nationwide coverage to protect and promote plurality. Specifically, the same natural or legal person cannot hold, directly or indirectly, 50% or more of the total licences available in the market for free-to-air channels with nationwide coverage for similar services with the same coverage.
Data protection and cybersecurity
General overview of the current and prospective legal framework
Portugal has a well-established data protection framework based on the General Data Protection Regulation (GDPR) and Law 58/2019, and further supported by EU and national guidelines and case law.
In recent years, the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados – CNPD) has been particularly active, with a focus on international data transfers, marketing communications and data subjects' rights. In addition, Law 18/2024, which was published and entered into force in early February 2024, introduces new obligations and requirements on access to electronic communications metadata for criminal investigation purposes, aligning the framework with Constitutional Court case law.
Furthermore, several EU regulatory initiatives are expected to impact the Portuguese market directly, such as the Data Governance Act (including the national implementing Decree-Law 2/2025) or the Data Act (which still does not have an implementing law).
The national Cybersecurity Framework has undergone a significant overhaul. The previous framework, which consisted of Law 46/2018, the Cybersecurity Act (Decree-Law 65/2021) and Commission Implementing Regulation (EU) 2018/151, has been revoked and replaced by Decree-Law 125/2025 of 4 December, which approves the new Cybersecurity Legal Regime and transposes Directive (EU) 2022/2555 (NIS 2) into Portuguese law.
The new regime enters into force on 3 April 2026, on a phased basis, with some obligations becoming applicable at different times. It significantly broadens the range of entities covered – introducing categories of essential entities, important entities and relevant public entities – and strengthens risk-management and incident-reporting obligations. The CNCS is consolidated as the national cybersecurity authority, with reinforced supervisory powers, alongside newly created sectoral and special supervisory authorities. Non-compliance can result in fines of up to EUR10 million or 2% of global annual turnover, whichever is higher. This is a matter to be closely followed by electronic communications operators, as they are within the new regime's scope.
Finally, Portugal has implemented, through Law 73/2025, Regulation (EU) 2022/2554 (the “Digital Operational Resilience Act” – DORA) on digital operational resilience for the financial sector, which establishes a common framework for managing risks associated with information and communication technologies (ICTs) and requires financial entities to ensure a high level of digital operational robustness. This includes implementing protective measures against cyber-attacks and other ICT-related vulnerabilities.
Digital services
General overview of the Digital Services Act (DSA)
The DSA, together with the Digital Markets Act (DMA), marks a new era of regulation in the EU's digital ecosystem. Applicable to a wide range of intermediary services and governed by the principle of "what is illegal offline should be illegal online", its main goal is to create a secure, predictable and trustworthy online environment, by imposing, for instance:
- measures to counter illegal content, goods and services online; and
- effective safeguards for content moderation.
ANACOM has been designated as the digital services co-ordinator in Portugal, alongside other competent authorities, the media regulator (ERC) and the CNPD.
On 27 February 2026, the Portuguese Parliament approved the DSA implementing law, which establishes the institutional and sanctioning framework applicable to intermediary service providers in Portugal. The law defines the responsibilities of online intermediary service providers, specifies ANACOM's powers and its collaboration with other competent authorities and introduces a centralised electronic platform for co-ordination between intermediary service providers, judicial authorities and administrative entities.
Intermediary service providers established in Portugal, or directing their activity to Portugal, must ensure compliance with obligations arising from the DSA, including the designation of points of contact and legal representatives, the provision of mechanisms for reporting illegal content, transparency in terms and conditions and recommendation systems, compliance of advertising practices and the implementation of measures for the protection of minors.
Following the international trend on the protection of children online, the Portuguese Parliament is also working on a draft law that establishes a minimum age of 16 for social media use and introduces age verification obligations for providers of online services such as social media platforms, betting, gaming and age-restricted websites, and app stores.
IT sector
Blockchain
Despite notable growth in recent years, there are relatively few significant new projects in the Web3 space. However, the adoption of blockchain and smart contract solutions continues, particularly in areas such as data sharing, digital identity, the non-fungible token (NFT) market and the Metaverse.
While the EU has introduced several Web3-related initiatives, such as the DLT Regulation, the Fifth Anti-Money Laundering Directive (5AMLD), the Markets in Crypto-Assets Regulation (MiCA), the European Digital Identity Regulation (EUDIR) and the Data Act, there is still no unified regulation for DLT, smart contracts or NFTs in Portugal. Nevertheless, the EU Blockchain and Web3 Strategy, which aims to establish a "gold standard" for blockchain and promote the use of DLT and smart contracts, is expected to significantly impact the Portuguese market.
Artificial intelligence
The AI market is rapidly growing, with numerous start-ups and SMEs offering a wide range of AI-based solutions. In Portugal, three projects funded by the Portuguese government and the European Council's NextGenerationEU programme are driving the development and adoption of responsible AI solutions and policy standards, including the sustainable implementation of the AI Act:
- the Center for Responsible AI Consortium;
- Bridge AI; and
- the Amália large language model.
These initiatives align with the National Digital Strategy, which aims to boost innovation and investment in the AI ecosystem.
The AI Act, which came into force on 2 August 2024, is directly applicable in Portugal and is expected to have a significant impact on the Portuguese market. To ensure compliance and protect fundamental rights under the AI Act, the Portuguese government has designated 14 public authorities, co-ordinated by ANACOM, to oversee its implementation. Furthermore, the Portuguese legislature is set to transpose Product Liability Directive II by 9 December 2026.

