See pdf

Law no. 12-A/2026, published on 15 April 2026, implements the EU Digital Services Act (“DSA”) in Portugal.

The statute sets out the national framework and implements the obligations of intermediary service providers under the DSA.

• ANACOM designated as Digital Services Coordinator, with supervisory, investigative and enforcement powers;
• Providers must act against illegal content and comply with orders from judicial and administrative authorities;
• Compliance commitments available as an alternative route to avoid or suspend infringement proceedings;
• Fines of up to 6% of annual worldwide turnover, proportionality criteria govern the determination of sanctions in individual cases; and
• Providers not established in Portugal are subject to the law where their services are directed at the Portuguese market.

Digital Services Regulation

The DSA establishes a harmonised framework of rules for digital intermediary services across the European Union. Its objectives are to strengthen online safety and to create a more transparent and accountable digital environment. As an EU regulation, it is directly applicable in all Member States without requiring national transposition.

The DSA applies to providers of intermediary services, including data transmission, caching and hosting, that offer their services to recipients located in the Union, irrespective of where the provider is established or incorporated.

Its principal obligations include requirements to remove illegal content, to implement notice-and-action mechanisms, to enhance transparency in content moderation and online advertising, and to prohibit practices such as the profiling of individuals based on sensitive personal data for advertising purposes.

General framework

Law no. 12-A/2026 ensures the effective domestic application of the DSA in Portugal. It identifies the competent national authorities, defines their respective powers and establishes coordination mechanisms between national bodies and EU institutions.

On the substantive side, the law specifies the obligations of service providers, in particular as regards action on illegal content and cooperation with public authorities, and sets out the requirements applicable to orders issued by competent authorities.

From an enforcement perspective, the law provides for administrative fines of up to 6% of global annual turnover, periodic penalty payments and, in serious cases, the possibility of seeking temporary access restrictions through the courts.

Competent authorities and institutional structure

The law designates ANACOM as Portugal's Digital Services Coordinator. In that capacity, ANACOM is responsible for supervision, enforcement and coordination with the European Commission, the European Board for Digital Services and counterpart coordinators in other Member States.

Two further authorities hold sector-specific competences:

• The Regulatory Authority for the Media (ERC) oversees matters concerning media content and advertising transparency; and
• The National Data Protection Commission (CNPD) supervises compliance with rules on personal data, including those applicable to targeted advertising and the protection of minors.

This tripartite structure reflects the cross-sectoral scope of the DSA and the existing division of regulatory competences under Portuguese law.

Obligations of intermediary service providers

Providers of intermediary services, including hosting services, online platforms and marketplaces, must comply with orders issued by judicial or administrative authorities. They are required to act against illegal content and to provide information concerning the recipients of their services when lawfully requested to do so.

Orders addressed to providers must satisfy a number of conditions: they must be duly reasoned and proportionate, territorially scoped, subject to defined time limits and must clearly identify the available means of challenge. These safeguards apply regardless of whether the order targets content, conduct or user identity.

These obligations extend to providers not established in Portugal where their services are directed at recipients in the national territory.

Supervisory, investigative and enforcement powers

As Digital Services Coordinator, ANACOM holds broad investigative and enforcement powers. It may request information, conduct inspections, issue cease-and-desist orders and impose corrective measures.

Requests for information must be duly reasoned and must provide for a minimum response period of ten working days. Addressees are required to respond fully and within the stated timeframe.

Compliance commitments. The law allows providers to offer compliance commitments – voluntary measures designed to remedy or prevent non-compliance with the DSA. When accepted by the competent authority and effectively implemented, such commitments may prevent the opening of infringement proceedings or lead to their suspension. This mechanism offers a structured route for providers to engage proactively with regulators and resolve concerns without formal enforcement action.

Interim and judicial measures. In cases of serious and persistent non-compliance, ANACOM may apply to the courts for temporary measures restricting access to services or interfaces. ANACOM may also impose provisional measures of its own initiative where there are indications of an infringement and a risk of serious harm pending final determination.

Administrative offences and sanctions

The law introduces a comprehensive set of administrative offences, aligned with the DSA, spanning content transparency, content moderation, online advertising, recommender systems, protection of minors and user redress mechanisms. Negligent conduct is expressly punishable.

While the statutory maxima are high, the law expressly requires sanctions to be calibrated in accordance with proportionality criteria, including the gravity and duration of the infringement, the degree of fault, the economic capacity of the infringer and the number of users affected.

Maximum penalties will in practice arise only in cases of repeated or deliberate non-compliance or where a provider has failed to cooperate with the competent authority. The imposition of sanctions does not discharge the obligation to bring the infringement to an end.

Impact on market players

The practical implications of the new regime differ considerably depending on the nature and scale of the provider.

Large platforms face the greatest regulatory exposure, subject to higher fines and more demanding governance requirements, particularly as regards transparency, algorithmic accountability and crisis response protocols.

SMEs and small platforms face lower financial risk in practice, given the proportionality mechanism built into the sanctions framework. Their main compliance burden lies in formalising procedures: clear terms and conditions, basic content moderation rules, functional complaint mechanisms and the capacity to respond to authority requests within prescribed deadlines.

Marketplaces and e-commerce intermediaries face strengthened obligations as regards trader traceability, the suspension of non-compliant traders and the provision of information to consumers.

Advertisers and ad-tech operators must comply with stricter requirements regarding advertising transparency, audience targeting and the protection of minors from behavioural advertising.

Conclusions

Law No 12-A/2026 consolidates the Portuguese legal framework for digital services and gives operational effect to obligations already applicable under EU law. It clarifies the institutional architecture, assigns supervisory responsibilities and provides enforcement tools proportionate to the scale and nature of the operator concerned.

For businesses, the practical priority is ensuring that internal procedures are adequate to respond to requests from ANACOM and other competent authorities within the prescribed timeframes. Failure to cooperate is itself an offence under the new regime, making compliance readiness the immediate operational concern.

For users, the law reinforces existing EU protections and provides clearer procedural routes for challenging illegal content.

The effectiveness of the regime will ultimately depend on how authorities calibrate enforcement in practice. A measured, risk-based approach can contribute to a safer and more transparent digital environment; an excessively formalistic or disproportionate application risks generating significant compliance costs, particularly for smaller operators that lack the legal and technical resources of their larger competitors.