See pdf

The European Commission’s “Digital Omnibus” package (COM(2025) 837 final) and the parallel “Digital Omnibus on AI” proposal (COM(2025) 836 final) mark a shift from regulatory expansion towards regulatory consolidation in EU digital governance.

Rather than introducing new substantive duties, the package seeks to reduce duplicative compliance burdens, clarify interfaces between overlapping instruments, and enhance enforcement coherence across the EU’s digital rulebook.

This paper analyses the legal technique and policy rationale of the Digital Omnibus and assesses its implications for three intersecting domains: (i) data regulation (Data Act and the broader data acquis), (ii) data protection and privacy (GDPR and ePrivacy), and (iii) governance of AI systems and platforms (AI Act, DSA, and P2B). It argues that the initiative’s effectiveness will depend on whether simplification is achieved through genuine alignment of procedures and supervisory coordination, while maintaining the level of protection required by the EU Charter of Fundamental Rights.

Keywords: Digital Omnibus; AI Act; GDPR; Digital Services Act; Data Act; enforcement; Portugal..

Introduction

The EU’s “agile digital rulebook” agenda

EU digital regulation has evolved rapidly from sector-specific measures to a dense horizontal framework covering data protection, online platforms, digital markets, cybersecurity and artificial intelligence. Core instruments include the GDPR, the DSA, the DMA, the Data Governance Act (DGA), the Data Act, and the AI Act. While each instrument pursues distinct objectives, their cumulative application has produced overlaps in definitions, documentation requirements, incident reporting and supervisory competences – raising compliance costs and creating legal uncertainty for cross-border operators.

The Digital Omnibus package is framed as a first “targeted” step towards an “agile digital rulebook”. The Commission’s Explanatory Memorandum emphasises that the amendments are technical in nature, seek to lower compliance costs, and aim to preserve underlying policy objectives and standards of fundamental-rights protection. The package also sits alongside a broader “digital fitness check” intended to map cumulative impacts and identify further alignment opportunities during the legislative mandate.

Legal technique, scope, and structure of the package

Legally, the Digital Omnibus follows a classic omnibus technique: a single proposal amending multiple regulations and directives, combined with targeted repeals of instruments deemed redundant or superseded. COM(2025) 837 final proposes amendments to the GDPR (Regulation (EU) 2016/679), the Data Act (Regulation (EU) 2023/2854), and selected cybersecurity and privacy instruments, and repeals, inter alia, the Free Flow of Non-Personal Data Regulation (Regulation (EU) 2018/1807), the P2B Regulation (Regulation (EU) 2019/1150), the DGA (Regulation (EU) 2022/868), and the Open Data Directive (Directive (EU) 2019/1024). In parallel, COM(2025) 836 final proposes amendments to the AI Act (Regulation (EU) 2024/1689) and sectoral legislation (including Regulation (EU) 2018/1139) to facilitate implementation.

The package therefore has a dual character. First, it consolidates and simplifies parts of the data and privacy acquis (including incident reporting). Second, it introduces implementation-focused adjustments for AI governance. For regulated entities, the practical question is whether procedural alignment will enable re-use of compliance artefacts (e.g., risk assessments, reporting templates) and reduce the risk of parallel investigations triggered by the same event or system. 

Table 1. Selected Digital Omnibus Measures

Data regulation: towards “One Data Act”

A central pillar of the Digital Omnibus is the restructuring of the “data legislative acquis”. The Commission identifies legal complexity driven by partially superseded rules and unaligned definitions. COM(2025) 837 final proposes repeal of Regulation (EU) 2018/1807 (Free Flow of Non?Personal Data) on the basis that switching obligations are now addressed in the Data Act. It also proposes repealing the DGA and the Open Data Directive, while integrating their functional content into a restructured Data Act framework. This consolidation has potential benefits: a single normative anchor for data access, sharing and intermediation; reduced interpretive friction across instruments; and simplified compliance mapping for industry.

The Commission’s Staff Working Document anticipates simplification through, inter alia, narrowing scope in specific areas (such as business-to-government access in emergencies), removing or adjusting requirements considered administratively burdensome, and extending proportionality measures beyond SMEs to “small mid?cap enterprises”. The inclusion of model contractual terms and standard clauses seeks to operationalise the framework by providing templates that can be adopted at scale, potentially reducing negotiation and compliance costs in cloud and data-sharing arrangements.

Data protection and privacy: clarifications with high constitutional stakes

The Digital Omnibus is unusual in that it does not only streamline procedures but also proposes targeted adjustments to the GDPR and the privacy rulebook. The Staff Working Document explicitly identifies the definition of personal data and the treatment of anonymisation and pseudonymisation techniques as areas where greater clarity is sought. In addition, it addresses the processing of personal data for the development and operation of AI systems and models, and it proposes streamlining data breach notification and the “notion of high risk” for the purposes of data protection impact assessments.

From a doctrinal perspective, any recalibration of GDPR concepts requires careful assessment against the EU Charter of Fundamental Rights, in particular Articles 7 and 8, and the proportionality principle. Simplification that reduces uncertainty is desirable; however, simplification that materially lowers substantive safeguards may intensify constitutional litigation risk and create divergent enforcement approaches pending Court of Justice clarification. The proposal also addresses “consent fatigue” by modernising cookie consent mechanics and aligning elements of the ePrivacy regime with the GDPR. While improved user experience and reduced banner fatigue are plausible benefits, the compliance impact will hinge on how exemptions are defined and how preference signals are standardised and evidenced.

Platform governance: repeal of P2B and the continuing DSA–DMA duality

For platform operators and business users, the proposed repeal of Regulation (EU) 2019/1150 (P2B) reflects a policy judgment that parts of the platform-to-business transparency regime have been superseded by the DSA’s horizontal framework. Yet the legal and practical consequences of repeal depend on whether DSA coverage fully substitutes for the removed obligations, particularly for smaller platforms not designated as VLOPs or VLOSEs.

More broadly, the Omnibus does not eliminate the structural duality between the DSA (systemic risk and content governance) and the DMA (market power and contestability). Enforcement remains multi-level: the Commission holds exclusive competence over certain VLOP/VLOSE due diligence obligations, while national Digital Services Coordinators supervise other DSA obligations and ensure national coordination. This architecture may generate procedural duplication when platform conduct simultaneously implicates consumer protection, data protection, and competition rules. A key question for the Omnibus agenda is therefore not only alignment of reporting templates, but also alignment of supervisory cooperation and information-sharing rules across authorities.

The “Digital Omnibus on AI”: implementation, proportionality, and institutional capacity

COM(2025) 836 final proposes targeted amendments to Regulation (EU) 2024/1689 (AI Act) to address implementation challenges identified during early application phases, including delays in standards and the establishment of national governance and conformity assessment frameworks. The proposal maintains the AI Act’s risk-based logic but seeks to facilitate smooth and predictable application, including by extending certain support and proportionality measures to “small mid?cap enterprises”. It also amends Regulation (EU) 2018/1139 to integrate high-risk AI requirements into the aviation safety framework, illustrating the broader challenge of embedding AI governance into sectoral safety regimes.

For businesses, the most salient dimension is legal certainty: implementation-focused simplification can reduce the transaction costs of compliance planning, particularly where application dates are linked to the availability of harmonised standards, guidance, and supervisory tools. For authorities, the Omnibus underscores capacity constraints: AI governance is highly technical, and enforcement effectiveness will depend on coordinated guidance and consistent interpretation across Member States.

Enforcement coherence and Portugal: coordination risks in a multi-authority environment

The Digital Omnibus explicitly seeks to reduce fragmentation not only in EU rulemaking, but also in how EU digital law is administered and enforced.

Portugal provides a clear illustration of the coordination challenge because several supervisory “nodes” intersect. GDPR supervision is carried out by the Comissão Nacional de Proteção de Dados (CNPD), an independent administrative authority with powers of authority that operates alongside the Assembleia da República. Platform supervision under the DSA, in turn, requires a designated Digital Services Coordinator; in Portugal, ANACOM, the National Communications Authority, has been appointed as the competent authority and Digital Services Coordinator. ANACOM’s remit has recently expanded further. In 2025, Decree-Law No. 125/2025 designated ANACOM as the National Sectoral Cybersecurity Authority for electronic communications and postal services. Decree-Law No. 2/2025 also designated ANACOM as Portugal’s competent authority for data intermediation services under the Data Governance Act and as Portugal’s representative on the European Data Innovation Board.

These competences will often converge in practice. Depending on the service model and its legal qualification, a single AI-enabled product feature (for example, automated content ranking, biometric onboarding, or targeted advertising optimisation) may engage: (i) GDPR requirements (lawfulness, transparency and DPIAs), (ii) AI Act requirements (risk management, documentation and governance controls), and – where the service falls within the DSA’s scope – (iii) DSA duties (transparency, systemic-risk assessment and mitigation). Absent strong coordination mechanisms, a single incident –such as an algorithmic failure, unlawful biometric processing, or a data breach – can generate multiple notification channels and parallel proceedings across authorities, each operating under different procedural frameworks and timelines.

Recent CNPD intervention regarding biometric data collection underscores the practical importance of rapid supervisory action in Portugal. in March 2024, the CNPD adopted an urgent provisional measure restricting the collection of biometric data (iris/face) associated with Worldcoin’s enrolment activities in Portugal. Importantly, the factual trigger was not “platform content moderation” as such, but the rapid scaling of a high-risk biometric processing operation linked to a digital service ecosystem. The episode shows how interim supervisory action can materially limit exposure while a full assessment proceeds – and why coordination becomes critical when the same underlying product stack can simultaneously engage data protection enforcement, cyber incident response expectations, and (where applicable) digital-service governance obligations.

For regulated entities, the enforcement exposure is therefore not limited to the substantive standards under each instrument. It also includes the procedural burden of concurrent investigations, potentially inconsistent remedial measures, duplicative information requests, and conflicting timelines. Any Omnibus-driven “single reporting point” for incidents will therefore require robust rules on allocation of competence, confidentiality, and onward transmission of information, to avoid both under-enforcement and needless duplication.

Conclusion

The Digital Omnibus signals a mature phase in EU digital regulation: a recognition that an ambitious digital rulebook requires coherent interfaces, proportionate procedures, and enforceable governance structures.

The package’s consolidation of the data acquis into a more unified Data Act framework, its procedural streamlining of privacy compliance, and its implementation-focused adjustments to the AI Act offer plausible pathways to reduce duplicative burdens. Yet the initiative also carries legal risks. Where simplification affects core GDPR concepts or consent structures, constitutional scrutiny and litigation risk may increase.

The success of the Omnibus will therefore depend on precision in drafting and on the quality of supervisory coordination – both at EU level and within Member States such as Portugal.

References

• European Commission, Proposal for a Regulation amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868 and Directive (EU) 2019/1024 (Digital Omnibus), COM(2025) 837 final, 19 November 2025.
• European Commission, Proposal for a Regulation amending Regulations (EU) 2024/1689 and (EU) 2018/1139 (Digital Omnibus on AI), COM(2025) 836 final, 19 November 2025.
• European Commission, Commission Staff Working Document accompanying the Digital Omnibus proposals, SWD(2025) 836 final, 19 November 2025.
• European Commission, A simpler and faster Europe: Communication on implementation and simplification, COM(2025) 47 final, 11 February 2025.
• Regulation (EU) 2016/679 (General Data Protection Regulation).
• Regulation (EU) 2022/2065 (Digital Services Act).
• Regulation (EU) 2022/1925 (Digital Markets Act).
• Regulation (EU) 2024/1689 (Artificial Intelligence Act).
• Regulation (EU) 2023/2854 (Data Act).
• Regulation (EU) 2019/1150 (Platform-to-Business Regulation).
• Regulation (EU) 2022/868 (Data Governance Act).
• Decree-Law No. 20-B/2024 of 16 February (Portugal) – designation of the competent authorities and the Digital Services Coordinator (DSA).
• Decree-Law No. 2/2025 of 23 January (Portugal) – implementation of Regulation (EU) 2022/868 and designation of ANACOM as the competent authority for data intermediation services.
• Decree-Law No. 125/2025 of 4 December (Portugal) – legal framework for cybersecurity and designation of ANACOM as the National Sectoral Cybersecurity Authority for electronic.
• Comissão Nacional de Proteção de Dados (CNPD), official website and public information portal.
• ANACOM, “Digital services” (DSA) – designation as Digital Services Coordinator in Portugal.
• European Commission, “Digital Services Coordinators” (DSA cooperation framework) – policy page.

See pdf

The year 2025 was marked by significant legislative and regulatory activity in the Portuguese Technology, Media and Telecommunications.

Developments in 2025 focused on the reinforcement of cybersecurity and critical infrastructure resilience through the transposition of the NIS2 and CER Directives, as well as on the development of new infrastructure supporting data transmission and electronic communications, notably through strategic investment in submarine cable systems aimed at strengthening connectivity and international data flows.

Regulatory action addressed key aspects of the electronic communications framework, notably through the approval of the number portability regulation, strengthening consumer protection by allowing end users to change providers more swiftly and at no additional cost, while lowering barriers to effective competition.

Set out below is an overview of the main legislative and regulatory developments adopted in Portugal during 2025 that are of particular relevance to TMT.

National Legislation

Decree-Law No. 2/2025 (23.01.2025)

Implements Regulation (EU) 2022/868 (Data Governance Act) in Portugal, designating the competent national authorities and establishing the applicable sanctioning regime. The decree assigns supervisory powers to ANACOM for data intermediation services, with direct implications for digital platforms and operators involved in controlled data sharing activities.

Ordinance No. 166/2025/2 (28.02.2025)

Establishes procedures for determining revenues relevant to calculating the financial contribution payable by providers of electronic communications networks and services under the general authorisation regime. The ordinance standardises calculation and reporting through a mandatory declaration model, electronically submitted to ANACOM, and enhanced audit mechanisms.

Decree-Law No. 22/2025 (19.03.2025)

Transposes Directive (EU) 2022/2557 (CER) into Portuguese law, establishing a national framework for the identification of critical entities and the enhancement of their resilience. The decree defines the competent authorities, sets out the applicable obligations and procedures, and establishes the supervisory and sanctioning regime applicable to entities providing essential services.

Order No. 5477/2025 (14.05.2025)

Assigns to the Institute for Mobility and Transport (IMT, I.P.) responsibility for overseeing the management of the Atlantic CAM concession agreement between the Portuguese State and Infraestruturas de Portugal, S.A.

Law No. 59/2025 (22.10.2025)

Authorises the Government to establish a new legal framework for cybersecurity through the transposition of Directive (EU) 2022/2555 (NIS2).

The decree sets out the scope and governance structure of the future regime, including risk management and incident notification obligations, supervisory and enforcement powers, and the applicable sanctioning framework, while also allowing for amendments to related legislation and establishing a 180-day period for the exercise of the legislative authorisation.

For more information on this subject, please refer to our newsletter of 24 November 2025.

Council of Ministers Resolutions No. 183/2025,184/2025 and185/2025 (26.11.2025)

Establishes Portugal's strategic framework for submarine cable infrastructure development.

Resolution 183/2025 updates the multi-year expenditure authorisation for the Atlantic CAM system. Resolution 184/2025 mandates preparatory studies for the complementary “Anel Açores” submarine cable system, requiring open wholesale access and enhanced cybersecurity compliance. Resolution 185/2025 authorises Infraestruturas de Portugal to incur multi-year expenditure and to allocate financial commitments relating to the subcontract for the operation, management and maintenance of the Atlantic CAM submarine cable system.

For more information on this subject, please refer to our newsletter of 28 November 2025.

Decree-Law No. 125/2025 (4.12.2025)

Establishes a new national cybersecurity framework through the transposition of Directive (EU) 2022/2555 (NIS2). The decree defines the categories of covered entities and the governance model, identifies the competent authorities, and sets out risk management and incident notification obligations. It also establishes the applicable supervisory powers and sanctioning regime, thereby strengthening Portugal’s overall cybersecurity.

For more information on this subject, please refer to our newsletter of 15 December 2025.

ANACOM rulings and public consultations

Regulation No. 38/2025 (9.01.2025)

Establishes the rules applicable to the number portability regime, ensuring that end users can retain their telephone numbers when switching providers of electronic communications services.

The regulation defines the procedural and operational requirements applicable to providers, including cooperation obligations, processing timelines and technical arrangements necessary to ensure a smooth, timely and uninterrupted switching process. The regime supports consumer protection and promotes effective competition by reducing barriers to changing service providers.

For more information on this subject, please refer to our newsletter of 13 January 2025.

Notice No. 22408/2025/2 (10.09.2025)

Approved the draft regulation setting out the technical instructions applicable to the deployment of reduced-area wireless access points, implementing Decree-Law No. 97/2024, and defining installation requirements to ensure minimal visual impact and compliance with applicable technical standards.

The draft regulation was submitted to a 30-day public consultation, which closed on 22 October 2025.

Notice No. 22543/2025/2 (11.09.2025)

Approves a draft amendment to Regulation No. 86/2007, updating electromagnetic field monitoring and measurement procedures to reflect technological developments, notably the deployment of 4G and 5G networks. The draft introduces specific rules for small-area wireless access points, adjusts decision levels to avoid double counting of measurement uncertainties, and modernises monitoring obligations to align with current technical standards.

The draft regulation was submitted to a 30-day public consultation, which closed on 23 October 2025.

Notice No. 22650/2025/2 (12.09.2025)

Approves a draft amendment to Regulation No. 256/2009, updating the rules on the identification and signage of radiocommunications stations to reflect current regulatory and operational requirements.

The draft regulation was submitted to a 30-day public consultation, which closed on 24 October 2025, and was approved on 23 December 2025.

ANACOM decision on the draft framework for international wholesale traffic carrier services (02.12.2025)

Approves the draft decision setting out the regulatory framework applicable to the international wholesale traffic carrier services, clarifying its qualification under the Portuguese Electronic Communications Law and the criteria for determining when such services fall within the scope of the regulatory framework.

The draft decision was submitted to a 30-day public consultation, which closed on 19 January 2026.

For more information on this subject, please refer to our newsletter of 17 December 2025.

See pdf

The Portuguese Government has approved the National Artificial Intelligence “AI” Agenda[1] (Agenda Nacional de Inteligência Artificial, “National AI Agenda”), together with its governance model and the corresponding Action Plan for the period 2026–2030 (Plano de Ação da Agenda Nacional de Inteligência Artificial).

The National AI Agenda projects that AI will generate GDP gains of €18–22 billion over the decade and an annual productivity increase of up to 2.7 percentage points, addressing Portugal's structural gaps relative to EU averages. Portugal's National AI Agenda aims to foster the development of an AI infrastructure, via the construction of data centres and supercomputing capacity, promotion of AI adoption, regulatory sandboxes, and talent development programmes. These measures promote innovation through R&D incentives, ethical AI deployment, and intellectual property regime reviews, while phased implementation from 2025–2030 ensures scalable benefits.

Background

Portugal has recognised the potential of AI for several years, most notably with the adoption of the AI Portugal 2030 Strategy in 2019. Since then, the rapid rise of generative AI, combined with the EU AI Act, has highlighted the need for a clearer and more comprehensive national approach to AI.

The National AI Agenda builds on a broad preparatory process, including public consultations, expert hearings, academic and industry engagement, and structured contributions from the entire Public Administration.

The agenda is grounded in Portugal’s structural advantages, including a strong network of universities and research centres, a dynamic startup ecosystem, access to competitively priced and largely renewable energy, advanced digital connectivity and international submarine cable infrastructure, and an increasing ability to attract international investment and highly qualified talent. These factors have made Portugal increasingly attractive for AI-enabling infrastructure, particularly hyperscale and high-performance data centres.

According to the projections cited in the resolution, widespread adoption of AI could add €18-22 billion to Portugal’s GDP over the next decade and increase annual productivity growth by up to 2.7 percentage points, addressing a long-standing structural productivity gap relative to the European average.

KEY CONTENT

The National AI Agenda is structured around four main pillars: infrastructure, innovation, skills and ethics.

• The infrastructure and data pillar focuses on ensuring the availability of sufficient computing power and high-quality data resources. Key measures include the expansion of national supercomputing capacity, the implementation of a National Data Centres Plan with simplified licensing procedures, and the creation of shared data spaces for priority sectors such as health, industry, education, and public administration.
• The innovation and adoption pillar aims to translate AI into a practical driver of economic activity. It provides for funding of research and applied projects, the creation of sectoral AI centres, support for corporate AI research and development, and incentives to encourage the adoption of AI solutions by companies and public bodies.
• The talent and skills pillar addresses the shortage of specialised professionals through training programmes, the expansion of advanced education and industry-linked doctoral paths, and measures designed to attract and retain international AI talent.
• The responsibility and ethics pillar ensures that AI is developed and deployed in a safe, lawful, and trustworthy manner. It includes the national implementation of the EU AI Act, the use of regulatory sandboxes for controlled testing, and the provision of guidance and tools to support risk management and compliance.

ACTION PLAN

The National AI Agenda gives practical effect to the agenda through 32 initiatives involving public authorities, universities, research centres, and private companies.

These initiatives include the reinforcement of national supercomputing infrastructure and support for the establishment of a European AI gigafactory in Portugal. The plan also provides for the rollout of focused data spaces and the opening of funding calls for both fundamental and applied AI research projects.

Further measures include the creation of sector specific AI centres, targeted programmes to encourage AI adoption by small and medium-sized enterprises, and the continuation and expansion of the AMALIA Portuguese-language AI model.

The Agenda foresees a review of the intellectual property regime applicable to AI, including patentability criteria and the regulatory framework, expected in the first half of 2026, with the aim of providing clearer standards for research institutions and companies.

In addition, an AI Centre of Excellence will be established within public administration to strengthen governance and support the effective deployment of AI solutions.

Total planned investment exceeds €400 million through 2030, largely financed by EU funds.

IMPLEMENTATION TIMELINE

Implementation follows a phased approach. Preparatory measures began in the second half of 2025 and include the deployment and expansion of supercomputing capacity, the finalisation of the National Data Centres Plan, and early support mechanisms for AI adoption by small and medium-sized enterprises.

The main rollout, however, will take place in the current year, with the rollout of sector-specific data spaces, AI training programmes, public-sector AI governance structures, funding calls for research and applied projects, and operationally ready for service of AI centres.

From 2027 onwards, the focus shifts to scaling, consolidation, and continuous monitoring, with implementation extending through 2030.

Final remarks

The agenda is expected to have its greatest impact on technology companies, AI developers, startups, and data centre operators, which stand to benefit from infrastructure support, funding opportunities, and increased regulatory protection and clarity.

Corporations adopting AI at scale, particularly in the health, manufacturing, industry, and services sectors, will gain access to specialised centres and applied research support.

See pdf

The second half of 2025 saw the adoption of a number of legislative and regulatory measures in Portugal. Among the most relevant was the abolition of the clawback mechanism. Introduced in 2013, the clawback consisted of a financial compensation charged to electricity producers, intended to offset perceived distortions in the Iberian electricity market resulting from differences between Portuguese and Spanish taxation, and which has been widely contested by market players. Its repeal, effective as from the 2025 financial year, puts an end to a long-standing charge on producers and represents an important step towards improved investment conditions in the Portuguese renewable market.

Alongside the end of this long-standing mechanism, national lawmakers and regulators adopted several measures of relevance to renewable energy projects, including the launch of new licensing and competitive procedures for biomass power plants, important clarifications on the environmental and licensing framework applicable to energy storage projects, the approval of a new legal and regulatory framework for electric mobility, as well as initiatives addressing grid capacity constraints, energy efficiency and the mitigation of energy poverty.

Set out below is an overview of the main legislative and regulatory developments adopted in Portugal between July and December 2025 that are of particular relevance to the renewable energy sector.

1. National Legislation

Order No. 8030/2025 (14.07.2025)

Establishes rules, amounts and model for the security deposit to be provided by producers when reserving injection capacity into the national gas grid.

Decree-Law No. 93/2025 (14.08.2025)

Establishes the legal framework for electric mobility, applicable to the organization, access to and exercise of activities related to electric mobility.

For more information on this subject, please refer to our newsletter of 26 August 2025.

Order No. 71/SEAEn/2025 (30.09.2025)

Extends by 12 months the deadlines for (i) projects holding production licenses issued under Decree-Law No. 15/2022, as well as to certificates for generation units of up to 1 MW capacity.

For more information on this subject, please refer to our newsletter of 10 October 2025.

Ordinance No. 323/2025/1 (03.10.2025)

Sets the amounts of the fees payable in connection with the prior administrative control procedures applicable to the activity of electricity and mechanical energy generation and the production of useful heat in cogeneration.

Resolution No. 156/2025 (09.10.2025)

Establishes the governance model for the implementation of the National Energy and Climate Plan 2030, as well as the governmental framework for the monitoring and implementation of the Climate Framework Law.

Ordinance No. 358/2025/1 (13.10.2025)

Establishes the procedural requirements for applications for production and operation licenses of biomass power plants.

For more information on this subject, please refer to our newsletter of 23 October 2025.

Order No. 12554/2025 (27.10.2025)

Sets the final compensation to be applied for the year 2024 per unit of energy injected into the public electricity grid, under the clawback mechanism.

Decree-Law No. 120/2025 (14.11.2025)

Amends Decree-Law No. 80/2023, of 6 September which establishes the exceptional procedure for the allocation of grid connection capacity to electricity consumption installations in high-demand areas.

Ordinance No. 425/2025/1 (27.11.2025)

Establishes the terms of the competitive procedure for the allocation of injection capacity reservation rights in the public service electricity grid for new biomass power plants.

Ordinance No. 442-A/2025/1 (12.12.2025)

Provides for the launch of a financial instrument to support energy efficiency measures in the residential sector, contributing to the reduction of energy poverty in Portugal, under the Recovery and Resilience Plan.

Decree-Law No. 139-B/2025 (30.12.2025)

Abolishes the clawback mechanism established by Decree-Law No. 74/2013 of 4 June and repeals the relevant regulatory framework as from the 2025 financial year.

Ordinance No. 481/2025/1 (31.12.2025)

Establishes a support scheme for investments in equipment and infrastructure in the areas of energy efficiency, energy production and energy storage for the agricultural sector.

2. DGEG rulings

Joint Order No. 1 by DGEG and APA (30.07.2025)

Amends the rules established by the Joint Order of 14 July 2023 governing the Environmental Impact Assessment and Capacity Reservation Title procedures, by providing that network operators may issue the declaration of injection capacity in the Public Service Electricity Grid for applications to Environmental Impact Assessment for standalone storage project

For more information on this subject, please refer to our newsletter of 5 August 2025.

Joint Order No. 2 (31.07.2025)

Addresses and clarifies the procedures for the licensing and environmental assessment of electrical energy storage facilities, determining the situations in which storage projects are not subject to Environmental Impact Assessment nor to a case-by-case analysis.

For more information on this subject, please refer to our newsletter of 5 August.

Clarification Notice No. 5/DG/2025 (29.09.2025)

Clarifies Joint Order No. 2., by providing that the inclusion of a storage installation within a renewable power plant previously deemed exempt from Environmental Impact Assessment or from case-by-case analysis is likewise exempt, provided that it is located within the same project area as originally licensed.

Order No. 1265/2025 (28.10.2025)

Establishes the technical standards to be observed in the installation and operation of closed distribution networks.

Notice No. 28099/2025/2 (12.11.2025)

Call for applications to the Modernisation Fund – Private Sector.

For more information on this subject, please refer to our newsletter of 27 November 2025.

Rectification Notice No. 1101/2025/2 (02.12.2025)

Rectifies Notice No. 28099/2025/2 and extends the deadline for the submission of applications until 15 December 2025.

3. ERSE rulings

Directive No. 8/2025 (30.07.2025)

Approves the network access tariffs applicable to facilities holding electro-intensive customer status.

For more information on this subject, please refer to our newsletter of 29 July 2025.

Regulation No. 987/2025 (13.08.2025)

Approves the Guide on Measurement, Meter Reading and Data Provisioning for the Electricity Sector.

Directive No. 9/2025 (11.09.2025)

Approves the Procedures Manual for the Global System Management of the Electrical Sector.

Directive No. 10/2025 (24.10.2025)

Approves exceptional rules governing the settlement of the electricity market for 28 and 29 April 2025.

Regulation No. 1218/2025 (07.11.2025)

Approves the Tariff Regulation for the electricity sector.

Directive No. 11/2025 (18.11.2025)

Approves the Manual of Procedures for the Activity of Registration and Bilateral Contracting of Electricity, which rules the operation of the OMIP platform for energy bilateral contracting.

For more information about the OMIP platform, please refer to our newsletter of 20 November 2025 and to our paper of 25 June 2025.

Regulation No. 3/2025 (22.12.2025)

Approves the new Electric Mobility Regulation.

Directive No. 12/2025 (29.12.2025)

Approves the tariffs of the Electric Mobility Network Managing Entity for 2026.

Directive No. 12-A/2025 (30.12.2025)

Approves the allocation of funding for the costs of the social tariff for the year 2026, together with adjustments relating to the years 2024 and 2025.

4. Public consultations

Public Consultation on Renewable Energy Targets (25.09.2025)

Partial transposition of Directive (EU) 2023/2413 of the European Parliament and of the Council of 18 October 2023 (RED III Directive), which updates the national targets for the incorporation of renewable energy up to 2030.

The public consultation closed on 25 October 2025, but report and documents not yet available.

For more information on this subject, please refer to our newsletter of 29 September 2025.

Public Consultation on amendments to the National Electricity System Law (03.10.2025)

Partial transposition of Directive (EU) 2023/2413 of the European Parliament and of the Council of 18 October 2023 (RED III Directive), that  introduces amendments to the National Electricity System framework enacted by Decree-Law No. 15/2022, of 14 January.

The public consultation closed on 23 October 2025, but report and documents not yet available.

For more information on this subject, please refer to our newsletter of 20 October 2025.

See pdf

Ministerial Order No. 15/2026/1 established an exceptional procedure for capacity allocation in the Portuguese electricity grid (RESP - Rede Elétrica de Serviço Público) in high-demand areas (“Ministerial Order”). It addresses an urgent infrastructural bottleneck by combining administrative recovery mechanisms with market-based allocation tools, seeking to balance economic growth (namely billion-dollar investments in data centers) with security supply and public interest priorities.

The key points covered are:

• Definition of the scope and timeline of the exceptional procedure;
• Regulation of the security deposit;
• Monitoring compliance with the allocated capacity schedule; and
• Definition of auction lots for the allocation of available capacity.

Background

Portugal has become an attractive destination for hyperscale data centres due to its abundant renewable energy resources, strategic transatlantic connectivity, favourable climate, and investment incentives. However, connection requests have far exceed the available grid capacity in key regions (Lisbon, the Tagus Valley, Sines), with pending data centres requests surpassing Portugal’s historical peak demand. This situation has exposed structural weaknesses in the "first come, first served" allocation model, namely:

• Reservation of unused capacity by delayed or abandoned projects;
• Speculative requests lacking firm investment commitment; and
• Lack of prioritization for projects of public interest.

The exceptional procedure for the allocation of connection capacity to the Public Electricity Grid is based on the prior recognition of “zones of high demand”, as set out in Decree-Law No. 80/2023 and as subsequently  amended by Decree-Law No. 120/2025. A zone is recognised as being of high demand where, within a given area, two or more requests for the connection of new electricity consumption installations cannot be met within the required timeframes, even taking into account the planned grid investments.

In such cases, the grid operator prepares a technical report, subject to an opinion from the Energy Services Regulatory Authority (ERSE), and submits a proposal to the Government for the recognition of the zone of high demand. This recognition triggers the opening of the exceptional procedure and suspends, until its closure, the allocation of new capacity to affected customers outside that regime.

The procedure unfolds through successive phases, which may or may not be triggered depending on the available capacity, namely:

• Expression of interest and provision of a security deposit;
• Identification and recovery of unused capacity;
• Alignment of project timelines with grid reinforcement schedules; and
• Auction for the allocation of available capacity where the supply resulting from grid reinforcements and recovered capacity remains insufficient.

Main features

The new Ministerial Order establishes new rules for the new exceptional procedure, namely:

• Power thresholds for medium - and high-voltage access requests that fall outside the exceptional regime established by Decree-Law No. 80/2023;
• The formula for calculating the financial guarantee required under the exceptional procedure,
• applicable deadlines, and
• Matters such as the public consultation process, compliance with the allocated capacity timetable and the definition of auction lots for capacity allocation.

Power thresholds and scope of the exceptional procedure

The following medium and high-voltage grid access applications are excluded from the scope of the exceptional procedure applicable to high-demand areas, as provided for in Decree-Law No. 80/2023:

• Applications for a power equal to or less than 50 MVA, where intended for (i) the provision of essential public services; (ii) predominantly residential projects, including subdivision developments and urbanisation works; (iii) the operation of charging points for electric vehicles and vessels.
• Applications for a power equal to or less than 20 MVA in all other cases.

These applications are not subject to the suspension of capacity allocation associated with the exceptional procedure and therefore remain ruled by the general grid access regime, under which connection capacity may be allocated to them, subject to and to the extent of available capacity.

To check these thresholds, the values are calculated per high-demand area, taking into account the total power requested by entities under the same ownership or corporate group.

Deadlines

The Ministerial Order establishes the deadlines for all stages of the exceptional procedure, from the public consultation, which must last 20 business days, to the issuance of grid connection capacity titles. While intended to ensure procedural efficiency, these deadlines may be extended once, for an equivalent period, in cases of duly justified complexity.

Public consultation

The public consultation for expressions of interest in the allocation of grid connection capacity is promoted by the grid operator responsible for conducting the exceptional procedure and is published by the Portuguese Energy Ministerial Department (DGEG - Direção-Geral de Energia e Geologia) in the Official Gazette (Diário da República).

Calculation of the security deposit

Applicants seeking the allocation of grid connection capacity in high-demand areas are required to provide a financial deposit at the time of submitting their expression of interest. Under the exceptional procedure established by Decree-Law No. 80/2023, the calculation of this guarantee is based on capacity tiers, as follows:

• € 13,500 per MVA up to 20 MVA;
• € 20,250 per MVA between 20 and 60 MVA;
• € 30,375 per MVA between 60 and 120 MVA;
• € 35,437.5 per MVA between 120 and 240 MVA; and
• € 40,500 per MVA above 240 MVA.

These amounts are automatically updated on an annual basis, every January, in accordance with the consumer price index (excluding housing) applicable in mainland Portugal. The deposit is refunded upon connection of the facility to the public grid.

Compliance with the allocated capacity schedule

To ensure the effective use of allocated grid connection capacity, the Ministerial Order establishes monitoring criteria to verify compliance with the timetable associated with the exceptional procedure. Compliance is assessed on a phase-by-phase basis, by reference to the maximum recorded power drawn from the public grid during the 12 months following the start of each phase. Such power must be equal to or greater than 50% of the cumulative capacity scheduled for that phase and must not exceed the cumulative capacity allocated to that phase or, where already initiated, to the subsequent phase.

Grid operators are responsible for monitoring compliance with these criteria, and non-compliant facilities must be required to comply, with the non-compliance being reported to the Directorate-General for Energy and Geology (DGEG) for monitoring purposes and potential further action.

Auctions

The Ministerial Order also rules the organization of potential auctions for the allocation of available capacity, establishing that the auctions lots must comply with principles of transparency, fairness, competition, and non-discrimination.

Entry into force

The Ministerial Order entered into force on January 10, 2026, except for the security deposit scheme, which will only enter into force on January 1, 2027.

Promoters of large projects in high-demand areas must now prepare for increased scrutiny, financial commitments, and potential competitive processes.

See pdf

Portugal has finally ensured the application of Regulation (EU) 2023/1114 on markets in crypto-assets (“MiCA Regulation”) through Law No. 69/2025, which establishes the framework for supervision and cooperation between national authorities.

This law allocates responsibilities between the Bank of Portugal and the Portuguese Securities Market Commission (Comissão de Mercado de Valores Mobiliários - “CMVM”), regulates authorisation and notification procedures, and sets out specific duties for crypto-asset service providers.

1. Competent authorities in the Portuguese crypto-asset market

The MiCA Regulation entered into force on 30 December 2024 but created a transitional period of 18 months, during which entities authorised under previous legislation could continue their activities. However, new operators needed authorisation from the competent national authority of each Member State.

Until now, Portugal had not designated a national authority to approve authorisation requests for crypto-asset services.

Law No. 69/2025 has addressed this issue by appointing the Bank of Portugal and the CMVM as the competent supervisory authorities in Portugal.

The supervision responsibilities were split as follows:

• Bank of Portugal:

- Authorisation of crypto-asset service providers;

- Acquisition of stakes in crypto service providers;

- Identification of significant crypto-asset service providers;

- Matters related to asset-referenced tokens and electronic money tokens; e

- Prudential requirements, governance arrangements of crypto-asset service providers, as well as outsourcing and orderly wind-down of crypto-asset service providers.

• CMVM:

–      Prevention and prohibition of market abuse related to crypto-asset;

–      Supervision of public offerings and admission to trading of crypto-asset other than Asset-Referenced Tokens and Electronic Money Tokens;

–      Supervision of compliance with obligations applicable to all crypto-asset service providers; e

–      Supervision of compliance with obligations related to specific crypto-asset services.

2. Authorisation and notification procedures

In what concerns authorisations and notifications, the law establishes a coordinated procedure between the two authorities:

• The Bank of Portugal must inform the CMVM within two business days of any notifications or authorisation requests it receives;
• The CMVM has (i) 10 business days to issue an opinion on the completeness of the notification or authorisation request and (ii) 15 business days to issue an opinion on the granting or refusal of the authorisation, after receiving confirmation from the Bank of Portugal that the request is complete.

The new law also requires the Bank of Portugal and the CMVM to publish and maintain an up-to-date list of entities authorised or licensed to provide crypto-asset services in Portugal, specifying the services for which they are authorised.

3. New duties applicable to service providers

The law imposes a set of organisational duties on crypto-asset service providers.

These providers are now required to ensure that employees giving advice have adequate knowledge and skills, and for this purpose must:

• Define the employees’ responsibilities;
• Annually assess the adequacy of their knowledge and skills; and
• Submit documentation to the CMVM upon request.

In addition to these obligations, the legislator appears to intend to extend the requirement to make available a complaints book, as established in Decree-Law No. 156/2005, to crypto-asset service providers, although the wording of the law is not entirely clear.

4. Transicional rules

The law establishes transitional rules for crypto-asset service providers.

Entities already registered with the Bank of Portugal, with their activity started and properly notified, may continue their operations until 1 July 2026 or until authorisation is granted or refused under Article 63 of the MiCA Regulation, whichever occurs first.

On the other hand, with the entry into force of the new law, the following registrations will expire:

• Registration and/or modification requests that were pending under the previous law as of 30 December 2024; and
• The registration of entities that, although already registered by 30 December 2024, had not yet started their activity and properly notified it.

5. Conclusions

Law No. 69/2025 fills a gap in the Portuguese legal system by establishing a clear and operational framework for the application of European rules governing crypto-assets in Portugal, thereby resolving many of the uncertainties that had previously prevented new players from entering the market.

Crypto-asset service providers, as well as entities intending to offer such services in Portugal, must now ensure compliance with the obligations established under this law.

See pdf

Summary

The final version of the 2026 State Budget (2026 SB) approved by the Parliament includes some changes when compared to the Government proposal presented in October 2025.

In addition to the measures included in the Government proposal – update of PIT brackets, reduction of the PIT rates applicable to the 2nd to 5th brackets, and extension of the wage enhancement incentive - the final version of the 2026 SB contemplates new rules on the deduction of teleworking expenses.

State Budget – Tax Measures

Law No. 73-A/2025 approved the State Budget for 2026 (2026 SB). The final version of the 2026 SB includes some additional changes beyond those included in the initial version.

This newsletter summarizes the main tax changes foreseen in the 2026 SB.

Personal Income Tax

Regarding Personal Income Tax (PIT), the proposed changes are as follows:

• PIT brackets update. The PIT brackets will be updated by 3,5%.

• Reduction of PIT rates. Reduction of the PIT rates for the 2nd to the 5th brackets, according to the following table:

• Minimum subsistence amount. The reference value for the minimum subsistence will be increased from €12.180 to €12.880.
• Negative scope of incidence*. The compensations and allowances paid to firefighters for voluntary activity will not be subject to income tax (PIT), up to an annual limit of six times the social support index (€3,222.78) per firefighter.
• Special rates*. The compensations and allowances paid to firefighters for their activity are no longer considered tips for PIT purposes and, therefore, are no longer subject to special rates (up to an annual limit of three times the social support index, i.e., €1,611.39 per firefighter).
• Deductions for high-wear professions*. Expenses for health insurance, personal accident insurance, and life insurance that include coverage for sports injuries and retirement supplements can now be deducted for PIT purposes, provided they relate to individuals in high-wear professions.
• Deduction of VAT*. The deduction of part of the VAT paid on certain expenses will be extended to the purchase of books from specialized stores, tickets for cultural performances (theatre, music, dance, and other artistic activities), visits to museums, historical sites and monuments, as well as expenses for borrowing books and other materials from libraries and archives.

Corporate Income Tax

In relation to the Corporate Income Tax (CIT), the 2026 State Budget includes the following changes:

• Autonomous taxation. Expansion of the list of vehicles eligible for reduced autonomous taxation rates. In addition to plug-in hybrid vehicles with a minimum electric range of 50 km and emissions below 50 gCO?/km, vehicles approved under the “Euro 6e-bis” emissions standard — which allows emissions up to 80 gCO?/km — will also be included.
• Social utility expenditures*. Compensation paid to employees for additional teleworking expenses is now recognised as a tax-deductible expense of the company, up to 15% of personnel costs. Furthermore, these expenses are eligible for a 10% additional relief when calculating taxable profit. Additional teleworking expenses include costs related to IT or telecommunications equipment and systems necessary for work, provided the employees did not already have them prior to the teleworking agreement.

It should be noted that the announced reduction of the CIT rate from 20% to 19% in 2026 was approved by Law No. 64/2025.

Value Added Tax

Regarding Value Added Tax (VAT), the following measures have been approved:

• Exemptions on operations related to suspensive regimes*. VAT exemption now covers not only the sale of tricycles, wheelchairs, and passenger cars for the personal use of people with disabilities, but also sales made to non-profit entities such as associations, sports federations, IPSS, cooperatives, and associations of and for people with disabilities.
• Reduced VAT rate. Application of the reduced VAT rate to:
  • Services related to the processing of olives into olive oil;
  • On the transfer of edible meat and offal, fresh or frozen, from game species of large or small game*; and
  • On the transfer of art objects carried out by registered resellers, in addition to transfers made by the author, heirs, or legatees*.
• Extension of VAT exemption approved by Law No. 10-A/2022*. The exemption on the sale of goods used in agricultural activity, such as fertilizers, seeds, cereals, animal feed, and glass bottles, as well as pet food when supplied to legally established animal protection associations, is extended until 31 December 2026.
• Extension of the extraordinary support scheme for agricultural production costs*. This scheme is extended until 31 December 2026.

Real Estate Transfer Tax

Regarding the Real Estate Transfer Tax (RETT), the 2026 State Budget includes the following change:

• Tax brackets adjustments. Update of RETT brackets by 2%.

Tax Benefits

The 2026 State Budget includes the following amendments to the Tax Benefits Statute:

• Incentive for wage increases: Maintenance in 2026 of the exemption from PIT and social security contributions, up to 6% of the annual base salary, on productivity bonuses, performance bonuses, profit-sharing, and balance-sheet gratifications that are irregular in nature. Reduction of the minimum required salary increase from 4.7% to 4.6% for companies to benefit from the 200% relief in relation to the expenses related to salary raises for employees with permanent contracts.
• Incentive for consolidation of rural properties: Extension of tax incentives for the consolidation of rural properties (exemption from RETT and stamp duty on the transfers of rural properties required for the consolidation).
• Other benefits: Extension of several tax benefits until 31 December 2026, namely:
  • Deductions under social impact bond partnerships;
  • External loans and rental of imported equipment;
  • Financial services from public entities;
  • Swaps and loans from non-resident financial institutions;
  • Deposits from non-resident credit institutions;
  • Repo operations with non-resident financial institutions;
  • Management entities of designations of origin and geographical indications;
  • Entities managing integrated systems for specific waste flow management;
  • Sports, cultural, and recreational associations;
  • Associations and confederations;
  • Tax incentives for forestry activities;
  • Forest management entities and forest management units;
  • Deduction for the determination of taxable profit for companies;
  • Deductions from individual income tax;
  • Value Added Tax (VAT) – transfers of goods and services provided free of charge.

Special Contributions

The 2026 State Budget includes the following measures:

• Special contributions. Continuation of the main extraordinary special contributions, namely:
  • Contribution to the audiovisual sector;
  • Contribution in the banking sector;
  • Contribution in the pharmaceutical industry;
  • Extraordinary contribution by suppliers to the medical devices industry of the National Health Service; and
  • Extraordinary contribution in the energy sector (CESE).
• Solidarity surcharge in the banking sector. Repeal of the solidarity surcharge on the banking sector, following its declaration of unconstitutionality by the Constitutional Court.
• Contribution to the audiovisual sector. No adjustment of the contribution to the audiovisual sector in 2026.
• Extraordinary Contribution in the energy sector. Companies operating in transportation, distribution, or underground storage of natural gas will no longer be subject to this contribution, in accordance with the unconstitutionality rulings by the Constitutional Court. Assets dedicated to the operation of electricity transmission and distribution networks, acquired from 1 January 2026, in new condition, constructed, or expanded will be excluded from the CESE tax base.

Acessory Obligations

Finally, the 2026 State Budget also includes the following measures:

• Inventory. Taxpayers will be exempt from the obligation to value inventories when fulfilling the reporting requirement under Article 3.º-A of Decree-Law No. 198/2012:
  • For the taxable period starting on or after January 1, 2025; and
  • For taxpayers not required to maintain a permanent inventory, for the taxable period starting on or after January 1, 2026.
• SAF-T. Submission of the SAF-T (PT) accounting file, as defined by Ordinance No. 31/2019, will apply to the 2027 and subsequent periods, to be submitted in 2028 or later periods.
• Invoices. Until December 31, 2026, invoices in PDF format will be accepted and electronic invoices for all purposes established in tax legislation.

*Changes introduced during the discussion of 2026 SB at the Parliament.

See pdf

ANACOM has opened a public consultation, following its decision of 2 December 2025, on the draft decision qualifying the wholesale international traffic transport service and its subjection to the Electronic Communications Law in Portugal. The consultation will remain open until 19 January 2026.

Purpose and scope of the draft decision

The draft sets out ANACOM’s interpretation of the statutory definitions of electronic communications networks and electronic communications services. These provisions establish the technical and functional criteria that determine the objective and subjective scope of the law and, consequently, the extent of ANACOM’s regulatory powers.

To address questions raised in administrative and judicial proceedings, the draft describes the wholesale international traffic transport service, examines its qualification under these statutory definitions, and identifies the criteria for determining when its provision falls within the scope of the Electronic Communications Law.

Submission of Contributions

Interested parties may submit their contributions in writing and in Portuguese to enquadramento.carriers@anacom.pt until 19 January 2026, with a maximum size of 20 MiB. A non-confidential version must be submitted simultaneously for publication.
Once the consultation closes, ANACOM will publish the final decision, the contributions received, and a report summarising those contributions together with the Authority’s position on them.

See pdf

The new Cybersecurity Law transposes the NIS 2 Directive to the Portuguese internal law and significantly expands the range of entities subject to cybersecurity obligations. It introduces stronger responsibilities for management bodies, more detailed and harmonised risk management obligations, and new rules on identification, reporting and oversight. It also creates separate supervisory models for Essential Entities and Important Entities, replacing the previous NIS 1 structure, and establishes a significantly stricter sanctioning regime. The new Cybersecurity Law becomes effective on April 4, 2026, and its practical implementation will depend on further technical instructions from the CNCS and sectoral authorities.

A NEW LEGAL FRAMEWORK

The new Cybersecurity Law marks a significant evolution from the previous NIS 1 regime, which imposed less detailed duties and applied to a more limited group of entities. The scope is now substantially broadened to include sectors and subsectors that were not covered under NIS 1. It strengthens the obligations of public and private entities that perform essential or important functions for the economy and society.

Scope and Covered Entities

By contrast with the previous NIS 1 regime applied, only to specific public bodies within narrowly defined critical sectors, the new Cybersecurity Law divides covered entities into three categories:

1. Essential Entities, comprising entities from critical sectors that exceed the thresholds for medium-sized enterprises, medium-sized electronic communications providers, qualified trust service providers, TLD registries and DNS providers. The classification also depends on the entity’s level of exposure to risk and its potential impact;
2. Important Entities, which are entities operating in the same critical sectors that do not meet the criteria for Essential Entities; and
3. Relevant Public Entities, covering public bodies not included in the first two categories and distributed across Groups A and B depending on their size.

But, as under NIS 1, public entities operating in the fields of national security, public security, defence and intelligence services, are excluded.

New Obligations for Companies

Covered entities must register on the CNCS (National Centre for Cybersecurity) electronic platform within 30 days of starting their activity or, for existing entities, within 60 days of the platform becoming available.

The new Cybersecurity Law assigns direct responsibility for cybersecurity risk management to management bodies, whereas the previous regime imposed less explicit and less enforceable duties. Failure to ensure adequate oversight may lead to liability and sanctions for directors.

Management bodies of Essential Entities and of Important Entities now have reinforced obligations to approve and monitor cybersecurity measures, including ensuring regular training.

Risk Management Obligations

Essential Entities and Important Entities must implement technical and organisational measures proportional to their risk exposure and adopt a risk management system covering all assets and systems necessary for service continuity. Such measures must follow CNCS guidelines and risk matrices and reflect relevant technological developments.

For this purpose, the new Cybersecurity Law:

• sets minimum security requirements, including risk management policies, business continuity measures, access controls and multifactor authentication;
• requires the assessment and documentation of residual risk and the prompt adoption of corrective measures;
• imposes upon each entity the obligations to prepare an annual report, to appoint a cybersecurity officer and to maintain a permanent contact point with continuous availability.

The new Cybersecurity Law establishes a national cybersecurity certification system for ICT products and services, allowing entities to demonstrate compliance and streamline conformity processes.

Incident Notification

The new Cybersecurity Law sets shorter deadlines for reporting significant incidents and security breaches. Entities must submit an initial notification within 24 hours, an update within 72 hours and a final report within 30 business days after the impact ends. Under NIS 1, notifications had to be made “without undue delay”, with no fixed deadlines, giving competent authorities considerable discretion.

Role of the National Cybersecurity Centre (CNCS)

The CNCS continues to act as the national coordinator for cybersecurity but now assumes additional supervisory, auditing, inspection and technical guidance functions, substantially expanding the role foreseen under NIS 1.

Supervisory intensity varies according to whether an entity is classified as essential or important. Essential Entities are subject to continuous supervision, including audits, inspections and testing, whereas Important Entities are generally subject to reactive supervision, primarily after incidents or indications of non-compliance.

Significantly higher penalties for serious or very serious infringements will be in place, setting limits of up to €10 million or 2 percent of turnover for Essential Entities and up to €7 million or 1.4 percent for Important Entities.

Entry into Force and Transitional Period

The new Cybersecurity Law enters into force 120 days after publication, which occurred on December 4, 2025. The CNCS and sectoral authorities are currently preparing technical instructions and complementary rules that will operationalise the new obligations.

See pdf

Introduction

As more businesses now operate in multiple countries, the standardisation of contract templates is increasingly important to facilitate legal operations and manage legal risks.

Most international businesses have contract standardisation projects, but these efforts are generally based on a single law's conceptual framework. Only few companies have adopted coherent and integrated global templates that can be adapted to multiple jurisdiction with little effort. The prevailing approach remains American-centric, reflecting the United States standing as the largest economy in the world. This approach persists in many in-house legal departments, even in non-US global companies. The US-centric model is the prototype of a "one-size-fits-all" approach, where local contracts must conform with standards based in the common law and in US culture overlooking important differences of local laws.

In this article, we propose a method for creating global templates that address universal legal issues while recognising the need for adaptation. The proposed method assumes that by identifying the points of convergence and divergence, legal drafters can develop clauses to be applied globally and others that allow for adaptation to meet the requirements of specific jurisdictions. This top-down approach reduces the need for adaptation, improves standards and more easily ensures compliance with local laws and cultures.

BACKGROUND

As business relations developed and expanded over the last 100 years or more, the world has evolved from businesses based and centred in their home countries to multinational businesses with a worldwide reach.

Before 1950, businesses operated mostly in a single country with exports being mere extensions of their local business. After World War II, large multinational businesses emerged, whose international business might at times exceed its domestic markets. More recently, we are seeing businesses whose international components not only exceed the value of their domestic business but are intrinsically global.

The approach to legal and contractual issues followed along the same lines. In a first moment, international companies would conform to the practices of the countries where they had a presence, with only some oversight from general counsels based in the US or elsewhere.

In the first half of the twentieth century, changes occurred in the contractual landscape with attempts by the International Chamber of Commerce (ICC) to standardise legal terms of international commerce. The ICCs Incoterms established in 1936 are one of the most successful set of international contract terms and essential to international trade.

The ICC also created various model contracts and clauses, that include models for joint venture, distribution and franchising agreements, among many others.

The International Trade Centre (ITC), a joint agency of the World Trade Organisation (WTO) and the United Nations (UN), created a series of model contracts directed primarily to small and medium-sized enterprises, which include a corporate joint venture agreement, a commercial sale of goods agreement, a manufacturing agreement and a distribution of goods agreement.

The ICC and the ITC models are offered in many languages and represent an effort to bridge the gap between civil law and common law systems. They are now widely used but did not achieve the same success as the Incoterms, which are prevalent in international trade. International standardisation did not follow the same pace as globalisation and a significant gap exists between successful common law examples, like the ISDA Master Agreement, and the less successful approach of international organisations.

No serious attempt has been made to truly globalise contracts. Most US-based large multinational companies remain closely tied to their home country's laws and bring with them highly detailed common law precedents. In contrast, civil law contract tradition relies on legislation to fill the gaps in contracts. As European businesses expand, their legal departments tend to follow the same US-centric approach and to adopt the same common law precedents, which now dominate international markets.

THE CHALLENGES OF IN-HOUSE COUNSEL

The starting point

The first step for in-house counsel wishing to establish template business agreements and legal documents is to determine the starting point. Should they use the same model agreement used in domestic transactions? Should they use international models, like the ICC or ITC contracts? Or should they prepare new templates from scratch?

In most cases, the starting point will be a combination of the company’s original home template or another internationally recognised model with some adaptations based on the in-house counsel's or their advisers' experience in international contracts.

Rarely, this effort is made by taking a holistic approach to the problem and laying out a plan of action for building models that can be easily adapted to local laws. Often work starts from a common law precedent, which cannot be easily adapted to meet local law requirements. Local lawyers will tend to revert to their own home country models as the sole means of ensuring compliance with their respective laws, clinging to outdated practices that also hinder the creation of cohesive standards. Only the adoption of truly global templates, based on common principles, can facilitate the adaptation to both common law and civil law systems in a consistent manner.

Linguistic barriers

The second obstacle is the linguistic barrier faced in translation work in general.

Ortega y Gasset, the renowned Spanish philosopher, argued in "Misery and Splendour of Translation" that translation was impossible because the nuances of languages and the meanings of words varied; their equivalents in different languages never meant exactly the same thing, as they evoked different realities.

Italians have a saying, "traduttore, traditore" (literally "translator, traitor"), which captures the fundamental problem of translations: all translations somehow betray the original text's meaning.

In legal translations the problem is exponentiated. Many specific legal terms do not have equivalents in other languages because there are no matching legal concepts in those languages and legal systems. For instance, a common law "warranty" has a precise legal meaning that does not match the corresponding word in Portuguese, "garantia", Spanish, "garantía", or French "garantie", which also can be used to translate the English word "guarantee". Meaning can be altered in legal translations.

The problems in translation, as described by Ortega y Gassett and other authors, is also well documented in what regards legal translations in various academic studies.

Although machine translation facilitates the work of translators, it does not solve problems in translation that arise from the fundamental cultural and linguistic differences between languages.

In other cases, syntax and style vary making it harder to have word for word correspondences. This is important for legal texts because the closer the translation is to the original less is lost in the translation. Legal documents aim to be precise and unambiguous. Translation can strip away precision and create ambiguity.

Legal and cultural obstacles

On top of linguistic barriers, specific legal concepts and legal systems internal order vary. Some legal concepts may not exist in one jurisdiction, resulting in translations deviating from the intended purpose of the provision. For instance, the legal concept of "consequential damage" does not exist and should not be used in most civil law countries. "Force majeure", a concept originated in the French Civil Code, now has a different meaning in common law. The concept of "merchantability" of goods is not recognised in civil law countries.

The problem is not with finding the right word to express the concept, the problem lies in the lack of the concept, which makes it impossible to "transplant" it (more than translate it) to a different environment. The ideas behind "consequential damage", "force majeure", "merchantability", "warranty" can be understood, but to give the contract parties the same protection that is intended in a common law contract requires changes that will make the language of the two versions different and raise discrepancies in the text and in its interpretation.

Certain provisions used in common law contracts face strong objections in civil law countries, as is the case of limitation and exclusion of liability.

Cultural differences also account for different forms of drafting that will alter the form and substance of the original text.

Everchanging legislation

Last, in-house counsel will have to face the continuous evolution of laws, with new legislation and new court decisions impacting existing and future documents. Contracts need to be updated on a regular basis to keep up with these changes.

PROCESS FOR SETTING UP GLOBAL CONTRACT TEMPLATES

The objective of global templates is to create a standardised yet adaptable framework that can be translated into multiple languages and tailored to comply with local legal systems. The following is a steps plan for achieving that goal.

Step 1: Define the specific project goals

In-house counsel tasked with creating and deploying firm-approved templates must first define the scope of their task. Creating a single contract differs from drafting a set of documents covering all aspects of a company’s international business.

If the task includes a wide range of matters, such as preparing a model employment agreement, a distribution agreement, a manufacturing agreement, a procurement agreement, and a sales agreement, the resources required will be greater, but, regardless of scope of the assignment, it is advisable to design the process in a manner that ensures future scalability.

When defining the project goals in-house counsel (or its external team assigned with the project) should make a preliminary assessment of how regulated are the subject matters of the model contract or contracts that are to be templated in the jurisdictions where the company operates and how extensive is that regulation. This assessment will serve as a basis for designing the first contract template and reduce the risk of making a template that is biased towards the author's or the company's own country laws.

Step 2: Identify points of convergence and divergence in potentially applicable local laws

The second step is to identify universal clauses that can be used as models for global templates, such as the contract’s object, consideration, place and time of performance, basic elements of default, termination, dispute resolution, and governing law. These elements are generally present in contracts across legal systems.

It is also necessary to determine the level of regulatory pressure for each contract type and its various elements. For instance, employment agreements are generally highly regulated in most countries. Local laws regulate nearly all aspects of the contract, including time and place of work, days off, vacations, social benefits, and termination. Distribution and agency agreements may be subject to local laws, but the parties have greater freedom to stipulate their respective obligations, what constitutes a default, choice of law, and jurisdiction. Sales and services agreements are, in most instances, less regulated, and the parties have an even wider degree of freedom. Conversely, consumer agreements are highly regulated.

Likewise, several contracts may be subject to general or specific laws in the various countries where the contract is to be deployed. For instance, limitation and exclusion of liability provisions are subject to restrictions in many civil law countries. Non-compete and exclusivity clauses may trigger local or multinational competition rules (such as the Treaty on the Functioning of the European Union and derivative regulations or the Sherman Act in the United States).

Upon completion of this task, it will be possible to build a matrix mapping the points of convergence and the points of divergence resulting from legal and regulatory pressure for each contract type and identifying the specific elements affected by contract-specific laws (e.g., employment, distribution, consumer sales, business sales) and general legal restrictions on particular clauses (e.g., warranties, limitation of liability).

Step 3: Create modular building blocks that can be used in multiple jurisdictions

Based on the clause matrix, you can develop a library of modular clauses including not only boilerplate clauses (governing law, jurisdiction, severability, entire agreement, interpretation, etc) but also other contract terms that are expected to be universally accepted (scope of contract, price, non-compete, confidentiality, default, term and termination). These modular clauses loop are the building blocks of individual contracts. It is important to identify the origin of each provision (block) and note related key legal issues that arise in common law and civil law countries. These initial blocks can be based on the company’s home country’s template and in international models.

International contract models (e.g., ICC, ITC) can be used as a starting point because they incorporate inputs from various legal systems and aim to harmonise common law and civil law concepts.

When starting from in-house precedents compare them with international standards to identify local aspects of the in-house precedent, noting points that may need review.

To the extent possible, clause blocks should be written in neutral, non-idiomatic terminology and avoid culturally specific references to minimise difficulties in translation and adaptation. To ensure future adaptation include placeholder clauses and terms for local variations in the places where changes may be needed (e.g., [LOCAL LAW LIABILITY ADAPTED LANGUAGE], [LOCAL LAW WARRANTY LANGUAGE], [LOCAL LAW CARVEOUT], [REFERENCE TO LOCAL LAW SATUTE/REGULATION]).

Step 4: Write first set of draft global templates

The contract building blocks serve to prepare the first set of draft templates. It is advisable to start with less regulated contract types and move up to more regulated and consequently in need of more adaptations to local laws.

To avoid specific laws' biases in existing templates and precedents, designing the contract from scratch is the best option. For instance, employment contracts tend to adopt particular styles of writing, are highly contextual, and contain elements dependent on the specific laws that apply to them. Starting from a blank page will allow the drafting of a more neutral model, which can later be adapted to each local jurisdiction.

Step 5: Finalise first draft global template

To finalise the global template, it is necessary to incorporate the inputs from various jurisdictions. Local law inputs may impact the design of clauses that are intended for global use by limiting or expanding certain terms or by using expressions that are neutral without compromising the meaning and purpose of the provision. Global templates should have a modular structure, separating the clauses that are to apply globally from those that will be localised later.

Step 6: Translate and adapt templates

The final step will be to translate the global template into the relevant languages and identify and resolve translation problems that could result in ambiguities or discrepancies. Translations and adaptations to local laws should be considered in the final draft of the global template. This must be done carefully not to overcomplicate the process. It is not possible to go back and forth considering all the inputs from local lawyers, but it is possible to put issues into buckets by language and legal system, starting from separating civil law and common law countries, Latin origin languages (French, Portuguese, Spanish Italian etc), Germanic languages (English, German, Swedish etc.), etc. When venturing into the Middle East and Asia, the profound differences of local cultures and languages must be considered.

After completing the first set of translations and adaptations, it is useful to compare the various country templates, which will serve to identify problems and points of convergence, for instance, between various common law or civil law countries, and ensure that the final country templates have the fewest variations possible.

Certain clauses can then be customised on a multi-jurisdiction basis using the clause matrix. For example, limitation and exclusion of liability clauses can be adapted to comply with local laws by comparing variations across different jurisdiction to identify regional points of convergence across different jurisdictions. In Europe, EU legislation helps to harmonise contract terms among its member states; civil law countries and common law countries have many points of contact within their respective groups.

CONCLUSIONS

In a globalised world where businesses operate in multiple countries, it is necessary to have a process for developing and deploying global templates in multiple languages and jurisdictions. A "one-size-fits-all" approach based on a single jurisdiction precedents is fundamentally flawed.
The proposed process aims to deal with the complexity of building, translating and adapting global templates, by adopting a top-down approach that takes into account more than one local law and different linguistic and cultural aspects since the beginning of the drafting process; this allows for a swifter implementation, reduce the need for overspecialised local variations, align local contracts with the business' global vision and mitigate the risk of disputes.