Digital Services Act: Implementing Law published in Portugal

Law 12‑A/2026 was published in the official gazette Diário da República on 15 April 2026. It implements the Digital Services Act (“DSA”) in Portugal and establishes the country’s institutional framework for the DSA’s supervision, enforcement and penalty rules. The law came into force on 16 April 2026, the day after its publication.

The enactment of this law consolidates the national regulatory framework applicable to digital service providers in Portugal. It establishes the institutional mechanisms necessary for the effective supervision and enforcement of the Digital Services Act (DSA).

It applies to providers of intermediary services as defined by the DSA, including those offering mere conduit services, caching, web hosting and online platforms, as well as online search engines in certain cases.

In practice, the law’s most significant impact lies not in creating new compliance obligations, which have been in place since 2024, but in strengthening supervisory, investigative and penalty powers. It should be noted that the law: (i) designates the competent national authorities; (ii) defines their powers; (iii) establishes cooperation mechanisms; and (iv) sets out the rules for the application of penalties for non‑compliance with the DSA.

1. Competent Authorities and Digital Services Coordinator

Law 12‑A/2026 designates the National Communications Authority (ANACOM) as both the competent administrative authority and the Digital Services Coordinator in Portugal.

ANACOM acts as the single point of contact for the European Commission, the European Board for Digital Services, and the Digital Services Coordinators of other Member States.

In addition to ANACOM, Law 12‑A/2026 designates the following bodies as having specific powers:

• The Media Regulatory Authority (ERC) is responsible for supervising and enforcing the DSA provisions relating to the protection of minors (Article 14(3)), advertising (Articles 26(1) and 26(2)), and appropriate measures for protecting minors on online platforms (Article 28(1)).
• The National Data Protection Authority (CNPD) is responsible for supervising and enforcing the DSA’s provisions relating to the prohibition of advertising based on special categories of personal data (Article 26(3)) and advertising directed at minors based on personal data (Article 28(2)).

This division of powers requires digital service providers to adopt an integrated view of regulatory risks, given the possible intervention of different authorities depending on the matter in question.

The law strengthens the powers of the Digital Services Coordinator as set out in Article 51 of the DSA by conferring investigative and enforcement powers upon it, namely:

• Investigative powers include (i) requiring information from intermediary service providers and other relevant entities; (ii) requesting the competent judicial authority to carry out inspections of business premises; and (iii) requesting clarification on information relating to alleged infringements.
• Enforcement powers include (i) accepting commitments made by service providers; (ii) ordering the cessation of infringements; (iii) imposing fines and periodic penalty payments; (iv) applying for interim measures to prevent serious harm.
• Additional measures are applicable where the other powers are insufficient to bring an end to infringements causing serious harm. These measures include (i) requiring the submission of an action plan and (ii) requesting the competent judicial authority to temporarily restrict access to the online interface where the infringement occurs if a crime threatening the life or safety of individuals is involved.

Without prejudice to the provisions of national law, very large online platforms (VLOPs) and very large online search engines (VLOSEs) remain subject to direct supervision by the European Commission under the DSA. Nevertheless, national authorities may exercise concurrent powers in certain matters, so this Act remains relevant to those providers as well.

2. Cooperation and Advisory Board

The law also establishes a framework for cooperation between the competent administrative authorities and creates an Advisory Board within the structure of the Digital Services Coordinator.

The Advisory Board is composed of representatives from the scientific community, civil society (including consumer associations) and business associations, with proven experience or knowledge of digital services. Its remit includes, in particular, advising the authorities on important matters, issuing recommendations for the effective implementation of the DSA and alerting the Digital Services Coordinator to issues that warrant further analysis or investigation.

3. Penalties

One of the central aspects of this law is the provision of a system of penalties that classifies infringing conduct and defines the applicable fines, distinguishing them according to the type of intermediary service provider. The following are provided for, in particular:

a. Offences common to all providers of intermediary services

These include, where applicable, (i) the failure to designate a single point of contact for communication with service recipients; (ii) the failure to provide legal representatives; (iii) the failure to provide information to the authorities; (iv) the failure to publish transparency reports; and (v) the failure to cooperate with the authorities.

b. Specific infringements by web hosting service providers

These include, in particular, failure to act diligently to remove illegal content, a failure to provide notification mechanisms, the improper handling of notifications, and a failure to inform the authorities of crimes that threaten people’s lives or safety.

c. Specific infringements by online platforms

These include, in particular, failure to provide complaint‑handling systems, the breach of rules on trust flaggers, the failure to suspend services to users providing manifestly illegal content, the design of interfaces that mislead or manipulate users (dark patterns), and the breach of rules on advertising and recommendation systems.

d. Specific infringements by platforms facilitating distance contracts with traders

These include, in particular, failure to comply with obligations regarding the traceability of traders, failure to suspend services to traders who breach information obligations, and failure to inform consumers about illegal products or services.

The penalty rules establish significant fines, determined according to the seriousness of the infringement and the offender’s turnover, as follows:

• The maximum limits for less serious infringements are 1% of annual income for individuals or 1% of global annual turnover for legal entities.
• For more serious infringements, the maximum limits are 6% of annual income for individuals or 6% of worldwide annual turnover for legal entities. In cases of negligence or attempted infringement, these limits are halved.

In cases of negligence or attempted infringement, these limits are halved.

The Digital Services Coordinator may also impose periodic penalty payments of up to 5% of the intermediary service provider’s average daily worldwide turnover or income in the previous financial year, for each day of non‑compliance, up to a maximum of 30 days. The purpose of these payments is to ensure that infringements cease or guarantee compliance with measures determined during investigations.

4. Other important matters

The law also provides for the establishment of a communication platform to be managed by the Digital Services Coordinator. This will serve as a centralised channel for orders, communications, and the exchange of information between the relevant authorities and digital service providers.

Decisions made by the Digital Services Coordinator can be appealed to the Court of Competition, Regulation and Supervision, and the Lisbon Court of Appeal will make the final decision.

5. Conclusion

The publication of Law 12‑A/2026 is a significant milestone in the implementation of the Digital Services Act (DSA) in Portugal. It establishes the institutional framework necessary for the effective supervision and oversight of digital service providers.

The substantive obligations set out in the DSA have been in force since 25 August 2023 for very large online platforms and search engines (VLOPs/VLOSEs) and since 17 February 2024 for other intermediary service providers. However, companies operating in this sector should bear in mind that the entry into force of the national implementing law signals the beginning of an era of rigorous and enhanced enforcement of the DSA in Portugal.

Compliance with the DSA is more than just a legal obligation; it represents an opportunity to strengthen user confidence and demonstrate alignment with regulatory best practices in the European digital ecosystem.

Call to action: Digital service providers are advised to review their internal compliance and governance mechanisms, and to assess their regulatory risk in light of the enhanced investigative and enforcement powers now granted to national authorities.