Blockchain

Developers should consider applicable EU-level regulations – particularly the Markets in Crypto-assets Regulation (MiCA), which sets out detailed requirements for crypto-asset issuers and service providers – as well as national law. MiCA has been implemented in Portugal through Law no. 69/2025 of 22 December (“MiCA Implementing Law”), which designates the competent authorities, defines supervisory powers, establishes the sanctioning framework and provides transitional regimes for entities previously registered.

Developers should also consider consumer protection rules and data protection laws (notably the General Data Protection Regulation (GDPR) – and possibly e-commerce regulations.

Securities law is another area of focus: if tokens are issued with characteristics that would deem them to be classified as financial instruments, developers should be aware of the Securities Code and related EU directives and regulations (e.g., the Second Markets in Financial Instruments Directive – “MiFID II”). Moreover, the EU Distributed Ledger Technology (DLT) Pilot Regime, in effect from 23 March 2023, provides a legal framework for trading and settling crypto-assets that qualify as financial instruments, enabling new types of market infrastructure such as:

• DLT multilateral trading facilities;
• DLT settlement systems; and
• DLT trading and settlement systems.

Although currently no specific legislation in Portugal governs smart contracts, developers should consider how smart contract terms align with standard contractual principles under the Civil Code.

For public, permissionless blockchains, compliance with anti-money laundering (AML)/countering the financing of terrorism (CFT) and data protection are more challenging due to the anonymity or pseudonymity of users. Developers should consider privacy-by-design features that still allow for compliance tools, transaction monitoring and governance structures that – at least conceptually – support adherence to regulatory standards (e.g., zero-knowledge proofs).

For private, permissioned blockchains, compliance is more easily managed. Here, all participants are known and can undergo know-your-customer checks, enabling the enforcement of AML/CFT obligations and more straightforward data protection measures. Contractual arrangements among participants may allow for the allocation of responsibilities and liabilities, making it simpler to implement compliance and governance policies.

Users should consider whether the protocol or application complies with applicable financial, consumer protection and AML/CFT regulations. They must be aware that the European Securities and Markets Authority has identified key risks such as:

• fraud;
• cyberattacks;
• money laundering; and
• market manipulation.

From a practical standpoint, users should ensure that they protect their crypto-assets and understand that, while they can seek legal recourse through the civil and criminal courts if their rights or interests are harmed, the pseudonymous nature of blockchain may complicate enforcement. Users should:

• look for transparent disclosures, terms of service and consumer protection compliance; and
• be mindful that capital gains arising from investments crypto-assets and, in some scenarios, their transfer may trigger tax obligations.

The MiCA Implementing Law establishes a functional allocation of supervisory powers over crypto-asset service providers (CASP) between the Bank of Portugal and the Portuguese Securities Market Commission (CMVM) within a framework of mandatory cooperation and procedural coordination.

Individuals and companies can resort to the civil and criminal courts if legally protected rights and interests are violated.

The National Commission for Data Protection supervises compliance with the GDPR.

The Portuguese Securities Market Commission (CMVM) regulates and supervises financial markets and entities under the Securities Code and related legislation, with powers including:

• requesting disclosures;
• approving prospectuses; and
• imposing sanctions for non-compliance.

The Insurance and Pension Funds Supervisory Authority oversees insurance and pension aspects potentially involving crypto-assets.

The Tax Authority can:

• audit activities;
• impose fines; and
• issue binding rulings to ensure compliance with tax obligations.

The regulators in Portugal have adopted an open and constructive stance, promoting innovation while maintaining a focus on:

• investor protection;
• financial stability; and
• the prevention of illicit activities.

Under the MiCA Implementing Law, the CMVM is the competent authority responsible for supervising:

• Title II – regarding public offerings and admission to trading of crypto assets other than ART (Asset-Referenced Tokens) or EMT (Electronic Money Token);
• Title VI – regarding prevention and market abuse related to crypto assets;
• Chapter 3 of Title V – obligations relating to specific crypto-asset services;
• Articles 66 and 70 to 72 – obligations for all CASPs.

On the other hand, the Bank of Portugal is the competent authority responsible for supervising:

• Title III – regarding Asset-Backed Cryptocurrencies;
• Title IV – regarding Electronic Money Tokens;
• Chapters 1, 4 and 5 of Title V – authorisation and revocation of authorisation of CASPs (Crypto-Asset Service Providers), as well as acquisition of CASPs and significant providers of crypto-asset services;
• Articles 67 to 69, 73 and 74 – obligations for all CASPs.

We have seen the CMVM and the Bank of Portugal follow EU guidelines, taking a cautious ‘wait and see’ approach to avoid stifling technological growth.

Blockchain initiatives already span various sectors, including the public sector. Authorities participate in innovation hubs such as Portugal FinLab and plan to implement technological free zones to test blockchain-based solutions in controlled environments. A thriving entrepreneurial ecosystem – encompassing academia, startups, corporates, accelerators, venture capital firms and the public administration – supports this innovation-friendly regulatory attitude.

Several associations are significant in the Portuguese blockchain ecosystem. Organisations such as the following are key players:

• the New Economy Institute;
• Portugal Fintech;
• the Portuguese Blockchain Alliance;
• the Blockchain Lawyers Group; and
• the Portuguese Association of Blockchain and Cryptocurrencies.

Additionally, the financial industry is increasingly involved, influencing the direction and standards within the blockchain space.

In Portugal, blockchain applications have primarily taken root in:

• decentralized payments;
• DeFi protocols;
• cryptocurrency exchanges;
• custodial services; and
• investment platforms.

The most common type, however, are development companies, typically subsidiaries, that employ developers in Portugal to provide services to a parent company or foundations.

The supportive entrepreneurial community has also attracted digital asset entrepreneurs and fostered a user base engaged in crypto-asset trading. Non-fungible tokens have also gained traction, particularly in digital art, collectibles and gaming.

Real-world asset tokenisation is a prominent area of exploration. Decentralised finance (DeFi) applications are also garnering interest, offering prospects for innovative financial products and services on-chain. As the regulatory environment clarifies, it is expected that institutions will increase their engagement with DeFi protocols.

Specialised venture capital firms and prominent angels lead in blockchain-related investment. The public sector has likewise begun to make substantial (small scale) investments, recognising blockchain as a technology with potential for efficiency and transparency.

Yes. The “Descentralizar Portugal com Blockchain” initiative aims to develop a national blockchain ecosystem. Approximately €59 million has been invested in order to:

• train qualified professionals;
• strengthen the national industry;
• boost credibility; and
• position Portugal as a global leader in blockchain technology.

It is expected that technological free zones and regulatory sandboxes will be established, enabling environments in which new solutions can be tested without immediately facing the full regulatory burden and thereby accelerating innovation and adoption.

In Portuguese law, a ‘crypto-asset’ is defined as any digital representation of value or rights that can be transferred or stored electronically using distributed ledger technology (DLT) or similar technology.

The Bank of Portugal is responsible for supervision relating to the issuance of stablecoins (asset-referenced tokens and e-money tokens), for authorising CASPs, and for overseeing their prudential requirements and governance arrangements. It is also responsible for assessing acquisitions of CASPs and for supervising significant CASPs (i.e., CASPs with at least 15 million average users per year).

The CMVM, in turn, supervises the issuance of crypto-assets other than stablecoins (and not excluded from MiCA’s scope under Article 2), as well as market abuse, particularly in relation to trading platforms. It is also responsible for supervising CASPs’ conduct-of-business obligations vis-à-vis their clients.

Law 83/2017, which partially transposes EU Directives 2015/849 and 2016/2258, sets out measures to combat money laundering and terrorist financing.

General consumer protection and e-commerce laws apply, requiring entities offering crypto services to ensure:

• transparent disclosures;
• fair advertising; and
• compliance with information obligations.

In addition to general consumer protection rules, MiCA introduces harmonised disclosure, marketing and conduct of business obligations aimed at ensuring a high level of consumer and investor protection across the EU.

Furthermore, if tokens are deemed securities, the Securities Code provides additional investor protections, including disclosure and market integrity rules.

Since 2024, Portugal has clarified the tax treatment of crypto-assets.

Individuals may be taxed on capital gains from crypto-asset transactions, with distinctions based on holding periods:

• Crypto-assets held for longer than 365 days may be tax exempt unless classified as securities; and
• Gains from shorter holding periods are taxed at a flat rate (currently 28%).

For companies, income derived from crypto-asset activities is subject to standard corporate income tax (19% in 2026).

Gratuitous transfers of crypto-assets may be subject to stamp duty at a rate of 10%.

Value added tax generally does not apply to crypto-to-fiat exchanges, following the precedent set by the Court of Justice of the European Union in Hedqvist and the Tax Authority’s binding rulings.

Cryptocurrency exchanges operating in Portugal that engage in exchange, transfer or custodial wallet services must obtain formal authorisation as CASPs. Mere AML/CFT registration is no longer sufficient to lawfully operate, save for transitional arrangements expressly provided for the MiCA Impementing Law. Entities previously registered remain subject to a transitional regime, but must ultimately conform to MiCA authorisation requirements.

Accordingly, under the MiCA Impementing Law, any entity wishing to provide crypto-asset services in Portugal must apply for authorisation from the Bank of Portugal. The CMVM also participates in the authorisation process and must be notified by the Bank of Portugal whenever an application for CASP authorisation is submitted.

Upon receipt of the application and notification, the CMVM must issue an opinion assessing whether the information that is submitted is complete. The CMVM has between 10 and 15 business days to issue such an opinion. Failure to do so is deemed to indicate that the CMVM has no objection to the granting of authorisation by the Bank of Portugal.

The Bank of Portugal must also inform the CMVM of any changes to the business activities of authorised CASPs, as well as of any cross-border provision of services. It may also request information from the CMVM concerning the market conduct of authorised CASPs.

If tokens represent rights or interests that fit the broad definition of ‘securities’ under the Securities Code, they fall under securities law and may require a prospectus approved by the CMVM unless an exemption applies. The CMVM has issued guidance reminding issuers that investor protection, disclosure and market integrity rules apply when tokens resemble traditional securities.

If tokens are not deemed securities, these must:

• be offered in accordance with the rules in MiCA; and
• follow any guidelines approved by the CMVM and the Bank of Portugal.

Furthermore, they may still be subject to consumer protection rules.

Under Portuguese law, there is no inherent legal barrier to classifying smart contracts as contracts. A smart contract can meet the legal requirements if it includes the following essential elements:

• offer;
• acceptance;
• an intention to be legally bound;
• capacity; and
• a lawful object with definite terms.

The courts will examine both the code and any accompanying documentation to ascertain the parties’ intent to create enforceable rights and obligations.

However, challenges arise in cases where formalities are required (e.g., a public deed or authenticated document) and the absence of such formalities may result in the contract’s nullity.

Currently, there are no specific national regulatory or governmental guidelines dedicated solely to smart contracts. Parties must rely on general principles in the Civil Code.

Smart contracts can automate terms can be definitively encoded and executed without discretion such as straightforward, conditional performance triggers like:

• payment releases;
• transfers of value under certain conditions; or
• the settlement of standardised financial products.

Smart contracts struggle with provisions requiring:

• interpretation;
• discretion;
• legal formalities; or
• complex subjective judgement.

Clauses addressing unforeseen circumstances, good-faith requirements, fairness principles or dispute resolution involving nuanced legal analysis do not lend themselves to purely automated execution. As such, these subjective or interpretive components remain challenging to fully replicate in code.

Judicial enforcement may be complicated by the immutability and irreversibility of blockchain transactions. If a smart contract’s code is flawed or exploited, courts may need to determine remedies, but reversing on-chain transactions can be technologically challenging. Identifying pseudonymous parties and proving contractual intent may also be difficult. Courts may require technical experts to interpret and contextualise smart contract code.

Parties should plan for error handling, upgrades and modifications over time, possibly through proxy smart contracts.

Also, incorporating a dispute resolution mechanism to address ambiguities or unforeseen issues if necessary is advisable.

In a private (permissioned) blockchain, participants are known and governance frameworks can more easily handle disputes, revisions and upgrades. Enforcement is more straightforward since parties have pre-existing contractual arrangements and identities.

On a public (permissionless) blockchain with anonymous participants, irreversibility, code immutability and difficulty identifying the parties involved pose more significant legal and practical challenges.

Blockchain’s immutability and distributed nature can conflict with GDPR principles such as the right to erasure or data minimisation. It can also be difficult to:

• identify data controllers;
• determine applicable jurisdictions; and
• ensure compliance with data protection standards.

Blockchain can ensure:

• data integrity;
• authenticity; and
• tamper-proof audit trails.

Technologies such as zero-knowledge proofs allow users to prove certain attributes without revealing full personal data. If implemented thoughtfully, protocols can enhance trust, security and privacy, while still maintaining compliance with underlying data protection principles.

Blockchains can be exposed to attacks if a malicious entity gains control over the majority of the network’s computing power. Smart contracts may contain exploitable vulnerabilities leading to financial losses. Users also risk phishing attacks or private-key theft.

Blockchain’s decentralised architecture enhances resilience by eliminating single points of failure. Cryptographic techniques ensure data authenticity and make unauthorised alterations easily detectable. The transparent nature of many blockchains facilitates early detection of suspicious activities, increasing overall accountability and security.

Measures include:

• rigorous code audits;
• formal verification of smart contracts; and
• continuous security testing.

Using reputable custodians, hardware wallets or multi-signature wallets can protect users’ private keys. Adhering to established cybersecurity best practices – encryption, multi-factor authentication, intrusion detection systems and incident response plans – is critical. Insurance policies can further mitigate liability risks.

• The enforcement of IP rights on a blockchain can be difficult when infringing content is irreversibly recorded on the ledger (although storing large files on-chain is costly, reducing the likelihood of widespread IP infringement via direct on-chain content).
• The identification of responsible parties may be challenging if participants are pseudonymous.

Blockchain developers can use existing forms of IP protection:

• Copyright laws protect source code;
• Patent protection may be available for novel technical solutions; and
• Developers can rely on trade secrets if their code is not disclosed publicly.

Blockchain technology can provide immutable proof of creation, priority and authorship.

Open-source platforms with permissive licences (e.g., MIT or Apache 2.0) can guide conditions for use, distribution and modification. These platforms and licences confirm that any derived works comply with certain conditions, balancing openness with legal safeguards against misappropriation.

Blockchain can serve as a transparent, tamper-proof ledger of rights, licences and transactions, aiding in resolving IP disputes. Using cryptographic proofs and timestamps, it can streamline licensing arrangements and automate royalty payments through smart contracts, improving efficiency and trust in IP management.

The Portuguese regulatory landscape is currently being reshaped by the implementation of MiCA in national legislation, which is expected to bring greater legal certainty and harmonisation, benefiting both local and international market participants. The inception of technological free zones and additional guidance on decentralised finance and tax frameworks will further help in the ecosystem’s development.

The adoption of balanced AML/CFT procedures for banks when onboarding or dealing with businesses and individuals in the blockchain and crypto ecosystem would be incredibly beneficial.

Furthermore, streamlined innovation testing procedures through technological free zones would reduce barriers for startups and established entities alike. Greater integration of blockchain solutions into public services and registries could set a positive example for private sector adoption, fostering robust best practices and improving trust in blockchain technologies.

The greatest impediments are bureaucratic hurdles, administrative complexity and the lack of an innovative drive from the regulators (especially when compared to other EU jurisdictions).

A proactive approach is crucial. Engaging legal and regulatory experts early on helps in:

• ensuring compliance with the rules on anti-money laundering/countering the financing of terrorism;
• understanding the tax implications; and
• properly classifying tokens from the start.

Maintaining open communication with regulators and industry associations is also highly beneficial. For example, the FinLab initiative offers an excellent pathway for market entry, allowing companies to gain valuable insights from the regulator on their business model. This process results in a detailed report that can be shared with investors and potential partners, addressing any compliance-related concerns.

Potential sticking points include:

• navigating evolving regulations;
• ensuring data protection compliance; and
• reconciling the irreversibility of blockchain transactions with traditional legal remedies.