.jpg?v=2)
Decree-Law No. 25/2026, of 28 January was published, adapting the domestic legal framework to Regulation (EU) 2021/784 on combating the dissemination of terrorist content online, and establishing the national framework for the implementation, supervision and enforcement of the obligations set out therein.
The Decree-Law seeks to ensure the proper functioning of the Digital Single Market and to align the fight against the dissemination of terrorist content online with the National Strategy for Combating Terrorism, reconciling a repressive and preventive approach with freedom of expression and the legal certainty of service providers.
The Decree-Law provides, in particular, for three key aspects:
(i) Designation of competent authorities
The Judicial Police (Polícia Judiciária – PJ) is designated as the competent authority for issuing decisions to remove or block terrorist content, as well as for analysing and enforcing cross-border decisions issued by other Member States. The National Communications Authority (ANACOM) is responsible for supervising compliance with the obligations applicable to virtual hosting service providers and for imposing the corresponding sanctions.
(ii) Strengthening judicial oversight safeguards
Decisions to remove or block content adopted by the PJ are communicated to the Public Prosecutor’s Office at the Central Department of Investigation and Criminal Action (DCIAP), which, if it concurs, must submit them for validation by the investigating judge within a maximum period of 48 hours, failing which the decision shall cease to have effect.
The Decree-Law further provides for judicial appeal mechanisms (to the Court of Appeal, in the case of judicial decisions, and to the Competition, Regulation and Supervision Court, in the case of sanctioning decisions adopted by ANACOM), thereby ensuring effective judicial protection of the rights of service providers and content providers.
(iii) Establishment of a specific sanctions framework
Administrative offences are defined for non-compliance with the obligations laid down in Regulation (EU) 2021/784, including failure to remove or block terrorist content within the prescribed time limit, non-compliance with cross-border removal orders, and breaches of transparency and data retention obligations.
The Decree-Law distinguishes between serious and very serious administrative offences, reflecting the significance of the obligations concerned and the risks associated with their breach. Fines vary according to the seriousness of the infringement and the size of the offender, and can reach, in the case of large companies, up to EUR 1,000,500 (serious infringements) and EUR 5,000,500 (very serious infringements). In the event of repeated serious infringements, the maximum fine may amount to 4% of the provider's total worldwide turnover in the preceding financial year, in line with the criteria expressly set out in Regulation (EU) 2021/784.
In terms of administrative liability, virtual hosting service providers, content providers and, in certain cases, the legal representatives of virtual hosting service providers that do not have their main establishment in the European Union may be subject to sanctions. Legal persons are liable for infringements committed in their name or on their behalf, including those committed by corporate bodies, managers and employees in the performance of their duties.
It should also be noted that negligence is punishable, without the need to prove intent, in which case the minimum and maximum limits of the applicable fine are reduced by half.
Decree-Law No. 25/2026 shall enter into force 60 days after its publication on 29 March 2026.
