Fintech 2025

PORTUGAL Law and Practice Contributed by: João G Gil Figueira, Rodrigue Devillet Lima and Catarina Andrade Miranda, GFDL Advogados

From an employment law perspective, restrictions apply to outsourcing functions to an ex-employee who was terminated during the previous 12 months. Portugal also has transfer of undertaking rules that may impact outsourcing arrangements.

2.9 Gatekeeper Liability

There is no legal concept of gatekeeper nor a specific liability regime for fintechs. Therefore, the characterisation or imposition of a service provider to act as a gatekeeper varies. Different market participants may be subject to distinct types of liability or scrutiny by regulators depending on the effective role played. In particular, obligations to report suspected money laundering activities apply across most sub-industries of fintech.

2.10 Significant Enforcement Actions

Portuguese regulators may often deploy routine inspections and audits to legacy and fintech participants. Depending on the seriousness of any breach found by the regulator, different penalties may apply, ranging from a mere administrative notice to hefty fines and, finally, to licence or authorisation suspension or revocation.

Where the regulator finds a breach of regulatory provisions, the outcome of the proceeding may be settled between the fintech participant and the regulator or disputed administratively and, upon conclusion, argued in the competent court. All supervisors have official websites where the fines imposed and the results of enforcement actions can be accessed.

2.11 Implications of Additional, Non-Financial Services Regulations

Several non-financial regulations may apply to fintechs.

Considering the scope of the activities developed by many fintech industry participants, the DORA Regulation, which fully entered into force on 17 January 2025, may also apply. This regulation imposes the requirement to implement security measures to protect ICT systems in use.

GDPR will likely apply as many fintechs process personal data as part of their business model. The Portuguese supervisory authority is the National Data Protection Commission.

MiCA requires crypto-asset service providers to comply with the GDPR. This applies to all published information, including data made available on their websites.

In addition, MiCA sets specific requirements for publications and marketing communications, including those on social media. Service providers must ensure compliance with these standards and take measures to prevent the dissemination of false or misleading information in crypto-asset white papers, as well as fraudulent or scam practices.

Under Law No 46/2018 of 13 August, which transposed the EU Network and Information Systems (NIS) Directive (2016/1148) into the domestic legal framework, fintech participants are required to have robust security measures in place against cyber threats. Encryption, access control, incident response, disaster recovery, and business continuity plans are essential contingencies that require implemented measures.

2.12 Review of Industry Participants by Parties Other than Regulators

Besides regulators, fintech industry participants often use two types of audits, namely internal and external audits.
