
EU AI Act in Portugal: ANACOM, Designated Authorities, and Business Obligations

Guide · 3 June 2026 · 18 min read · 3,674 words

ANACOM leads EU AI Act enforcement in Portugal, coordinating 14 authorities. Covers penalties, GDPR/FRIA overlap, and the Dec 2027 high-risk deadline.

Portugal moved faster than most EU Member States on one of the Regulation's key requirements. While the EU AI Act — Regulation (EU) 2024/1689 — entered into force across the Union on 1 August 2024 and applies directly in Portugal without transposition, Member States still had to do something the Regulation could not do for them: designate the national competent authorities who would actually enforce it. Portugal completed that designation in 2025, with its framework confirmed around September 2025, placing it among the earlier movers in the EU.

The architecture Portugal chose is coordinated rather than fragmented. ANACOM — the Autoridade Nacional de Comunicações, Portugal's national communications authority — sits at the centre as the market surveillance authority, the single point of contact for the EU AI Office, and the coordinator of fourteen designated public authorities covering different sectors and fundamental-rights domains. For companies operating in Portugal, that means there is a clear front door to the enforcement regime and a knowable set of sector-specific counterparts behind it.


A Regulation, Not a Directive: No Portuguese Transposition Required

The EU AI Act is a Regulation adopted under Article 288 TFEU. That means it has direct effect — it applies in Portugal as written, without Portugal needing to pass a national implementation law. Companies in Portugal do not wait for a Portuguese AI statute before obligations bite. They never did.

Article 5's prohibited practices — biometric categorisation by sensitive characteristics, social scoring, subliminal manipulation, exploitation of personal vulnerabilities, and real-time remote biometric identification in public spaces outside the law-enforcement carve-outs — have applied since 2 February 2025. GPAI model obligations under Chapter V have applied since 2 August 2025. The Article 99 penalty framework has been live since the same date.

What Portugal has done through its designation process is determine who enforces these obligations nationally — not create new obligations or a different timeline. The substance of what is required comes entirely from Brussels.


Portugal's Coordinated Supervisory Model

Portugal designated fourteen public authorities to supervise and enforce the EU AI Act across their respective domains. ANACOM holds three overlapping roles within this structure.

As the national market surveillance authority (MSA), ANACOM is responsible for monitoring AI systems placed on the Portuguese market, conducting enforcement investigations, gathering information from operators, and imposing corrective measures and fines under Article 99. As the single point of contact (SPoC), it is Portugal's formal interface with the EU AI Office in Brussels, through which GPAI-related information flows and cross-border enforcement is coordinated. As the national coordinator, ANACOM is responsible for aligning the work of the fourteen designated authorities — ensuring that where AI systems fall within a regulated sector, the sector-specific authority's expertise informs enforcement without creating contradictory requirements.

This model mirrors the logic of Article 70 of the Regulation, which gives Member States flexibility in how they organise national competence while requiring designation of at least one authority and a single point of contact.

Portugal's early and comparatively settled designation is notable for practical reasons. Companies can identify their primary regulator, engage early, and plan submissions. In countries where designation is still pending or disputed, companies face uncertainty about who they are building compliance programmes for. In Portugal, that question has been answered.


Who Enforces the EU AI Act in Portugal?

ANACOM: Market Surveillance and Coordination

ANACOM takes the lead for general AI Act enforcement, handling market surveillance for AI systems that do not fall squarely within another authority's regulated domain. Its remit covers the obligations that apply across the board: reviewing technical documentation under Article 11, checking conformity assessment records under Article 43, monitoring post-market records under Article 72, and issuing corrective orders or referring penalties where obligations have been breached.

For companies placing general-purpose software products or AI-enabled services on the Portuguese market, ANACOM is likely to be the primary authority they encounter.

Sectoral Authorities

Where AI systems operate in regulated sectors, the relevant sectoral authority works alongside ANACOM. Three are worth specific attention for most compliance programmes.

Banco de Portugal supervises AI deployed by banks, payment institutions, and credit providers. Credit-scoring systems, loan-origination models, and fraud-assessment tools in the financial sector sit within its purview. Annex III point 5(b) — creditworthiness and credit-scoring for natural persons, excluding fraud detection — is a high-risk category, and Portuguese financial institutions using such tools should treat the Banco de Portugal as the relevant counterpart when questions arise about classification or compliance.

CMVM (Comissão do Mercado de Valores Mobiliários, the Portuguese Securities Market Commission) supervises AI deployed within securities markets. For investment firms, asset managers, and trading venues regulated by CMVM, AI Act obligations layer onto MiFID II and market-integrity requirements; CMVM's existing supervisory relationship with these firms is the natural channel for AI Act matters within its domain.

CNPD (Comissão Nacional de Proteção de Dados) is Portugal's data protection authority. Its role in the AI Act framework arises wherever high-risk AI systems process personal data — which, in practice, covers nearly every Annex III system. The GDPR and EU AI Act run in parallel; the CNPD does not lose its supervisory competence over personal-data processing merely because an AI Act obligation also applies. Companies should expect the CNPD to take a close interest in high-risk deployments that involve profiling, biometrics, or large-scale processing of personal information.

EU AI Office: GPAI Model Oversight

Portugal-based companies that develop and place general-purpose AI models on the market — foundation models, large language models, multimodal systems — are supervised not by ANACOM but directly by the EU AI Office in Brussels. The AI Office holds exclusive competence over GPAI model obligations under Articles 53 and 55, including the technical documentation requirements, downstream information duties, copyright policies, and — for systemic-risk models — adversarial testing and incident reporting. ANACOM acts as the SPoC for coordination purposes, but GPAI model providers should engage with the EU AI Office's codes of practice process rather than treating GPAI compliance as a national matter.


How Portugal's Framework Interacts with the GDPR

The CNPD has been Portugal's data protection authority since the GDPR came into force in 2018. It administers the GDPR — as well as Portugal's national implementing law, Lei n.º 58/2019 — and has accumulated supervisory practice across financial services, healthcare, telecommunications, and public administration. That institutional knowledge directly shapes how the GDPR-AI Act intersection will be handled in Portugal.

The most immediate practical overlap concerns impact assessments. Under GDPR Article 35, a Data Protection Impact Assessment (DPIA) is mandatory before high-risk processing of personal data — and almost every Annex III AI system qualifies. Under EU AI Act Article 27, certain deployers must complete a Fundamental Rights Impact Assessment (FRIA) before putting a high-risk AI system into service. Both instruments require documented pre-deployment analysis of risks to individuals, and both assessments must be made available to supervisors on request.

The two assessments are not duplicative if they are coordinated properly. Article 27(4) of the EU AI Act explicitly allows the FRIA to build on an existing DPIA — the factual foundation, the data flows, the risk analysis — without repeating work already done. For a Portuguese public body or a company deploying a creditworthiness system or a health/life insurance risk model (the two non-public-authority categories where Article 27 FRIA applies), the practical approach is to run the DPIA first, then extend it to cover the FRIA's fundamental-rights scope. The CNPD's DPIA guidance provides the baseline; the AI Act FRIA adds the broader rights analysis.

A second interaction concerns logs and records. Article 12 of the EU AI Act requires high-risk AI systems to produce logs automatically. Where those logs capture personal data — as they routinely will in employment, credit, and public-benefit contexts — GDPR Article 22's requirements on automated decision-making also apply. GDPR Article 22 requires that individuals subject to solely automated decisions with significant effects have the right to human review, an explanation, and the ability to contest the outcome. The AI Act's Article 14 human oversight requirement points in the same direction. A Portuguese lender running an automated credit decision model must meet both simultaneously: Article 26 deployer duties (including Article 14 oversight) and GDPR Article 22 safeguards. Documenting how the human review step works, and how it is triggered, satisfies elements of both.


The EU AI Act Timeline as It Applies in Portugal

Date | What applies
2 February 2025 | Article 5 prohibited practices and Article 4 AI literacy — already in force
2 August 2025 | GPAI obligations (Chapter V, Articles 51–56), governance, EU AI Office, Article 99 penalties
2 August 2026 | General application including Article 50 limited-risk transparency (chatbots, deepfakes, synthetic-content marking)
2 December 2027 | Stand-alone high-risk AI systems (Annex III) — deferred under the Digital Omnibus
2 August 2028 | High-risk AI as safety components of Annex I regulated products — deferred under the Digital Omnibus

Article 5 is already enforceable. ANACOM has authority today to act on prohibited practices — and any Portuguese company or public body whose AI systems involve biometric categorisation by sensitive characteristics, social scoring, or manipulation of persons exploiting vulnerabilities should have completed its Article 5 review already.

The high-risk deadline is no longer August 2026. Under the Digital Omnibus — the Commission amendment package for which Parliament and Council reached political agreement on 7 May 2026, with formal adoption expected before 2 August 2026 — stand-alone high-risk Annex III systems now have until 2 December 2027, and high-risk AI embedded in Annex I regulated products has until 2 August 2028. That is additional time; it is not additional slack. Assembling an Article 9 risk management system, completing Annex IV technical documentation, establishing Article 14 human oversight controls, and preparing for conformity assessment under Article 43 takes most well-resourced organisations six to twelve months of dedicated work. The time to start is now, not mid-2027.


Penalties: What Companies in Portugal Face

Penalties are set by Article 99 of Regulation (EU) 2024/1689 and applied nationally by ANACOM and the other designated authorities. There are three tiers, each "whichever is higher" between a fixed amount and a percentage of total worldwide annual turnover in the preceding financial year:

  • €35,000,000 or 7% — for violations of the Article 5 prohibitions. This tier has been available to authorities since 2 August 2025.
  • €15,000,000 or 3% — for non-compliance with most other obligations: high-risk AI requirements under Articles 9–15, provider obligations under Article 16, deployer obligations under Article 26, and Article 50 transparency duties.
  • €7,500,000 or 1% — for supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.

For smaller companies, Article 99(6) provides a proportionality protection: fines are capped at the lower of the fixed amount or the percentage. A Portuguese company with €4 million annual turnover cannot face a €15 million fine for a high-risk obligation breach — 3% of €4 million is €120,000, and that is the ceiling for this company. This cap is worth knowing; it meaningfully changes the risk calculus for smaller operators.

Fines are maximums, not starting points. ANACOM will apply proportionality factors — duration, degree of fault, cooperation, and prior infringements — before arriving at a figure. The €35M/7% ceiling for Article 5 breaches applies from the moment of the violation; companies persisting with prohibited practices should not assume that the high-risk deferral offers any shelter here.

GPAI-specific fines are a separate instrument: up to €15 million or 3%, imposed by the Commission directly on GPAI model providers under Article 101.


Portugal-Specific Compliance Considerations

ANACOM as the Single Front Door

Portugal's coordinated model — one lead authority coordinating fourteen sectoral partners — gives companies a more navigable starting point than supervisory frameworks that distribute competence across multiple equal-ranking authorities with contested boundaries. For most compliance queries, document requests, or early engagement meetings, ANACOM is the right first contact. It will route matters involving banking AI to the Banco de Portugal, securities to CMVM, and data protection to the CNPD.

In practice, this means companies should invest in understanding ANACOM's approach to technical documentation review and market surveillance. Guidance published by ANACOM — and, at the EU level, by the EU AI Office — will set the practical standard against which documentation packs are assessed.

Regulatory Sandbox: Available from 2 August 2026

Article 57(1) of the Regulation requires each Member State to establish at least one regulatory sandbox by 2 August 2026. Sandboxes give companies — with priority and free access for smaller companies under Article 58 — a supervised space to develop and test AI systems before general market release, with a degree of regulatory flexibility for innovative use cases that do not yet sit cleanly within the existing framework.

For Portuguese start-ups and scale-ups developing AI systems in regulated sectors — fintech, health, public services — the sandbox route is worth tracking. Engagement with ANACOM on sandbox eligibility can begin before the formal launch date.

Public-Sector Deployers: Mandatory FRIA Under Article 27

Portuguese public bodies deploying high-risk AI systems must complete a FRIA under Article 27 before putting those systems into service. This applies to government agencies, municipalities, public health services, and public employment bodies. The FRIA must document the AI system's intended purpose, the fundamental rights potentially affected, how risks are mitigated, and how affected persons can seek redress. It must be made available to ANACOM on request and updated when the deployment context changes materially.

Public-sector AI deployments in areas like benefits eligibility, public-employment matching, immigration processing, or education administration sit squarely in Annex III high-risk territory. The FRIA requirement is not optional, and ANACOM's initial enforcement focus is likely to land on public-sector deployments — they are visible, they affect large numbers of people, and they set the compliance standard others watch.

The Article 25 Role-Shift for Portuguese Customisers

Many Portuguese companies — including technology firms, public-sector IT integrators, and sector-specific software vendors — do not build AI systems from scratch but customise and integrate AI capabilities from upstream providers. That practice can shift a company from the deployer role under Article 26 into the provider role under Article 16.

Article 25 sets out when this happens: if a company places a high-risk AI system on the market or puts it into service under its own name or trademark; substantially modifies a high-risk AI system; or modifies the intended purpose of a system in a way that makes it high-risk. In all three cases, the company must complete a fresh conformity assessment under Article 43, assemble the full Annex IV technical documentation, and issue an Article 47 / Annex V Declaration of Conformity. The deployer duties under Article 26 are replaced by the heavier provider stack.

Portuguese companies that have fine-tuned a model on proprietary data, wrapped a third-party AI system in their own product, or configured a general-purpose AI for a specific high-risk use should run the Article 25 analysis before assuming deployer status.


How Confir Helps Companies in Portugal

Portuguese compliance teams building their EU AI Act programmes face a documentation-heavy task: an AI inventory, Article 9 risk management records, Annex IV technical documentation, Article 27 FRIAs for applicable deployers, conformity assessment preparation under Article 43, Article 47 / Annex V Declarations of Conformity, and Article 72 post-market monitoring records.

Confir is an EU-hosted compliance tool designed specifically for this work. Its classification engine is rule-based and deterministic — it encodes Articles 5 and 6 with Annex III logic in explicit rules, so the same intake always produces the same finding, with a human-readable explanation of which rule fired. The output is audit-defensible: no hallucination, no variability, reproducible by design.

The structured assessment covers four areas: AIRC (risk classification under Articles 5, 6, 43, and 50), AITR (data and technical robustness under Articles 10, 11, and 15), AITO (transparency and human oversight under Articles 13, 14, 27, and 50), and AIGM (governance and post-market monitoring under Articles 9, 72, and 73). From that assessment, Confir generates the full Annex IV technical documentation pack, the Article 47 / Annex V Declaration of Conformity, and the Article 27 FRIA. Self-serve from €600 per year, no consulting engagement required, EU-hosted.


What Companies in Portugal Should Do Now

Immediately (Article 5 obligations already apply): Audit any AI system that might involve biometric categorisation by sensitive characteristics, social scoring, subliminal manipulation of decision-making, exploitation of personal vulnerabilities, or real-time biometric identification in public spaces. The Article 5 prohibition has been enforceable since 2 February 2025. ANACOM has authority to act. If a system fits a prohibited category with no applicable exception, the remedy is not documentation — it is discontinuation or redesign.

Before 2 August 2026 (general application and Article 50): AI systems that interact with natural persons — chatbots, virtual assistants, AI-generated content tools, emotion-recognition interfaces — must comply with Article 50 transparency requirements. Users must know when they are interacting with AI, when content is synthetically generated, and when emotion recognition or biometric categorisation is in use. Article 50 applies from 2 August 2026; this date was not deferred.

2026–2027 (high-risk preparation, Annex III systems): Companies with stand-alone Annex III systems have until 2 December 2027. Use the time systematically: build the AI inventory, classify each system applying the Article 6(3) filter, determine provider or deployer roles, and begin the documentation stack. For systems involving personal data, coordinate the GDPR Article 35 DPIA and Article 27 FRIA work. For public-body deployers, the FRIA is mandatory and should be prioritised.

Ongoing: Monitor ANACOM's guidance and enforcement communications. Watch for the EU AI Office's GPAI codes of practice, which are being developed in 2025–2026 and will set expectations for GPAI model providers regardless of where they are based. If your company develops AI systems in banking or securities, maintain engagement with the Banco de Portugal and CMVM, whose existing supervisory expectations for AI will inform how they apply the Act within their domains.


Frequently Asked Questions

Which authority is responsible for EU AI Act enforcement in Portugal?

ANACOM (Autoridade Nacional de Comunicações) is Portugal's national market surveillance authority, single point of contact for the EU AI Office, and coordinator of the fourteen designated public authorities. For most companies, ANACOM is the primary enforcement contact. Sectoral authorities — including the Banco de Portugal for banking AI, CMVM for securities, and CNPD for data-protection matters — operate within their own regulated domains under ANACOM's coordination.

Did Portugal need to pass a national law to implement the EU AI Act?

No. The EU AI Act is Regulation (EU) 2024/1689, directly applicable under Article 288 TFEU. It applies in Portugal without transposition. Portugal's obligation was to designate competent authorities — which it did, with ANACOM confirmed as lead authority around September 2025 — not to create new substantive obligations through national legislation.

When does the EU AI Act's high-risk compliance deadline apply in Portugal?

Under the Digital Omnibus (political agreement reached 7 May 2026), stand-alone high-risk AI systems listed in Annex III have until 2 December 2027. High-risk AI embedded in Annex I regulated products has until 2 August 2028. The original 2 August 2026 date was deferred. Article 5 prohibitions applied from 2 February 2025 and are enforceable now; Article 50 limited-risk transparency applies from 2 August 2026.

What fines can companies in Portugal face under Article 99?

Three tiers apply: €35 million or 7% of worldwide turnover for Article 5 prohibition breaches; €15 million or 3% for most other obligations including high-risk AI requirements and provider/deployer duties; €7.5 million or 1% for supplying incorrect or misleading information to notified bodies or competent authorities. Under Article 99(6), fines for smaller companies are capped at the lower of the fixed amount or the percentage.

Does Portugal's CNPD have a role in EU AI Act supervision?

Yes. The CNPD retains its GDPR supervisory competence and is one of the fourteen designated authorities in Portugal's framework. It is most relevant where high-risk AI systems process personal data at scale. The practical interaction is primarily around the GDPR Article 35 DPIA and the EU AI Act Article 27 FRIA — both required before deployment for high-risk systems processing personal data — and around GDPR Article 22 obligations on automated decision-making.

What is the Article 27 FRIA and which deployers in Portugal must run one?

The FRIA (Fundamental Rights Impact Assessment) is a pre-deployment assessment required under Article 27 of the EU AI Act. It applies to public bodies deploying high-risk AI systems, and to deployers of creditworthiness/credit-scoring systems (Annex III point 5(b)) or life/health insurance risk systems (Annex III point 5(c)). Private employers deploying recruitment or workforce-management AI do not automatically owe a FRIA. The assessment must document the system's purpose, the fundamental rights at risk, and the mitigation measures, and must be made available to ANACOM on request.

How does the Article 25 role-shift affect Portuguese companies that customise AI tools?

A company that takes a third-party AI system and places it on the market under its own name, substantially modifies it, or changes its intended purpose to make it high-risk becomes the provider under Article 25 — inheriting the full Article 16 provider stack, including Annex IV technical documentation, Article 43 conformity assessment, Article 47 / Annex V Declaration of Conformity, and Article 49 registration. Portuguese technology firms, integrators, and software vendors that customise or wrap AI capabilities from upstream suppliers should verify their role classification before assuming deployer status.

