1 Overview of the legal framework
1.1 Primary sources of banking and finance law
At a national level, the main sources of banking and finance law in Portugal are:
The General Regime for Credit Institutions and Financial Companies approved by Decree‑Law No. 298/92, dated December 31 (RGICSF, according to its Portuguese initialism);
The Securitisation Law approved by Decree‑Law No. 453/99, dated November 5 (Lei da Titularização de Créditos);
The Portuguese Securities Code approved by Decree‑Law No. 486/99, dated November 13 (Código dos Valores Mobiliários); and
The Asset Management Regime approved by Law No. 16/2015, dated February 24.
The national authorities responsible for the supervision and enforcement of each framework are:
The Banco de Portugal (BoP);
The Portuguese Securities Market Commission (CMVM); and
The Insurance and Pension Funds Supervisory Authority (ASF).
1.2 Risk management requirements
Portuguese banks follow the EU Capital Requirements Regulation (CRR) and the Capital Requirements Directive (CRD) framework. Portuguese banks also undergo stress testing and publish the European Banking Authority’s (EBA’s) pillar three disclosures. Outsourcing must comply with the EBA rules, while ICT and cyber resilience are regulated under the EU Digital Operational Resilience Act (DORA). Recovery and resolution apply via the EU Bank Recovery and Resolution Directive (BRRD) and single resolution mechanism (SRM), including minimum own funds and eligible liabilities requirements.
AML and ESG risks are embedded in governance and risk management. Entities operating in the payment services field follow the EU’s Second Payment Services Directive (PSD2), which governs payment services and e-money.
1.3 Conduct of business rules
Portuguese conduct of business rules blend EU frameworks with national standards.
For credit activity and deposits, the BoP supervises transparency and advertising rules, standard pre‑contract information, affordability/creditworthiness checks, and taxa anual de encargos efetiva global (TAEG), the Portuguese equivalent of the annual percentage rate.
Payment-related matters follow PSD2 transparency guidelines and strong customer authentication requirements.
1.4 Regulatory changes
Portugal aligns its national framework with EU law through implementing acts and supervisory notices. The EU banking package (CRR3/CRD6) began to be phased in on January 1 2025. DORA became applicable on January 17 2025. The EU Markets in Crypto-Assets Regulation (MiCA), including crypto-asset service provider licensing and national transitional regimes, is live through 2025, with supervisors issuing regulatory technical standards/guidance. The EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism was established on July 1 2025. The EU’s Third Markets in Financial Instruments Directive (MiFID III) has yet to be transposed into Portuguese legislation despite the set deadline of September 29 2025.
At a national level, Decree-Law No. 103/2025, approved in September, aims to harmonise access to, and the exercise of, non-performing bank credit management and defines requirements for credit purchasers.
2 Licensing and market entry
2.1 Licensing requirements
Banks require European Central Bank (ECB) authorisation (with the BoP’s assessment), minimum capital, suitable owners, fit‑and‑proper management, sound governance and risk frameworks, and a programme of operations.
Other financial institutions must meet activity-specific regimes. Investment firms (which are supervised by the CMVM) comply with the EU Investment Firms Regulation and the EU Investment Firms Directive.
Payment and e‑money institutions (supervised by the BoP) require initial capital/own funds, safeguarding, AML/countering the financing of terrorism (CFT), ICT/outsourcing controls, agent oversight, and governance and fit‑and‑proper requirements.
2.2 Process and timeline
The processes typically involve a pre‑filing dialogue with the regulators and require a complete and detailed application (including a business plan, and information concerning policies, capital, owners, and governance) and ongoing supervisory review.
Statutory timelines are generally between 6 and 12 months from the date upon which a complete file has been submitted. However, experience suggests that in practice these processes take much longer.
2.3 Foreign ownership restrictions
There is no general cap on foreign ownership, although qualified holdings are subject to fit-and-proper and know-your-customer analysis by the regulators, which may be time consuming and complex, particularly when the qualified holdings involve several shareholding chains.
2.4 Cross-border services
Financial institutions that are authorised within the European Economic Area (EEA) may passport services or establish branches under the CRD, MiFID II, and PSD2. Non‑EEA firms generally need Portuguese authorisation to operate (or authorisation from other EEA states to then passport services/establish branches). Reverse solicitation is narrowly applied. Digital delivery can still trigger local licensing and conduct/advertising and language requirements.
3 Cross-border transactions and foreign exchange controls
3.1 Regulations and/or reporting requirements
Portugal has no exchange controls, as EU capital movements are free. However, cross‑border flows may trigger balance‑of‑payments/statistical reporting to the BoP, AML/sanctions screening obligations for the entities involved, and tax reporting, while cash‑use restrictions and source‑of‑funds verification also apply.
3.2 Frameworks
The key Portuguese frameworks relate to EU passporting (CRD, MiFID II, and PSD2), the single supervisory mechanism/SRM, the Single Euro Payments Area for payments, the European Market Infrastructure Regulation for derivatives, and the Prospectus/PRIIPs/Sustainable Finance Disclosure Regulation (SFDR) regimes. There are no special bilateral banking passports; third‑country access relies on activity‑specific EU and national regimes.
3.3 Compliance risks
The main hurdles are:
Licensing requirements and timings for obtaining authorisation;
Stringent AML/CFT expectations and thorough fit-and-proper assessments;
DORA technology and operational risk management requirements;
Strong consumer protection regulations and disclosure rules;
Security/perfection formalities in lending;
Stamp duty on loans;
Language/local law; and
Sanctions compliance.
3.4 Strategies
It is advisable to engage local counsel with a view to assessing at the outset whether passporting is possible or local licensing will be required. The following measures are also recommended:
Anticipating the adaptation of customer-facing and contractual materials to Portuguese legal and supervisory requirements;
Implementing robust AML/sanctions and DORA‑aligned ICT controls;
Ensuring General Data Protection Regulation (GDPR)‑compliant data handling, and planning for tax and stamp duty; and
Maintaining proactive engagement with the BoP/CMVM supported by experienced local counsel.
4 Security interests and collateral
4.1 Common types of security interests
In Portugal, the principal types of security interests are mortgages over real estate and pledges over movable assets and rights.
Receivables and bank accounts are usually secured by pledges of credit rights, with debtor/account‑bank notice. Receivables may also be taken by assignment by way of security or, for income generated by immovables or other registrable assets, assignment of revenues. Inventory and other tangible movable assets are also commonly pledged.
Financial collateral arrangements and, in commercial contexts, commercial pledges with appropriation are frequently used, subject to their specific formalities.
4.2 Registration of security interests and charges
Portugal does not have a single notice-filing registry. Instead, security is perfected through specific registries. Mortgages on real estate only take effect once they are registered with the Land Registry. Ranking is determined by the time of presentation.
Pledges over companies’ shares require annotation of share certificates and in the issuer’s share ledger for certificated shares, or entries in the relevant securities account for book-entry shares. In contrast, pledges over quota companies must be registered with the Commercial Registry by filing the relevant deed or private instrument.
5 Fintech, digital banking, and innovation
5.1 Guidelines for fintech businesses
Portugal’s fintech regulation depends on the legal status of firms, products, and services. It blends EU law with national supervision by the BoP, the CMVM, and the ASF. The core regimes include PSD2 and the legal framework for payment services and e‑money. These cover payment/e‑money institutions, payment initiation services/account information services, strong customer authentication, and, from 2025, DORA provisions.
AML/CFT duties arise under Law No. 83/2017 and sectoral rules, with heightened expectations for crypto providers. EU regulatory baselines in crypto are set by MiCA and the Transfer of Funds Regulation. There are also two draft laws (not yet approved) to implement the EU crypto package nationally:
Draft Law 31/XVII/1 aims to transpose changes linked to Regulation (EU) 2023/1113; and
Draft Law 32/XVII/1 aims to implement MiCA and empowers the BoP on authorisation, disclosure, reporting, and transitions.
5.2 Innovation-friendly initiatives
Portugal’s sandbox framework creates cross‑sector “Technological Free Zones” as controlled environments to test innovative products, services, and business models. Applicants file an application or a declaration of interest through the National Innovation Agency and follow the formal procedure defined for each zone.
In late 2023, the CMVM launched Market4Growth, a simulation‑based programme that helps innovative companies prepare for capital markets access by mirroring regulatory processes. A second edition in 2025 reinforced the CMVM’s commitment to fostering capital market innovation.
An additional example is Portugal FinLab, a joint innovation hub run by the BoP, the CMVM, and the ASF.
5.3 Digital customer onboarding and data privacy requirements
Remote onboarding must meet AML/CFT rules under Law No. 83/2017 and BoP/CMVM guidance, allowing non‑face‑to‑face verification with robust document checks, liveness checks, evidence retention, and risk‑based controls. The GDPR and Law No. 58/2019 require a lawful basis, transparency, purpose limitation, data minimisation, privacy‑by‑design/default, data protection impact assessments for high‑risk processing, and safeguards for international transfers.
For payments and account access, PSD2 and strong customer authentication/secure communication standards govern credential security and fraud controls. From 2025, DORA layers in ICT governance, critical third‑party risk management, incident reporting, and resilience testing.
5.4 Cryptocurrencies, tokens, and stablecoins
Portugal’s crypto rules sit on two clear pillars: anti‑money laundering and securities law. Currently, the BoP is the primary gatekeeper for crypto‑asset service providers, while the CMVM steps in whenever a token qualifies as a security. That division of regulatory responsibilities remains in place as MiCA rolls out: MiCA is already in force at EU level, with its core obligations taking effect across 2024–25 and a Portuguese draft law designating the BoP and the CMVM as national competent authorities.
6 ESG
6.1 Regulatory requirements and changes
In Portugal, as across the EU, financial institutions face major ESG regulatory changes driven by EU law. The Corporate Sustainability Reporting Directive (CSRD) requires expanded ESG disclosures from 2025, while the SFDR and EU Taxonomy Regulation impose stricter sustainability reporting and classification rules. Portuguese banks must also comply with intensified ECB/EBA expectations to integrate climate risks into governance and risk management frameworks.
6.2 Disclosure of climate-related financial risks
Banks are required to systematically assess and disclose climate-related financial risks in accordance with EU and ECB/EBA supervisory requirements. Governance frameworks must embed oversight of both physical and transition climate risks into board responsibilities, risk appetite, and business strategy. Portuguese banks must include climate-related risks in their internal capital adequacy assessment process and liquidity planning, and are subject to ECB/EBA requirements to run scenario analyses and stress tests, often using Network for Greening the Financial System-aligned scenarios, to assess the quantitative impact on risk-weighted assets and capital.
7 Enforcement and dispute resolution
7.1 Dispute resolution mechanisms
Disputes between banks and customers may vary, depending on the nature of the customer (i.e., whether they are deemed a “consumer”). Consumers benefit from consumer protection rules as well. Several legal frameworks in Portugal have also been transposed to extend consumer protections to microenterprises that generally benefit from these added safeguards.
Disputes between banks and customers can be settled through:
Internal complaints;
The BoP complaints ombudsman or CMVM complaints platform;
Arbitration and mediation;
Judicial proceedings; and
Regulatory actions.
7.2 Enforcement powers
Banks are jointly regulated by the BoP and the CMVM and may face regulatory actions from both, depending on the type of services being offered. Their investigative and enforcement powers are quite extensive and generally include:
Conducting investigations and inspections;
Ordering corrective measures;
Imposing administrative sanctions;
Suspending or revoking authorisations; and
Publishing sanctions and warnings to the public.
7.3 Enforcement examples
Recent examples of enforcement and supervisory actions by the BoP include fines imposed on banks for failures in AML controls, breaches of conduct rules, and insufficient consumer information. The BoP has also concluded an overall supervisory exercise on all payment institutions that resulted in the application of regulatory fines.
Recent fines have also been imposed by the CMVM against investment firms for breaches of securities regulations.
8 Insolvency
8.1 Regime for banks and financial institutions
The Portuguese insolvency regime for banks and financial institutions deviates from the insolvency rules that generally apply to other companies. Banks are instead subject to the special resolution and bail-in regime resulting from the BRRD, as transposed into the RGICSF.
Under this framework, where a bank is determined to be failing or likely to fail, the BoP may intervene and implement the resolution measures deemed relevant at each moment, rather than traditional winding-up proceedings, with the ultimate focus on maintaining financial stability and protecting depositors.
8.2 Systemically important banks
The Portuguese banking resolution regime is aligned with the EU’s BRRD framework, which sets out special resolution mechanisms for all credit institutions, but with a particular focus and additional safeguards for systemically important institutions. In summary, these include:
Resolution planning mechanisms;
Early intervention and resolution tools; and
Cooperation at the EU level.
8.3 Lenders’ enforcement options outside insolvency proceedings
Outside formal insolvency/resolution measures, lenders in Portugal may enforce their rights through:
Out-of-court settlements;
Special recovery plan proceedings;
Enforcement of security; and
Set-off.
8.4 Treatment of secured creditors in an insolvency or a restructuring
Secured creditors enjoy priority over the proceeds of the secured assets. In a bank resolution or insolvency, security interests are generally accounted for when creditors’ rankings are defined by the enforcement courts, and secured creditors can generally enforce against the collateral, with their claims paid in preference to unsecured creditors from the asset’s value.
However, the resolution authority (the BoP) may impose temporary stays on enforcement of security rights during the resolution process.
9 Current challenges and outlook
9.1 Main challenges faced by banking and finance institutions
Institutions face margin compression as ECB rates ease, while managing persistent credit risks, especially among vulnerable households and SMEs. The evolving capital framework (CRR3/CRD6) and macroprudential buffers set by the BoP strain capital planning. With DORA applying from January 2025, substantial investment in ICT risk management and third-party oversight is required to meet new supervisory priorities on operational resilience.
9.2 Expected regulatory developments
Significant regulatory developments for Portuguese banks over the coming years include the final implementation of Basel III/CRR3/CRD6 from 2025. DORA entered into force in January 2025, requiring robust ICT risk governance and incident reporting. The full implementation of MiCA will tighten crypto-asset regulation, and incoming EU AML reforms will heighten expectations in this area.
Sustainable finance rules will intensify, with expanded CSRD/European Sustainability Reporting Standards climate disclosures, possible SFDR revisions, and stricter ESG data/reporting obligations.
The EU AI Act is beginning to be phased in from 2025, and further updates to EU payments and data frameworks are expected in due course.