Ecosystem: datacenters.pt·centrosdedados.com·centrosdedados.pt
HomeApplicable Regulation

Applicable Regulation — EU Framework & Portuguese Transposition

Systematic mapping of the EU and Portuguese regulatory instruments applicable to data centers in Portugal. Each regime is presented in two columns — EU framework and Portuguese transposition or specifics — with scope, deadlines, obligations, sanctions and implementation notes. Portuguese diplomas are preserved in Portuguese on first occurrence with English translation in parentheses.

The EU regulatory stack applicable to data centers is the densest in the world and is converging rapidly over the 2026-2027 horizon. Portugal has transposed key directives with local specificities that investors and operators must factor into decision-making. This page provides a consolidated reference, with each regime presented in a double-column layout designed for comparative reading.

1. Energy Efficiency Directive — EED

EU Framework

Directive (EU) 2023/1791, Article 12 — mandatory annual reporting for data centers with IT power capacity of 500 kW or more. 18 KPIs including PUE, WUE, ERF, REF. Official template defined by Delegated Regulation (EU) 2024/1364. Additional Energy Efficiency Package for data centers expected for adoption in Q2 2026.

Portuguese Transposition & Specifics

The Portuguese transposition aligns closely with the EU text; the 500 kW threshold applies. Binding deadline: 15 May each year for data covering the previous calendar year. Submission via the EU database. No additional national thresholds have been set at the time of writing.

2. NIS2 Directive — Cybersecurity

EU Framework

Directive (EU) 2022/2555 classifies data centers as essential or important entities. Operators must adopt technical and organisational risk-management measures including network segmentation, encryption, multi-factor authentication, incident response and business continuity. Amendments proposed by the European Commission in January 2026 aim to simplify compliance.

Portuguese Transposition & Specifics

Transposed by Decree-Law 125/2025 (Decreto-Lei n.º 125/2025), in force since 3 April 2026. The Centro Nacional de Cibersegurança (CNCS) is the competent authority. Incident notification within 24 / 72 hours. First enforcement actions expected in 2026.

3. Digital Operational Resilience Act — DORA

EU Framework

Regulation (EU) 2022/2554, in force since 17 January 2025. Applies to financial entities and, by extension, to critical ICT third-party providers including data center operators. Requirements include an immutable third backup, physically and logically segregated, data recovery within two hours, and at least one manual test per year. European Supervisory Authorities notified critical ICT providers in July 2025.

Portuguese Transposition & Specifics

DORA is a directly applicable EU regulation; no transposition is required. The Portuguese financial regulator (Banco de Portugal) supervises compliance for financial sector clients. Data centers serving Portuguese banks, insurers and payment institutions must assess whether they qualify as critical providers.

4. Artificial Intelligence Act — AI Act

EU Framework

Regulation (EU) 2024/1689 imposes transparency, risk assessment and documentation requirements on AI systems and hosting infrastructure. For data centers: identification and classification of AI workloads, documentation of isolation and monitoring mechanisms, demonstration of data-flow controls. High-risk AI system obligations apply from 2 August 2026. Sanctions up to 7% of global turnover.

Portuguese Transposition & Specifics

Directly applicable EU regulation. National authority designation is under finalisation. The Portuguese data center sector — with 80% of committed investment earmarked for AI-intensive capacity — is particularly exposed to AI Act obligations via its client workloads.

5. Corporate Sustainability Reporting Directive — CSRD

EU Framework

Directive (EU) 2022/2464 requires large companies, including data center operators above defined thresholds, to report impacts, opportunities and risks under the European Sustainability Reporting Standards (ESRS). After the Omnibus I amendments approved in December 2025, scope narrows to companies with more than 1,000 employees and turnover above EUR 450 million.

Portuguese Transposition & Specifics

Transposed into Portuguese law with adaptations to the national Accounting Standardisation System (SNC). Interaction with Portuguese operators typically arises either when they exceed the scope thresholds or when they are part of a consolidated group subject to CSRD.

6. General Data Protection Regulation — GDPR

EU Framework

Regulation (EU) 2016/679 remains the foundational framework for personal data protection, with direct implications for data centers as processors and, in certain cases, controllers. Data sovereignty, intensified by the AI Act, reinforces data localisation and transfer requirements. Sanctions up to 4% of global turnover.

Portuguese Transposition & Specifics

Executed nationally by Law 58/2019 (Lei n.º 58/2019) for general GDPR application and Law 59/2019 (Lei n.º 59/2019) for competent authorities in the criminal investigation context. CNPD (Comissão Nacional de Protecção de Dados) is the national supervisory authority.

7. Portuguese National Data Center Plan & Fast-Track Licensing

EU-level Context

EU-level Cloud and AI Development Act expected for adoption alongside the Strategic Roadmap for the Digitalisation and AI in the Energy Sector. Member States, including Portugal, aligning national plans with these wider EU policies.

Portugal-Specific Framework

Council of Ministers Resolution 70/2026 (Resolução do Conselho de Ministros n.º 70/2026, RCM 70/2026) approved on 13 April 2026, defines 15 initiatives across four strategic axes (Regulation & Governance, Energy & Infrastructure, Demand & Positioning, Territory & Ecosystem). Decree-Law 80/2023 (Decreto-Lei n.º 80/2023) establishes the exceptional licensing regime for data centers. AICEP acts as the single point of contact for international investors.

8. International Technical Standards

ISO/IEC 27001:2022

Information Security

  • Baseline ISMS reference
  • Strengthened 2022 update
  • Annex A: 93 controls
ISO 50001

Energy Management

  • Increasingly required
  • Articulation with EED
  • Third-party certification
EN 50600

European DC Standard

  • Design and operation
  • Availability, physical security
  • Energy efficiency
NIST CSF 2.0

Cybersecurity Framework

  • Published Feb 2024
  • Added Govern function
  • Corporate governance
JRC Framework

EU Taxonomy

  • Activity 8.1 Climate Delegated Act
  • Evidence engineering
  • Conformity demonstration
EU Code of Conduct

DC Code of Conduct

  • Voluntary participation
  • European best practices
  • Basis for internal policies

Timeline of binding deadlines · 2026

3 April 2026

DL 125/2025 (NIS2) enters into force

Portuguese transposition of NIS2. CNCS as competent authority. First enforcement actions during the year.

13 April 2026

RCM 70/2026 (PNCD) published

15 initiatives across four strategic axes for the 2026-2027 horizon.

15 May 2026

EED Article 12 reporting deadline (2025 data)

Mandatory submission for data centers with IT power capacity of 500 kW or more.

2 August 2026

AI Act high-risk provisions apply

High-risk AI system obligations come into force, with impact on data centers hosting such workloads.

Q2 2026

EU Energy Efficiency Package for DCs

Expected adoption of complementary legislative package by the European Commission.

Navigate this matrix with a dedicated partner

Request a free diagnostic of your current regulatory posture.

Request Diagnostic