In turn, Decree-Law 2/2025, which we will analyse here, establishes a set of basic provisions for the effective implementation of Regulation (EU) 2022/868 in Portugal. It is applicable to events that take place on Portuguese territory, regardless of the nationality of the agent.
Introduction
Decree-Law 2/2025 of 23 January “Decree-Law 2/2025”) incorporates into the Portuguese legal system Regulation (EU) 2022/868, which amended Regulation (EU) 2018/1724 on European data governance (“Data Governance Regulation” or just “Regulation”).
The Data Governance Regulation was the first regulation adopted as part of the European Union's (“EU”) data strategy. Its objective was to maximise the potential of data by promoting not only its circulation, but also its management and sharing in a secure way between public and private entities and citizens, taking into account the fundamental role of data in the digital age.
Regulation (EU) 2022/868 essentially (i) establishes the conditions for the re-use within the EU of certain categories of data held by public sector organisations; (ii) provides for a notification and supervision system to provide data intermediation services; (iii) establishes a system for the voluntary registration of entities that collect and process data made available for altruistic purposes; and (iv) provides for the establishment of a European Data Innovation Board.
In turn, Decree-Law 2/2025, which we will analyse here, establishes a set of basic provisions for the effective implementation of Regulation (EU) 2022/868 in Portugal. It is applicable to events that take place on Portuguese territory, regardless of the nationality of the agent.
Key aspects of Decree Decree-Law 2/2025
Decree-Law 2/2025 aims to ensure compliance with the obligations imposed on Member States by the Regulation and to define the system of penalties arising from the provisions of the Data Governance Regulation.
We will now take a closer look at some of the key national implementation measures.
Designation of competent authorities
Decree-Law 2/2025 designates different national competent authorities for data intermediation services and for the registration of data altruism organisations:
Re-use of public sector data
Mechanisms are defined to facilitate the re-use of data held by public entities, especially those that cannot be made available as open data due to legal or confidentiality restrictions. The Decree-Law sets out clear procedures so that third parties can request and use this data transparently and securely, ensuring innovation and the development of new services.
Data intermediation service providers
The law regulates the activities of service providers who act as intermediaries in the exchange of data between different organisations. Rules will be established to ensure the neutrality, transparency and independence of these providers in order to protect the interests of data subjects and to promote trust in the data market.
Promoting data altruism
The Decree-Law promotes data altruism, allowing individuals and organisations to voluntarily make their data available for purposes of general interest, such as scientific research, improvement of public services, social benefit or development of public policies.
Structures will be put in place to facilitate this voluntary sharing, while ensuring that the rights of data subjects are protected.
Penalties
Articles 7 and 8 of Decree-Law 2/2025 define the acts and activities that constitute administrative offences (serious, very serious or minor) in the provision of data intermediation services and in the context of data altruism. Article 10 specifies the penalties applicable to them:
- Very serious administrative offences are punishable by a fine of between €2,500 and €3,740 for natural persons and between €20,000 and €44,589 for legal persons.
- Serious administrative offences are punishable by a fine of between €500 and €2,500 for natural persons and between €5,000 and €20,000 for legal persons.
- Minor administrative offences are punishable by a fine of between €100 and €1,000 for natural persons and between €1,000 and €5,000 for legal persons
In addition to the fine, very serious administrative offences may be subject to additional penalties, depending on the seriousness of the offence and the culpability of the offender. Additional penalties apply in accordance with the provisions of the applicable legislation on administrative offences, which is applicable on a subsidiary basis.
These penalties apply to breaches of (i) the obligations relating to the transfer of non-personal data to third countries; (ii) the notification requirements applicable to data intermediation service providers, as well as (iii) the conditions for the provision of data intermediation services and the conditions for registration as a recognised data altruism organisation.
Impact and challenges of the new law
It is expected that the implementation of Decree-Law 2/2025 will have a significant impact on the digital economy and this will be felt by public and private entities. There is also the prospect of greater efficiency and security in the use of data to formulate public policies and the development of new services and innovative solutions based on data.
Despite the obvious benefits, the implementation of the Regulation in Portugal will certainly face significant challenges. Its effective implementation will depend on cooperation between public and private organisations, so that Portugal can position itself competitively in the European digital landscape. It will also be necessary to ensure a balance between data sharing and the protection of privacy and security. It will also be essential to promote the development of appropriate technical infrastructures to support the data ecosystem, enabling the effective and secure application of the new guidelines, while relying on companies and public institutions to comply with the new data governance rules.