Whistleblower law in Portugal #
Portugal implemented Directive (EU) 2019/1937 through Lei n.º 93/2021, de 20 de dezembro. The core private-sector trigger follows the familiar 50-worker line, but external reporting remains authority-specific rather than centralized around one universal whistleblowing office.
Applicable law #
Who must establish an internal channel #
- Legal entities with 50 or more workers (including the State and public-law entities).
- Financial / AML, transport-safety, and environmental entities — regardless of headcount.
- Medium entities (50-249 workers) may share resources for receiving and following up reports; municipalities under 10,000 inhabitants are excluded.
Penalties and enforcement #
Portugal fixes an explicit fine for not having a channel. Failing to maintain a compliant internal channel is a contraordenação grave under Art. 27(3)(a) — verbatim, “Não dispor de canal de denúncia interno, nos termos previstos no artigo 8.º…” The most severe tier is reserved for conduct against reporters.
| Offence tier (Art. 27) | Legal persons | Natural persons |
|---|---|---|
| Grave — no internal channel (Art. 27(3)(a)), inadequate safeguards, no designated officer | €1,000–125,000 | €500–12,500 |
| Muito grave — obstruction (art. 7), retaliation (art. 21), breach of confidentiality (art. 18), knowingly false disclosure (Art. 27(1)) | €10,000–250,000 | €1,000–25,000 |
An honest assessment of enforcement. The no-channel fine is real and reaches €125,000 for a company. In practice, though, enforcement against whistleblowing-channel breaches has not yet materialised: as of November 2025 MENAC had opened 11 contraordenação proceedings — but those concern the separate corruption-prevention regime (RGPC), not the Lei 93/2021 channel obligations, and no fine has been imposed for whistleblowing-channel non-compliance to date. The obligation and the fine are firmly on paper; the enforcing authority (MENAC, under Art. 29) is operational but has not yet sanctioned a channel breach.
External reporting authority #
Portugal does not use one single catch-all external whistleblowing authority. The Ministry of Justice guidance directs reporters to the competent authority for the subject matter.
Data protection authority #
For GDPR and confidentiality complaints, the relevant authority is the Comissão Nacional de Proteção de Dados (CNPD) .
Key compliance points #
- Portuguese official guidance treats external reporting as authority-specific, so the correct regulator depends on the subject matter.
- The law is framed around secure, confidential intake and protection against retaliation.
- For most private employers, the practical deployment question is still whether the organization has reached the 50-worker threshold.
Official sources #
- Lei 93/2021 — official text
- Ministry of Justice — general regime for whistleblower protection
- MENAC — whistleblower regime FAQ (enforcing authority)
- Lei 93/2021 — consolidated text (PGDLisboa)
- CNPD — complaints and participations
Deploy your reporting channel →
Last updated: