National Digital Strategy Action Plan for 2026–2027 and National Artificial Intelligence Agenda for 2026–2030

National Digital Strategy Action Plan for 2026–2027 and National Artificial Intelligence Agenda for 2026–2030

Concrete legal impacts for directors and investors

I. Object and scope

This information aims to identify, from a strictly legal and operational perspective, the concrete impacts arising from the approval of the National Digital Strategy Action Plan 2026–2027 and the National Artificial Intelligence Agenda 2026–2030, with particular focus on directors’ duties and risk assessment by institutional investors, private equity, venture capital and lenders.

II. Legal nature of the instruments and their practical normative value

Both instruments constitute public policy acts approved by Resolution of the Council of Ministers and do not create direct legal obligations for private parties. However, they generate relevant indirect legal effects, namely because they:
(i) bind the conduct of Public Administration;
(ii) ncreasingly form part of eligibility criteria for public and EU funding programs;
(iii) influence technical standards required in public procurement;
(iv) contribute to the densification of the concept of the duty of care required from directors under Article 64 of the Portuguese Companies Code.

III. Impact on directors’ duty of care (Article 64 Portuguese Companies Code)

The duty of care of directors is assessed by reference to the standard of a diligent and orderly manager, considering the circumstances and technical context. Once the State formally designates data governance, cybersecurity and responsible use of artificial intelligence as strategic and structural priorities, the objective standard of diligence evolves. In practical terms, the complete absence of internal structure in these areas (policies, responsible officers, minimum documentation) may, in certain contexts, be legally regarded as negligent management.

IV. Data governance and legal exposure (Articles 5, 24, 25 and 32 GDPR)

The national focus on data reuse, interoperability and digitalisation of public services intensifies scrutiny regarding organisations’ compliance with the GDPR. The accountability principle (Articles 5 and 24 GDPR) requires controllers to be able to always demonstrate compliance. In practice, organisations lacking documented internal policies, decision records, risk assessments and adequate organisational measures are structurally vulnerable in the event of audits, inspections or disputes.
In practice, organizations lacking documented internal policies, decision records, risk assessments, and adequate organizational measures are structurally vulnerable in the event of an audit, inspection, or litigation.

V. Artificial Intelligence and applicable legal framework (Regulation (EU) 2024/1689)

The use of AI systems must be assessed considering Regulation (EU) 2024/1689 (AI Act). Systems used in recruitment, credit assessment, behavioral scoring or automated decision-making are likely to qualify as high-risk systems, triggering specific obligations regarding risk management, technical documentation, human oversight and transparency. The absence of any inventory of AI systems used or internal policy governing their use may generate significant legal risk.

VI. Direct impact on investment and financing transactions

In investment, financing and M&A transactions, these matters are increasingly incorporated into due diligence processes, through requests for:
• Data protection and cybersecurity policies;
• Description of the technological architecture;
• Identification of AI systems in use;
• Record of past security incidents.

The lack of minimum internal structure typically results in valuation adjustments, additional conditions precedent or strengthened representations and warranties.

VII. Identifiable concrete legal consequences

From the combined analysis of these instruments and the binding legal framework, the following concrete legal risks are already observable in practice:
(i) increased exposure to civil liability for organisational failure;
(ii) heightened risk of directors’ liability in the event of foreseeable incidents;
(iii) greater regulatory and contractual scrutiny in matters of data and technology;
(iv) direct impact on the company’s negotiating position in structured transactions.

Conclusion

The impact of these instruments does not lie in the creation of immediate formal obligations, but in the substantial shift in the legal standard of diligence expected from organisations. For directors and investors, the absence of minimum organisational structure in digital governance is no longer merely an operational weakness, but a material legal risk.