SRIJ
AI Regulation in Portugal iGaming
Servico de Regulacao e Inspecao de Jogos (SRIJ) — regulatory overview for AI use cases in Portugal's gambling market.
Regulator Overview
Portugal regulates online gambling through Decree-Law 66/2015 (DL 66/2015), which established a licensing framework administered by the Servico de Regulacao e Inspecao de Jogos (SRIJ), operating under the Ministry of Economy. The regime requires all operators offering online gambling to Portuguese residents to hold a valid SRIJ licence, covering sports betting, poker, casino games, and fixed-odds betting. SRIJ conducts ongoing technical compliance audits and imposes strict requirements on platform integrity, fair play, and responsible gambling measures.
Data protection in Portugal is enforced by the Comissao Nacional de Protecao de Dados (CNPD), which applies the EU General Data Protection Regulation (GDPR) with particular vigilance around automated decision-making and profiling. Operators deploying AI systems that process player behavioural data for segmentation, personalisation, or risk scoring must ensure GDPR Article 22 compliance, including meaningful human oversight and the right to contest automated decisions. CNPD has issued guidance emphasising transparency obligations for data controllers using algorithmic systems.
As an EU Member State, Portugal is subject to the EU AI Act (Regulation 2024/1689), which entered into force in August 2024 with phased implementation through 2027. Operators using AI in high-risk contexts such as creditworthiness-adjacent affordability checks or player vulnerability profiling will need to comply with the Act's requirements for risk management, data governance, transparency, and human oversight. Portuguese authorities are expected to designate a national competent authority for AI Act enforcement, coordinating with SRIJ and CNPD on gambling-sector applications.
Key AI & Data Rules
SRIJ Technical Standards for Online Platforms
All online gambling platforms licensed by SRIJ must meet rigorous technical standards covering random number generation, game fairness, and platform security. Any AI or algorithmic system integrated into the platform — including recommendation engines, risk models, or automated customer interactions — must be documented and made available for SRIJ audit upon request.
Player Protection and Responsible Gambling
DL 66/2015 mandates comprehensive responsible gambling measures, including self-exclusion mechanisms, deposit limits, and session time controls. AI systems used for player risk assessment or early intervention must operate transparently and must not be used to circumvent player protection measures or to target vulnerable players for commercial purposes.
CNPD Data Protection Enforcement
The CNPD enforces GDPR requirements on all data processing activities, including those involving AI. Operators must conduct Data Protection Impact Assessments (DPIAs) before deploying AI systems that profile player behaviour. Automated decisions with legal or similarly significant effects require explicit consent or a lawful basis, and players must be informed of the logic involved.
Advertising and Marketing Restrictions
Portuguese gambling advertising is regulated under DL 66/2015 and subsequent SRIJ directives, with strict rules on targeting minors, time-of-day restrictions, and content standards. AI-driven personalised advertising and CRM segmentation must comply with both advertising regulations and GDPR requirements for consent-based marketing communications.
Anti-Money Laundering and Identity Verification
Operators must comply with Portugal's AML framework (Law 83/2017, transposing the EU's 4th and 5th Anti-Money Laundering Directives). AI systems used for KYC verification, transaction monitoring, or fraud detection must maintain auditable decision trails and cannot replace the regulatory obligation for human review of suspicious activity reports.
Regulatory Sources
Decree-Law 66/2015 — Legal Framework for Online Gambling
SRIJ / Government of Portugal
SRIJ Licensed Operators and Regulatory Guidance
SRIJ
CNPD — Guidelines on Automated Decision-Making and Profiling
Comissao Nacional de Protecao de Dados
EU AI Act — Regulation (EU) 2024/1689
European Parliament and Council
Law 83/2017 — Prevention of Money Laundering and Terrorist Financing
Government of Portugal / Banco de Portugal
Frequently Asked Questions
Do I need SRIJ approval before deploying AI features on my licensed platform?
SRIJ does not currently require pre-approval for AI features, but all algorithmic systems integrated into licensed platforms must be documented and available for regulatory audit. Any material change to platform functionality — including the introduction of AI-driven features — should be reported to SRIJ as part of ongoing compliance obligations under DL 66/2015.
How does Portugal's CNPD treat AI-based player profiling under GDPR?
The CNPD applies GDPR Article 22 strictly to automated profiling with significant effects. Operators must conduct a DPIA before deploying AI profiling systems, provide clear information to players about automated processing, and ensure meaningful human oversight. Players have the right to contest automated decisions and request human intervention.
When will the EU AI Act affect Portuguese gambling operators?
The EU AI Act entered into force in August 2024, with prohibited practices bans applying from February 2025 and high-risk system obligations phasing in through August 2027. Portuguese operators using AI for player vulnerability assessment, affordability checks, or similar high-risk applications should begin compliance planning now, as Portugal will designate a national competent authority to oversee enforcement.
Can I use AI for personalised gambling advertising in Portugal?
AI-personalised advertising is permitted but heavily constrained. Operators must comply with SRIJ advertising directives (including time-of-day restrictions and content standards), GDPR consent requirements for behavioural targeting, and the prohibition on targeting minors or self-excluded players. AI systems used for ad personalisation must be auditable and transparent.
What AML obligations apply to AI-powered fraud detection in Portugal?
Under Law 83/2017, operators must implement robust AML controls including customer due diligence and transaction monitoring. AI-powered fraud detection systems can supplement these controls but cannot replace the legal requirement for human review and filing of suspicious transaction reports. All AI-assisted AML decisions must maintain a full audit trail.
Assess your AI use case in Portugal
Check whether your AI use case is low, medium, or high risk under SRIJ regulation — with source-backed guidance.
Start Free AssessmentOperational guidance, not legal advice.