As the European Union implements its landmark Markets in Crypto-Assets Regulation (MiCA) and navigates complex new rules around smart contracts and data protection, international crypto businesses face unprecedented challenges and opportunities in accessing the European market. Portugal, once hailed as the "California of Europe" for crypto entrepreneurs, now finds itself at a critical juncture as it works to balance its crypto-friendly reputation with EU compliance requirements.

In this exclusive Q&A, we speak with Luiza Rey, Partner and Head of Corporate & Web3 at FiO Legal, one of Portugal's leading innovative law firms specializing in global citizens, startups, and Web3 projects. With extensive experience across corporate law, M&A, and international regulatory frameworks, Luiza has been at the forefront of Portugal's crypto ecosystem development and has advised numerous international clients on European market entry strategies.

As a frequent speaker at global Web3 conferences and a recognized expert in blockchain regulation, Luiza brings unique insights into how the intersection of traditional corporate law and emerging crypto regulations is creating both opportunities and pitfalls for international businesses seeking European market access.

FiO Legal, Portuguese for "thread," connects global entrepreneurs and investors to tailored legal solutions in Portugal, with a particular focus on bridging the gap between cutting-edge technology and regulatory compliance. The firm's modern, tech-savvy approach has made it a go-to advisor for crypto projects navigating the complex European regulatory landscape.

In this comprehensive discussion, Luiza addresses three critical areas: Portugal's implementation of MiCA and what it means for EU market access strategies, the practical implications of the EU Data Act's "kill switch" requirements for DeFi protocols, and the unique challenges facing cross-border M&A transactions in the crypto space. Her insights provide essential guidance for any international crypto business considering European expansion or seeking to understand the evolving regulatory environment.

Question 1: MiCA Implementation and EU Market Access

Portugal has been positioning itself as a crypto-friendly jurisdiction within the EU framework. With MiCA now in effect across the European Union, how is Portugal's implementation approach creating opportunities or challenges for crypto businesses? What strategic advantages does Portugal offer for companies seeking EU market access under the new regulatory regime, and how should international crypto firms approach their European expansion strategy?

Until 2022, Portugal stood out as one of the leading crypto hubs worldwide, attracting high-profile entrepreneurs from across the industry to what many called the “California of Europe.”

The appeal was clear: a favourable personal tax policy — largely the result of government inaction on crypto taxation — created an extremely attractive environment for individual market participants.

However, more than six months after the EU deadline for Member States to implement the necessary national measures for the Markets in Crypto-Assets Regulation (MiCA), Portugal has yet to act. Out of 27 Member States, only three remain non-compliant.

What does this mean in practice?

If you want to launch a crypto-asset business in Portugal — whether offering services, issuing, or conducting an offering — you are effectively blocked. There is no designated competent authority, no clear licensing process, and therefore no way to obtain the authorisations required under MiCA. In practical terms, Portugal is “outside MiCA” and therefore outside the EU’s single crypto-asset market.

Even if Portugal eventually legislates — inevitably late — the key question remains: what real advantage is there today for a crypto project to set up here, when it could establish in another MiCA-compliant Member State and immediately benefit from EU passporting rights?

Portugal still has a significant pool of highly skilled talent that relocated here in recent years, attracted by favourable personal tax treatment. Yet this same community remains unable to create crypto businesses domestically — not due to a lack of regulation, but because of a corporate tax system that offers no strategic incentives. Corporate income tax (IRC) and social security burdens are effectively uniform across all sectors, leaving no tailored framework for emerging or high-growth industries like crypto.

As a result, many projects are incorporating in other EU jurisdictions, obtaining their MiCA licence there, and then passporting into Portugal — without creating jobs, paying taxes, or building operational capacity in the country.

Portugal has, metaphorically, built half the road and stopped. The missing half requires not only urgent MiCA implementation but also a strategic review of corporate taxation for innovative sectors. Without both, the country will remain stuck in a limbo of untapped potential, with capital and talent on standby but no real incentive to deploy them here.

Strategic advice for international crypto firms:

If EU market access is your priority under MiCA, you should consider launching in a jurisdiction that is already MiCA-compliant, where you can secure licensing swiftly and benefit from passporting into all Member States — including Portugal. Portugal’s talent pool and lifestyle advantages remain attractive for team relocation, but as of now, it should be approached as a secondary base of operations rather than your primary regulatory entry point.

That said, Portugal could be an exceptional long-term jurisdiction for crypto businesses, given the strong ecosystem (hub) that already exists here and the high level of preparedness within the CMVM (Portugal’s securities regulator). The CMVM has demonstrated a deep understanding not only of the technology, but also of the MiCA framework and the crypto market itself. This creates a rare environment for constructive dialogue between businesses and regulators. For companies that do not need to launch immediately, a viable strategy could be to secure MiCA compliance in another jurisdiction now, and wait to apply in Portugal once the framework is in place — gaining the benefit of working in a country that remains open to crypto and with an authority that truly understands both the market and the law.

Question 2: Smart Contract Regulation and the EU Data Act

You've written about the EU Data Act's "kill switch" requirements for smart contracts and the legal uncertainties this creates. How are you advising Web3 projects and DeFi protocols to navigate these requirements while maintaining the decentralized nature that makes their technologies valuable? What practical solutions have you developed to help clients comply with EU data regulations without compromising their core blockchain functionality?

On 14 March 2023, the European Parliament passed the Data Act, aimed at protecting data privacy while fostering innovation. However, one provision — Article 30 — has become a focal point of debate in the blockchain community. This article requires that all smart contracts include a “termination or interruption mechanism,” commonly referred to as a kill switch.

Under Article 30, a smart contract must have a clearly defined way to either destroy the contract or pause its operation in the event of a major bug, security breach, or similar emergency. The intent is to prevent the continued execution of potentially harmful transactions and to allow a reset or halt to avoid further accidental executions. The law also calls for these conditions to be transparently defined within the contract.

While this may sound like a sensible security measure, the provision has raised strong concerns within the Web3 and DeFi sectors. The core worry is that such mechanisms, if poorly designed or centrally controlled, could undermine decentralisation by concentrating too much power in the hands of an administrator or even a regulator. Critics see a potential slippery slope toward centralised control, while supporters view it as a necessary safeguard — a way to prevent catastrophic incidents like the 2016 DAO hack.

The challenge is compounded by the fact that the Data Act itself is, in many respects, a confusing and flawed piece of legislation. Its drafting leaves wide margins for interpretation, creating uncertainty not only around enforcement but also around core concepts such as what constitutes a “kill switch” in different technical contexts. This is precisely why the European Commission’s FAQs, updated on 3 February 2025, are so important: they offer much-needed clarifications and help organisations fine-tune their compliance strategies. However, the kill switch provision was notably absent from these clarifications. This means that while the legal requirement is clear in principle, uncertainty persists at the market level — around how it will be applied, interpreted by Member States, and perceived by users and investors.

How we advise clients to navigate this

Our approach is to help projects comply with the Data Act without compromising the decentralised principles that make their technologies valuable. Key strategies include:

Decentralised Governance for the Kill Switch: Embedding the pause/termination authority into a multi-signature or DAO-governed process, ensuring no single individual or entity can act unilaterally.

Split-Key Architecture: Using separate cryptographic keys for pausing and unpausing a contract, stored securely offline, to minimise attack surfaces.

Scoped Permissions: Designing kill switch functions that are narrowly defined — for example, only pausing certain functions rather than the entire contract, or automatically triggering based on pre-agreed on-chain conditions.

Transparent On-Chain Rules: Encoding clear, immutable rules in the smart contract code to define exactly under what conditions the mechanism can be activated, avoiding discretionary or opaque decision-making.

Jurisdictional Alignment: Considering where the contract is deployed and which regulator will have oversight, as enforcement and expectations may vary across the EU despite the harmonised framework.

Practical takeaway for Web3 and DeFi teams
For projects already operating in the EU or targeting EU users, it is wise to start incorporating compliant kill switch mechanisms now — not as centralised admin backdoors, but as security features embedded within decentralised governance structures. This approach satisfies Article 30 requirements, aligns with GDPR and consumer protection obligations, and reassures both regulators and users, all while preserving core blockchain principles.

Ultimately, the Data Act’s kill switch provision will be judged not only on how it is legislated but on how it is implemented in practice. Those who design with both compliance and decentralisation in mind will be best placed to maintain trust, mitigate legal risk, and continue innovating in the EU market.
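The decentralised-governance, split-key and scoped-permission strategies listed in the answer above can be combined in one contract. The Solidity sketch below is an added example, not code from FiO Legal or the interviewee. The contract, the guardian and unpauser roles and the vault functions are hypothetical and unaudited.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, unaudited; contract, role and function names are hypothetical.
contract ScopedPauseVault {
    uint256 public immutable pauseQuorum;     // guardian approvals needed to pause
    address public immutable unpauser;        // separate authority, e.g. a DAO timelock
    mapping(address => bool) public isGuardian;
    mapping(bytes4 => bool) public paused;    // pause state per function selector
    mapping(bytes4 => uint256) public round;  // bumped on each pause so old approvals expire
    mapping(bytes4 => mapping(uint256 => mapping(address => bool))) public approved;
    mapping(bytes4 => mapping(uint256 => uint256)) public approvals;
    mapping(address => uint256) public balances;
    event PauseApproved(bytes4 indexed selector, address indexed guardian, uint256 count);
    event Paused(bytes4 indexed selector);
    event Unpaused(bytes4 indexed selector);

    constructor(address[] memory guardians, uint256 quorum, address unpauser_) {
        require(unpauser_ != address(0) && quorum > 1 && quorum <= guardians.length, "bad config");
        for (uint256 i = 0; i < guardians.length; i++) {
            address g = guardians[i];
            require(g != address(0) && g != unpauser_ && !isGuardian[g], "bad guardian");
            isGuardian[g] = true;
        }
        pauseQuorum = quorum;
        unpauser = unpauser_;
    }

    // msg.sig is the selector of the external call, so each function is gated separately.
    modifier whenNotPaused() { require(!paused[msg.sig], "function paused"); _; }

    // Each guardian approves once per round; the approval that reaches quorum pauses.
    function approvePause(bytes4 selector) external {
        require(isGuardian[msg.sender] && !paused[selector], "not allowed");
        uint256 r = round[selector];
        require(!approved[selector][r][msg.sender], "already approved");
        approved[selector][r][msg.sender] = true;
        uint256 count = ++approvals[selector][r];
        emit PauseApproved(selector, msg.sender, count);
        if (count >= pauseQuorum) {
            paused[selector] = true;
            round[selector] = r + 1;
            emit Paused(selector);
        }
    }

    // Guardians cannot unpause: the constructor rejects an unpauser who is also a guardian.
    function unpause(bytes4 selector) external {
        require(msg.sender == unpauser && paused[selector], "not allowed");
        paused[selector] = false;
        emit Unpaused(selector);
    }
    function deposit() external payable whenNotPaused { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) external whenNotPaused {
        balances[msg.sender] -= amount; // checked arithmetic reverts on overdraw
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Once a quorum of guardians has called `approvePause(this.deposit.selector)`, deposits halt while `withdraw` stays callable, and every approval, pause and unpause is recorded as an on-chain event.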

Question 3: Cross-Border M&A in the Crypto Space

Given your expertise in both M&A transactions and crypto law, what unique legal challenges are you seeing in cross-border acquisitions and investments involving crypto companies? How do traditional corporate law principles need to adapt when dealing with tokenized assets, DAOs, and decentralized protocols, and what due diligence considerations are critical for investors entering the European crypto market through Portuguese entities?

Mergers and acquisitions in the crypto sector are unlike any other deal type. The combination of fast-moving technology, evolving regulation, and decentralised governance means that traditional corporate law needs to adapt — and due diligence needs a whole new playbook.

Below, we break down the unique legal challenges, how corporate law must evolve, and what investors should focus on when entering the EU through a Portuguese vehicle.

1. Unique Legal Challenges in Crypto M&A

Regulatory perimeter and licensing
MiCA creates a single EU rulebook for crypto‑asset service providers. Licences are granted in one Member State and can be passported. In a cross‑border deal you must verify what activities the target actually performs, which MiCA permissions it holds or needs, and whether change‑of‑control notifications or reauthorisations are required. During Portugal’s transition, confirm which authority supervises the activity and whether the licence sits in another EU state.

Token classification and securities triggers
You must map every token the business touches. Asset‑referenced tokens, e‑money tokens, utility tokens and any tokens that qualify as financial instruments will drive which regimes apply. This affects marketing rules, white papers, market abuse rules, custody standards and disclosure.

Control of digital assets
Ownership of private keys equals ownership of assets. Diligence must confirm how treasury wallets are governed, who can sign, how quorum works, whether there are time‑locks, what emergency controls exist and how an acquirer will take control at closing. Plan a key handover ceremony, update multisig policies, rotate keys, and document the full wallet inventory, including cold, warm and hot storage.

AML, sanctions, and the Travel Rule
Test the target’s KYC and KYB quality, blockchain analytics coverage, Travel Rule compliance, sanctions screening and record‑keeping. Check historic exposure to mixers, sanctioned addresses and high‑risk jurisdictions. Validate policies and training and pull samples.

Data, privacy, and the EU Data Act
Review GDPR posture, lawful bases, data mapping and processor contracts. For smart contracts that process data, check how termination or interruption mechanisms are designed and governed to avoid centralised backdoors while meeting legal requirements.

Consumer and market integrity
If tokens are traded, assess market manipulation risk, disclosure controls, listing practices and communications. Where tokens fall under financial instruments, align with market abuse and MiFID‑style rules.

Technology and security risk
Audit reports, severity backlogs, bug bounty scope, incident history, dependency on oracles and bridges, upgradeability patterns, proxy admin rights and any admin functions that can pause contracts. Look for single‑maintainer risk on critical repos.

IP and open source
Confirm ownership of code, contributor agreements, third‑party license compliance and any copyleft risks. Verify rights to brand assets, domains, social accounts and front‑end code that serves the protocol.

Accounting and tax for tokens
Assess how tokens are valued, booked, and taxed — including revenue recognition for staking, lending, or trading activities.

People and governance
Review key-person risks, token vesting, DAO governance structures, and community voting requirements.

2. How Corporate Law Needs to Adapt

  • Defining what’s being bought: Deals must capture not just shares or assets, but also on-chain control, domain names, cloud admin rights, and governance privileges. A classic share or asset deal rarely captures all control levers. You must also secure on‑chain control, off‑chain infrastructure, domain and app store ownership, cloud consoles, analytics accounts and governance rights.
  • Crypto-specific warranties: Add reps on code provenance, audits completed, absence of undisclosed admin keys, truthful token supply disclosures, absence of undisclosed airdrops or obligations, sanctions and AML compliance on historic flows, keys generated and stored under stated policies, no backdoors, oracle and bridge dependencies disclosed.
  • Closing mechanics: Include regulator notifications, bank and custodian consents, exchange and stablecoin issuer consents, DAO vote approvals where applicable, successful key rotation and multisig reconstitution, completion of an on‑chain “pause and upgrade” if needed.
  • Fiduciary duties: Directors appointed by tokenholders face conflicts that are different from classic shareholder dynamics. You need clear conflict policies and disclosure for treasury‑impacting decisions.
  • Dispute resolution: Smart contract‑linked obligations should include clear governing law, forum and evidence standards that reference on‑chain data and signed messages.

3. Due Diligence Playbook for EU Entry via Portugal

Corporate & regulatory: Cap table, group chart, MiCA permissions, AML registrations, and passporting plans.

Tokenomics & cap table (on-chain): Total and circulating supply, vesting schedules, treasury policies, and investor rights.

Smart contracts & security: Audit reports, admin keys, upgrade paths, incident logs, and monitoring.

Wallets & custody: Address inventory, signing policies, insurance, and proof-of-reserves.

Commercial & partners: Banking, custodians, fiat ramps, market makers, and oracle providers.

Compliance stack: AML, GDPR, Travel Rule, risk assessments, and marketing approvals.

Data & privacy: Data maps, retention policies, and processor contracts.

IP & brand: Ownership of repositories, trademarks, and domains.

Financials & tax: Revenue recognition, token accounting, VAT footprint, and withholding risk.

People & culture: Key talent retention, token/equity incentives, and alignment with post-deal goals.

4. Portugal-Focused Strategy
In a nutshell, the most common strategy when currently talking about Portugal is:

  • Use a Portuguese Lda or S.A. as your EU operating hub for talent and back‑office.
  • If you need a MiCA licence quickly, obtain it in a compliant Member State and passport services in Portugal once local implementation is live.
  • Engage early with CMVM to align on scope and expectations. Maintain substance in Portugal to support banking, hiring and future authorisations.
  • Separate IP holding and operating risk where sensible, and document intercompany flows, including token transfers, under clear transfer pricing.

Bottom line: Cross-border crypto M&A demands a blend of traditional deal discipline and crypto-native risk management. Those who integrate regulatory foresight, technical diligence, and on-chain control into their acquisition strategy will be best positioned to capture value in Europe’s evolving digital asset market.
