The start of a new year is traditionally a time for taking stock. In the field of information security and document production, this assessment is particularly relevant today. Between European regulations that have come into force, directives in the process of being transposed into national law, and new requirements with a phased timetable, the legal context has become more complex—and also more consistent.

 There is a clear common thread: digital documents and data are no longer just operational support. They are now consideredcritical assets, subject to explicit requirements for legal validity, security, resilience, accessibility, and governance.

European eIDAS Regulation – tax validity of digital documents: a path laid out, still in transition

Within the scope of theeIDAS Regulation, there has been discussion about strengthening the mechanisms that ensure the authenticity and integrity of electronic documents with tax relevance, namely through qualified electronic seals or signatures.

Although this requirement has been announced on several occasions, its mandatory application has been repeatedly postponed. To date, and in accordance with the legal framework in force,there is still no general obligation, applicable in 2026, to use qualified electronic seals on invoices or equivalent documents in PDF format. These continue to be accepted provided they comply with the other legal requirements.

Nevertheless, the direction of legislative developments is clear: European and national legislators are moving towards a model in which the fiscal validity of digital documents is based on strong technical guarantees, aligned with qualified standards. The main concern for organizations should be the progressive preparation of their systems and processes, avoiding dependencies on solutions that will be difficult to adapt in the future.

European Digital Operational Resilience Act (DORA) Regulation – Digital operational resilience as a regulatory obligation

TheDORAregulation came into force onJanuary 17, 2025, introducing a common framework for digital risk management in the financial sector and in the entities that support it technologically.

 DORA does not focus solely on cybersecurity, but on the ability of organizations towithstand, respond to, and recoverfrom technological incidents. This includes systems, data, processes, and, inevitably, critical documents that support essential operations.

From a practical standpoint, the regulation requires greater visibility into information flows, technological dependencies, and external suppliers. Document management is no longer a peripheral issue and has become central to operational resilience.

European Accessibility Act Directive – Digital accessibility: documents usable by all

The national legislation transposing theEuropean Accessibility Actentered into force onJune 28, 2025, establishing accessibility requirements for a wide range of digital products and services.

 In many cases, these services include electronic documents made available to customers, users, or citizens. Accessibility is therefore no longer just a concern related to user experience, but now has a concrete legal dimension.

 For organizations, this means rethinking how documents are generated, structured, and distributed, ensuring compatibility with supporting technologies and compliance with recognized standards.

European NIS 2 Directive: more entities, more responsibility for critical information

The NIS 2 directive, transposed into Portuguese law by Decree-Law No. 125/2025 of December 4, will enter into force on April 3, 2026. This directive strengthens cybersecurity in critical and important sectors, significantly expanding the number of entities covered compared to the requirements of the previous NIS1.
These obligations include appropriate technical and organizational measures, incident management, and senior management responsibility. Although not "documentary" legislation in the classic sense, NIS 2 has a direct impact on how information is protected, shared, and controlled.
Documents that support critical processes are now implicitly included in the required security perimeter.

European Data Act: governance and control over data and information flows

TheData Act, in force sinceSeptember 2025, introduces new rules on data access, sharing, and use, particularly in B2B and digital service contexts.

 The regulation reinforces the need for clarity about who can access data, under what conditions, and with what security guarantees. For many organizations, this raises challenges in terms of interoperability, traceability, and information governance—including documents that aggregate or represent such data.

European AI Act Regulation: transparency and control when artificial intelligence enters the document process

Passed in 2024, theAI Actwill be phased in by 2026 and aims to ensure compliance with specific transparency, control, and explainability requirements whenever artificial intelligence systems are used to create, classify, extract, or validate information.

 This is particularly relevant in document automation contexts. The concern is no longer just efficiency, but also includes the ability to explain decisions, ensure traceability, and avoid legal risks associated with opaque processing.

The same movement, the same challenge

 Although distinct, these six legal frameworks point in the same direction:greater rigor, greater accountability, and greater structure in the digital realm. Documents and data are no longer just the results of processes—they are now central elements of compliance, trust, and operational continuity.

For organizations, the real challenge is not to react to each piece of legislation individually, but to adopt a consistent approach to information management. When document processes are designed in an integrated manner—from creation to preservation, from security to accessibility—legal compliance ceases to be a reactive effort and becomes a natural consequence of well-structured communication flows.