Changes to the RCBE – What’s new?

Legal Brief by Bruno Magalhães

Summary

Decree-Law No. 115/2025 of 27 October adjusts the RCBE regime in line with new EU requirements: public access now depends on demonstrating a legitimate interest, audit logs are strengthened, and future integration through a digital wallet is foreseen. Minimum disclosable data remain available when legitimate interest is established.

What changes in practice?

Access to RCBE information

• The previous general access based on simple authentication ends. Users must demonstrate a legitimate interest to consult beneficial-ownership data of entities subject to the RCBE.
• All accesses must be logged for 5 years, including the justification of the legitimate interest invoked.
• Access continues to require authentication in the RCBE system, under rules to be set by a joint order of the Finance and Justice ministries.
• Information may also be made available through a digital-wallet service, to be regulated separately.

Alignment with the European Union

The amendments implement the EU requirement (amending Articles 30 and 31 of Directive (EU) 2015/849), which introduces the legitimate-interest standard for accessing beneficial-ownership information, ensuring data protection and supporting anti-money laundering and counter-terrorism objectives.

Impact for companies and other entities

• To obtain RCBE extracts for due-diligence, contracting, financing, or audit purposes, entities must clearly identify the basis for legitimate interest and ensure proper authentication and logging.
• Potential future operational gains may arise from digital-wallet mechanisms enabling controlled and traceable data-sharing.

VFA recommends:

• Reviewing internal Know Your Counterparty and procurement procedures;
• Updating data-protection policies and record-retention rules related to RCBE information;
• Revising information-request templates to improve the justification of legitimate interest.

Immediate good practices

• Mapping typical organisational scenarios involving “legitimate interest” (e.g., supplier onboarding, credit granting, M&A).
• Updating contractual clauses and internal policies to reflect:
  • Conditions for accessing RCBE information;
  • Retention of access records for at least 5 years;
  • Principles of data minimisation and purpose limitation.
• Preparing supporting documentation for access requests, including purpose, legal basis, and proportionality.

Next regulatory steps

A ministerial order from the Finance and Justice areas is expected to define:
(i) the method of access and identification data of users;
(ii) technical rules for authentication, auditing, and potential digital-wallet data flows.

Also noteworthy:

• The decree clarifies the minimum data to be collected on legal representatives of beneficial owners who are minors or legally incapacitated, in accordance with the principle of data minimisation in Article 9.
• Estates are expressly excluded from RCBE obligations.
• If an estate holds shares in RCBE-subject entities, the entity itself must update the RCBE once the effective holders resulting from the succession/partition are determined, respecting the new legitimate-interest access regime and audit controls.

Reminder

Even though 2025 is now underway, do not forget that the annual RCBE confirmation is mandatory for all entities and must be completed by 31 December each year, even if no data have changed.

This confirmation is waived if the entity has already updated its RCBE information during that calendar year.

Questions? Contact us.