Portugal has updated its cybercrime law to exempt cybersecurity researchers and ethical hackers from prosecution.
The change was made public in the Portuguese Official Journal (Diário da República) on December 4.
The amendment, titled “Acts not punishable due to public interest in cybersecurity,” creates a legal exception for actions that would have been considered illegal under prior law, on the condition that these actions help identifying vulnerabilities or contribute to cybersecurity.
To fall under this exemption regime, security researchers must meet conditions, including:
- They must not act with the purpose of obtaining economic advantage
- They must not violate personal data protected under applicable data protection laws
- The must not use a denial-of-service (DoS) attack, social engineering techniques, phishing or data theft or data alteration to achieve their vulnerability research goal
- Their action must be proportionate and strictly limited to their stated purpose
- Their action must not cause disruption or interruption of the system or service, deletion, deterioration or unauthorized copying of computer data or any harmful, damaging or adverse effects on the affected people and organizations
Additionally, the amendment states that security researchers must report their findings to both the owner or designated manager of the system or product affected and the data protection regulator but keep this data confidential beyond these two stakeholders throughout the process.
Security researchers must also delete this data within 10 days of the vulnerability being fixed.
UK Explores Statutory Defense for Ethical Hackers
In recent years, both Germany and the US have made similar moves to safeguard security researchers from legal liability when responsibly reporting vulnerabilities.
In November 2024, Germany’s Federal Ministry of Justice introduced a draft law offering legal protections to researchers who disclose flaws to vendors in good faith.
In May 2022, the US Department of Justice (DoJ) revised its prosecution policies under the Computer Fraud and Abuse Act (CFAA), explicitly carving out an exemption for "good faith" security research.
More recently, British Security Minister Dan Jarvis announced the UK government’s intention to amend the country’s Computer Misuse Act to add similar exemptions for ethical security research actions.
Speaking at the Financial Times’ Cyber Resilience Summit: Europe on December 3, Jarvis said the government has “heard the criticisms about the Computer Misuse Act and how it can lead many cyber security experts feeling constrained in the activity that they can undertake.”
“These researchers play an important role in increasing the resilience of UK systems and securing them unknown vulnerabilities. We shouldn't be shutting these people out. We should be welcoming them and their work,” he explained.
The UK government is looking to create a statutory defense added in an upcoming update of the Computer Misuse Act.
This new regime “would protect security researchers from prosecution as long as they meet certain safeguards,” Jarvis added.
Read now: UK Ransomware Payment Ban to Come with Exemptions, Security Minster Say