Landmark Legal Update for Cybersecurity
Portugal has updated its cybercrime legislation to carve out an exemption for cybersecurity researchers and ethical hackers. The amendment, published in the Portuguese Official Journal (Diário da República) on December 4, establishes a legal 'safe harbor' for good-faith vulnerability research. Its purpose is to separate legitimate security testing from malicious activity so that researchers can report flaws without fear of prosecution.
The change takes the form of a new Article 8.º-A in the existing cybercrime law (Law 109/2009, of September 15), titled 'Acts not punishable due to public interest in cybersecurity.' The provision removes criminal liability for conduct that would otherwise fall under that law's offences of illegitimate access and illegitimate interception, but only when every one of a stringent set of conditions is met.
Conditions for Exemption
To qualify for this protection, a researcher must satisfy all of the following criteria; failing any one of them removes the exemption. The conditions are designed to ensure that research is conducted responsibly and solely for the benefit of cybersecurity. Key requirements include:
- The research must aim exclusively at identifying vulnerabilities that the researcher did not themselves introduce, and must contribute to improving cybersecurity through disclosure.
- The researcher must not seek or receive any economic benefit beyond normal professional compensation.
- Any vulnerability found must be reported immediately to the system owner, to any relevant data controller, and to the National Cybersecurity Centre (CNCS).
- Actions must be strictly limited to what is necessary to detect the vulnerability, without causing disruption of services, alteration or deletion of data, or any other harmful effects.
- The research must not involve any unlawful processing of personal data under applicable data protection laws, including GDPR.
- Prohibited techniques include Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks, social engineering, phishing, password theft, intentional data alteration, system damage, or malware deployment.
- Any data obtained during the research must remain confidential and be deleted within 10 days of the vulnerability being fixed.
Acts performed with the system owner's consent are likewise not punishable, but any vulnerabilities found in that setting must still be reported to the CNCS.
International Context and Future Implications
Portugal's updated law places it among a growing number of countries that recognise the role of ethical hacking in national security. Germany's Federal Ministry of Justice published a draft law offering legal protection to security researchers in November 2024. In the United States, the Department of Justice (DoJ) revised its charging policy under the Computer Fraud and Abuse Act (CFAA) in May 2022, directing prosecutors not to charge 'good faith' security research; note that this is a prosecutorial policy rather than a statutory defence, unlike the Portuguese provision, which is written into the law itself.
This legislative development is seen as a significant step towards fostering a more collaborative and secure digital landscape, providing legal clarity and protection for professionals dedicated to identifying and mitigating cyber threats.
5 Comments
Muchacho
Smart move by Portugal. Encourages responsible vulnerability disclosure.
Coccinella
It's a positive step towards recognizing ethical hacking, yet the numerous conditions might still deter smaller, independent researchers who lack legal resources. Clarity is good, but practicality is key.
Mariposa
This law will significantly boost national digital security. Well done!
Muchacha
The 'safe harbor' is a welcome development for fostering a more secure digital environment. Yet, the article doesn't fully address how the law will handle disputes between researchers and organizations who might not appreciate unsolicited vulnerability reports, even if well-intended.
Bella Ciao
Acknowledging the crucial role of ethical hackers is a progressive move for national security. Still, the requirement for immediate reporting to a government body like CNCS raises questions about potential overreach or delays in public disclosure.