Portugal updates legislation to protect ethical security research


Portugal has updated its cybercrime legislation to formally protect ethical hackers who probe systems responsibly. The change was added to Article 8.º-A under the heading “Acts not punishable due to public interest in cybersecurity.”

The new provision exempts certain actions previously classified as illegal system access or data interception from criminal liability when performed strictly for the purpose of identifying vulnerabilities and strengthening cybersecurity.

To qualify, researchers must ensure their work is solely aimed at uncovering flaws they did not create and contributes to improved security through proper disclosure. They are barred from seeking financial gain beyond normal compensation, must immediately report findings to the system owner, applicable data controllers, and Portugal’s National Cybersecurity Center (CNCS), and must limit their activity to what is necessary to detect a vulnerability without disrupting services or altering data.

The law also prohibits the use of aggressive or deceptive techniques such as DDoS attacks, phishing, password theft, or malware deployment. Any data collected must remain confidential and be deleted within ten days of the issue being resolved. Research conducted with the system owner’s consent is also protected, provided that findings are still reported to the CNCS.

Germany’s Federal Ministry of Justice proposed a similar safe harbor in late 2024. Also, the US Department of Justice revised its prosecution guidelines in 2022 to exempt “good-faith” research under the Computer Fraud and Abuse Act.
