Portugal’s Updated Cybercrime Law: Protecting Security Researchers

Portugal Updates Cybercrime Law to Safeguard Security Researchers

Portugal has recently made significant changes to its cybercrime legislation to provide legal protection for security researchers engaging in good-faith efforts and to decriminalize hacking under specific conditions.

An important amendment in Article 8.º-A, titled “Acts not punishable due to public interest in cybersecurity,” now offers a legal exemption for activities that were previously considered illegal, such as system access and data interception.

The exemption criteria apply exclusively to security researchers conducting vulnerability assessments and contributing to cybersecurity enhancement. To avoid criminal prosecution, researchers must adhere to the following key conditions:

  1. The research should focus on identifying vulnerabilities not introduced by the researcher and enhancing cybersecurity through disclosure.
  2. No economic gain beyond standard professional compensation should be sought or received by the researcher.
  3. The researcher must promptly report the identified vulnerability to the system owner, relevant data controller, and the CNCS.
  4. Activities must be limited to vulnerability detection without disrupting services, altering data, or causing harm.
  5. Research activities must comply with GDPR regulations and not involve unlawful processing of personal data.
  6. Prohibited techniques like DoS attacks, social engineering, phishing, password theft, intentional data alteration, system damage, or malware deployment should not be used.
  7. Data obtained during the research must remain confidential and be deleted within 10 days of the vulnerability being resolved.
  8. Acts performed with the consent of the system owner are also immune from punishment, but any identified vulnerabilities must still be reported to the CNCS.

This new legal provision clearly delineates the boundaries of security research while affording legal protection to well-intentioned hackers.

In a similar vein, in November 2024, the Federal Ministry of Justice in Germany proposed a law that extends similar protections to security researchers who responsibly disclose security flaws to vendors.

Earlier, in May 2022, the U.S. Department of Justice (DOJ) revised its federal prosecution policies related to the Computer Fraud and Abuse Act (CFAA), introducing an exemption for “good-faith” research.

These legal frameworks not only acknowledge the importance of security research but also create a safe environment for researchers to proactively identify vulnerabilities and report them without fear of legal repercussions.
