513/68 Tuesday, December 9, 2025
Portugal has announced a major update to its computer crime legislation by adding a new provision, Article 8.o-A, titled “Acts Not Considered Offenses Due to Public Interest in Cybersecurity.” The amendment establishes a legal safe harbor for cybersecurity researchers or white-hat hackers who perform system testing with good intentions. Actions that were previously considered offenses-such as unauthorized access or data interception—may now be exempt from punishment if carried out solely to identify vulnerabilities and strengthen the security of public information systems.
However, this protection applies only under strict and clearly defined conditions. Researchers must focus exclusively on discovering vulnerabilities they did not create themselves and are prohibited from seeking financial gain beyond normal professional compensation. Crucially, they must report the vulnerabilities immediately to the system owner and Portugal’s National Cybersecurity Center (CNCS). Researchers are forbidden from using harmful attack techniques such as DoS/DDoS, phishing, social engineering, or deploying malware, and must minimize data access in compliance with GDPR. Any data obtained during testing must be deleted within 10 days after the vulnerability has been fixed.
This development aligns with a global trend recognizing the importance of civil society in enhancing cybersecurity. Similar legislative initiatives have been proposed in Germany in November 2024, and the U.S. Department of Justice (DOJ) revised its policy in 2022 to protect good-faith security research. Such legal reforms help legitimize the role of security researchers, enabling them to identify and report flaws openly without fear of prosecution—an essential mechanism for strengthening long-term cyber defense.
