
Portugal’s New Cybercrime Law Shields Security Researchers

Summary

– Portugal has amended its cybercrime law to create a legal exemption for cybersecurity researchers, provided their actions help identify vulnerabilities.
– To qualify, researchers must not seek economic gain, violate data protection laws, use disruptive attacks, or cause harm to systems or data.
– Researchers must report findings confidentially to the system owner and data regulator, then delete the data within 10 days of a fix.
– Other countries like Germany and the US have implemented similar legal protections for good-faith vulnerability disclosure.
– The UK government has announced its intention to amend its Computer Misuse Act to add a statutory defense for ethical security research.

Portugal has enacted a significant legal update to its cybercrime legislation, formally creating a safe harbor for cybersecurity professionals and ethical hackers. This amendment, published in the nation’s official journal, establishes clear conditions under which vulnerability research is exempt from prosecution, recognizing its critical role in strengthening digital defenses. The move aligns Portugal with a growing international trend of providing legal clarity to security researchers who operate responsibly.

The new provision, formally titled “Acts not punishable due to public interest in cybersecurity,” carves out an exception for activities that would otherwise be illegal. The core requirement is that the actions must aid in identifying security weaknesses or otherwise contribute to improving cybersecurity. To qualify for this protection, researchers must adhere to a strict set of rules. They cannot seek any economic benefit from their actions and must avoid violating data protection laws. Prohibited methods include launching denial-of-service attacks, employing social engineering or phishing tactics, and engaging in data theft or alteration.

Furthermore, any investigative action must be proportionate and narrowly focused on the stated goal of finding vulnerabilities. It cannot cause system disruption, data loss, unauthorized copying, or any harmful effects on the affected organizations or individuals. The law also mandates a specific reporting procedure. Researchers must confidentially disclose their findings to both the system owner or manager and the national data protection authority. Once a vulnerability is patched, the researcher is required to delete all related data within ten days.

This legislative shift in Portugal mirrors developments in other major economies. Germany recently proposed a draft law to protect researchers who report flaws to vendors in good faith. In the United States, the Department of Justice revised its prosecution policy under the Computer Fraud and Abuse Act to create an explicit exemption for good-faith security research.

The United Kingdom is now exploring a similar path. The UK government has announced its intention to amend the longstanding Computer Misuse Act to include a statutory defense for ethical security research. Speaking at a recent cybersecurity summit, Security Minister Dan Jarvis acknowledged that the current law can make experts feel constrained in their work. He emphasized that these researchers are vital for uncovering unknown vulnerabilities and boosting national resilience, stating they should be welcomed, not shut out.

The proposed UK regime would shield researchers from prosecution provided they operate within a framework of agreed safeguards. This growing consensus among nations underscores a fundamental shift: recognizing that legal protection for responsible security research is a cornerstone of modern cyber defense, encouraging the discovery and remediation of flaws before malicious actors can exploit them.

(Source: InfoSecurity Magazine)
