Portugal has amended its cybercrime law to establish a legal safe harbor for good-faith security researchers. The new provisions allow ethical hacking and vulnerability research without criminal liability, provided strict conditions are met.

The changes are enshrined in Article 8.º-A, titled “Acts not punishable due to public interest in cybersecurity.” It removes criminal liability for conduct that would otherwise be punishable as illegal access to a system or illegal interception of data.
The exemption is narrow: the conditions below are cumulative, and research activities are protected only if they:
aim solely to identify pre-existing vulnerabilities and improve cybersecurity;
do not seek financial gain beyond standard professional compensation;
involve immediate disclosure to the system owner, data controller, and the National Cybersecurity Centre (CNCS);
are strictly limited and do not disrupt services or alter data;
comply fully with GDPR requirements;
exclude prohibited techniques such as DDoS attacks, phishing, social engineering, malware deployment, password theft, or system damage.
Any data obtained during research must remain confidential and be deleted within 10 days after the vulnerability is fixed.
Portugal joins a growing list of jurisdictions formally recognizing the value of security research. Similar protections have been introduced in:
This reflects a broader shift toward recognizing ethical hacking as a public-interest activity.
The new law defines the boundaries of acceptable research and removes much of the legal uncertainty that practitioners previously faced, while leaving anyone who steps outside those conditions exposed to the ordinary cybercrime offences. Portugal effectively acknowledges that proactive vulnerability testing is a cornerstone of modern cybersecurity, not a criminal act.