Portugal has expanded its legal framework in the realm of digital security, formally establishing protections for good-faith specialists who examine vulnerabilities in information systems. The updated provision answers a longstanding request from the cybersecurity community, which has sought the ability to work openly and without the risk of facing criminal charges for technical actions performed in the public interest.
The amendments revise Article 8.º-A, introducing a clause that recognizes the societal value of strengthening digital infrastructure. It exempts from punishment those who access systems or data solely for the purpose of identifying weaknesses and responsibly notifying the appropriate parties. The rules, however, are articulated with strict precision.
Such actions are permitted only for discovering vulnerabilities not created by the researcher, and without receiving any benefit beyond ordinary compensation. Any identified issues must be promptly reported to the resource owner, the entity responsible for data processing, and the National Cybersecurity Centre (CNCS).
The work must be limited exclusively to what is necessary for diagnosis, without interfering with service functionality, altering information, or causing harm. The use of techniques involving denial-of-service attacks, social engineering, password theft, data modification, or the distribution of malicious software is expressly forbidden. All acquired information must be deleted within ten days after the issue is resolved. It is separately clarified that even with the system owner’s consent, discovered vulnerabilities must still be reported to the CNCS.
In doing so, the country delineates the boundaries of acceptable methods while simultaneously providing legal guarantees to those acting in the public interest. Similar initiatives have recently appeared in Germany, where the Ministry of Justice introduced draft legislation with comparable provisions, and in the United States, where the Department of Justice revised its approach to prosecutions under the CFAA.
Together, these measures create conditions in which ethical specialists can investigate vulnerabilities openly and disclose them without fear of criminal repercussions.