**Portugal Updates Cybercrime Law to Exempt Security Researchers**
In a significant move towards promoting responsible cybersecurity practices, Portugal has amended its cybercrime law to provide a safe harbor for security researchers who engage in good-faith activities. The updated legislation aims to encourage the discovery and reporting of vulnerabilities, thereby strengthening the country's cybersecurity posture.
The changes were first spotted by Daniel Cuthbert, and they revolve around Article 8.º-A, titled "Acts not punishable due to public interest in cybersecurity." This new provision carves out an exemption for actions that previously fell under the umbrella of illegal system access or data interception. However, this exemption only applies when security researchers act with the intention of identifying vulnerabilities and contributing to the betterment of cybersecurity.
To qualify for protection from criminal liability, researchers must meet specific conditions. These include:
- Acting in good faith
- Identifying vulnerabilities with the intention of contributing to cybersecurity
- Not causing harm or disrupting services
The updated article provides a clear definition of the limits of security research while also offering legal protection for well-intentioned hackers. This development is part of a broader trend towards recognizing and supporting responsible cybersecurity practices.
**Global Developments in Cybersecurity Law**
Portugal's move follows similar initiatives from other countries. In November 2024, the German Federal Ministry of Justice introduced a draft law providing protections for security researchers who discover and responsibly report security flaws to vendors.
In May 2022, the U.S. Department of Justice (DOJ) announced revisions to its federal prosecution policies regarding Computer Fraud and Abuse Act (CFAA) violations. The updated guidelines include an exemption for "good-faith" research, allowing security researchers to proactively probe systems, uncover vulnerabilities, and report them without fear of legal consequences.
These developments demonstrate a growing recognition of the importance of responsible cybersecurity practices in preventing cyber threats and protecting digital assets.