A new provision in Portugal’s cybercrime law, specifically Article 8.o-A, establishes a legal safe harbor for cybersecurity research, effectively defining certain hacking acts as non-punishable under specific, strict conditions. Titled “Acts not punishable due to public interest in cybersecurity,” the article provides an exemption for actions that previously fell under illegal system access or data interception. This modification recognizes the public benefit of proactive security testing when performed in good faith and with the sole objective of improving system security.
The legal exemption for security researchers is granted only when their actions are strictly for the purpose of identifying vulnerabilities and contributing to cybersecurity. To be protected from criminal liability, the research must aim solely at identifying vulnerabilities that already exist (not ones the researcher introduced) and at improving cybersecurity through disclosure. Furthermore, the researcher cannot receive any economic benefit beyond their normal professional compensation, ensuring the intent remains non-malicious and focused on the public interest.
Crucially, the new law imposes mandatory reporting requirements and limits on the research activity. The researcher must immediately report the vulnerability to the system owner, any relevant data controller, and the CNCS (the national cybersecurity authority). The actions taken must be strictly limited to what is necessary for detection, and the research must not disrupt services, alter or delete data, or cause any harm. The researcher must also avoid any unlawful processing of personal data, specifically under GDPR rules.
The provision also prohibits the use of specific, harmful techniques, such as DoS or DDoS attacks, social engineering, phishing, password theft, intentional data alteration, system damage, or malware deployment. Any data obtained during the research must be treated as confidential and deleted within 10 days of the vulnerability being fixed. Acts performed with the system owner’s explicit consent are also exempt from punishment, though vulnerabilities still require reporting to the CNCS.