New Portuguese Law Shields Ethical Hackers from Prosecution

Portugal updates its cybercrime law (Decree Law 125/2025) to grant ethical hackers a ‘safe harbour’ from prosecution. Learn the strict rules researchers must follow, including immediate disclosure to the CNCS, and how other nations are following this trend.

HackRead

Portugal has recently taken a significant step forward for online safety by updating its cybercrime law. This change, which was made public in the official Portuguese Journal (Diário da República) on December 4th under Decree Law No. 125/2025, basically gives cybersecurity researchers and ethical hackers (experts who use their skills for good) a ‘safe harbour’ from prosecution.

The change was first spotted and publicised by security expert Daniel Cuthbert, the Global Head of Cyber Security Research for the Santander Group and co-chair of the UK Government’s Cyber Security Advisory Board.

Portugal: not just a country of amazing Pasteis de Nata’s but now solid cyber laws too. They’ve amended their Cybercrime Law by adding Article 8-A to Law 109/2009. https://t.co/7CNpTe70vx

So what?

— Daniel Cuthbert (@dcuthbert) December 5, 2025

**What the New Law Means**

The new rule, set out in Article 8.º-A and titled “Acts not punishable due to public interest in cybersecurity,” makes an exception for actions that previously could have been considered illegal, such as unauthorised access to a computer system or data interception. The purpose is to allow experts to find security holes/vulnerabilities and help make our computer systems safer.

However, this protection comes with strict rules to prevent misuse; the researcher must be acting solely to identify flaws and contribute to better cybersecurity, with no intention of making money beyond their normal professional pay. Also, they are strictly forbidden from causing harm, such as disrupting a service or stealing personal information.

Furthermore, they must not use aggressive or deceptive methods like Denial-of-Service (DoS) attacks (overwhelming a system to shut it down), phishing, password theft, or malware deployment.

The law also requires researchers to quickly report their findings to the system’s owner, the data protection regulator, and Portugal’s National Cybersecurity Centre (CNCS). Any data they collect during their work must be kept secret and deleted within 10 days after the security hole is fixed.

**A Growing International Trend**

Portugal is not alone in recognising the value of these ethical hackers. Other countries are looking to follow suit to avoid shutting out people who are vital to our digital resilience. In the UK, for example, Security Minister Dan Jarvis said on December 3rd that the government intends to update the country’s Computer Misuse Act.

He explained that the current law makes security experts feel limited in their work and that they should be welcomed, not constrained. The UK is exploring adding a “statutory defence” to shield researchers from legal trouble, provided they follow certain rules.

Our digital world relies on finding and fixing vulnerabilities before criminals exploit them. These legal changes reflect a growing understanding that ethical hacking is a public-interest activity that is key to defending everyone’s online security.
