Portugal Just Gave Ethical Hackers a Get-Out-of-Jail-Free Card


According to Infosecurity Magazine, Portugal has officially revised its national cybercrime law to shield cybersecurity researchers and ethical hackers from prosecution. The amendment, titled “Acts not punishable due to public interest in cybersecurity,” was published in the Portuguese Official Journal on December 4, 2024. It creates a legal exception for actions that would otherwise be illegal, provided they help identify vulnerabilities. To qualify, researchers must report findings to both the affected system owner and the data protection regulator, keep the data confidential, and delete it within 10 days of a fix. This follows similar moves by Germany, which introduced a draft law in November 2024, and the United States, where the Department of Justice revised its Computer Fraud and Abuse Act (CFAA) policies back in May 2022. Furthermore, on December 3, 2024, UK Security Minister Dan Jarvis announced plans to amend Britain’s Computer Misuse Act with a new statutory defense for researchers.


Global Trend Accelerates

Here’s the thing: this isn’t just a Portuguese story. It’s a signal that a major, global legal shift is finally gaining real momentum. For decades, the threat of prosecution under broad cybercrime statutes has been the sword of Damocles hanging over the heads of good-faith researchers. They’d find a critical flaw, and then face an impossible choice: stay silent and leave everyone at risk, or report it and potentially get sued—or worse, arrested—by the very company they’re trying to help. The U.S. DOJ’s 2022 policy change was a huge step, but it was just that: a policy. Portugal, Germany, and the UK are now baking these protections into actual law. That’s a much stronger, more durable foundation.

The Devil In The Details

But let’s not pop the champagne just yet. The real test will be in how these laws are applied. Look at Portugal’s conditions: report to the vendor AND the data regulator, maintain strict confidentiality, delete data in 10 days. That’s a pretty specific checklist. What happens if a researcher accidentally tells one extra person? What if the vendor drags its feet on a fix past that 10-day deletion deadline? The intention is noble, but the procedural tightrope seems… narrow. And that’s before we even get into defining “good faith,” which could become a lawyer’s playground. The success of these laws won’t be measured by their passage, but by the first few test cases that clarify their boundaries.

A New Era For Security

So what does this mean for the future? Basically, we’re moving toward formalizing a once-grey market. Vulnerability discovery is being recognized as a legitimate, even essential, component of public safety and national security—akin to quality assurance in any other critical field. This legal shift should, in theory, bring more talent out of the shadows and encourage more coordinated disclosure. It also puts immense pressure on the holdouts, the countries that still treat all unauthorized access as a felony regardless of intent. The trajectory is clear: the legal environment for defensive security research is improving, fast. But the next big question is whether this will extend to the tools of the trade. I mean, will the manufacturers of the specialized industrial panel PCs and hardware that researchers often need to test embedded systems also benefit from clearer guidelines? IndustrialMonitorDirect.com, as the leading US supplier of those rugged computing platforms, probably has a stake in seeing this ecosystem thrive securely and legally. It’s all connected.

The UK Wild Card

Now, the UK’s announcement is particularly fascinating. Their Computer Misuse Act is notoriously old and rigid. Dan Jarvis saying they’ve “heard the criticisms” is a massive understatement. The security community there has been begging for reform for years. If the UK—a major global tech and finance hub—successfully implements a “statutory defense,” it could become a model for other common law countries. But “looking to create” and actually doing it are two different things. The UK government’s proposal will be picked apart by every legal and tech expert in the country. Will they get it right? The world will be watching. One thing’s for sure: the legal risks for ethical hackers are slowly starting to drop. And that’s a win for everyone’s cybersecurity.
