01 Jan, 2026

New legislation exempts good-faith security researchers from prosecution, marking a significant shift in national cybersecurity strategy to encourage vulnerability disclosure.

LISBON - In a decisive move to modernize its digital defense infrastructure, the Portuguese government has enacted significant amendments to its cybercrime legislation, effectively decriminalizing ethical hacking under specific, controlled circumstances. The updates, confirmed by reports from major information security outlets in early December 2025, establish a long-awaited "safe harbor" for security researchers who identify and report vulnerabilities in good faith. This legislative shift addresses a longstanding legal gray area that has often placed cybersecurity professionals at risk of prosecution for activities intended to bolster national security.

The reform, identified as Decree Law 125/2025, amends the existing cybercrime law to distinguish clearly between malicious intrusion and investigative security research. By removing the threat of criminal liability for good-faith vulnerability discovery that meets the law's conditions, Portugal aims to encourage the disclosure of critical security flaws before they can be exploited by malicious actors. The move places Portugal at the forefront of a growing European trend to align legal frameworks with the technical realities of modern security research.


Key Provisions of Decree Law 125/2025

According to reports from BleepingComputer and Infosecurity Magazine, the core of the new legislation is the exemption of security researchers from prosecution, provided their actions adhere to strict ethical guidelines. The law stipulates that for hacking activities to be considered non-punishable, the researcher must not have malicious intent and must follow established protocols for reporting their findings to the affected entities or national cybersecurity authorities.

Historically, under Article 6 of Law No. 109/2009, unauthorized access to computer systems, regardless of intent, could constitute a criminal offense. This blanket approach often discouraged "white hat" hackers from reporting vulnerabilities for fear of legal retaliation. The 2025 update fundamentally alters this dynamic by prioritizing the objective of the activity (security improvement) over the method of access, provided no damage is caused and data privacy is respected.

"Portugal has modified its cybercrime law to establish a legal safe harbor for good-faith security research and to make hacking non-punishable under certain strict conditions." - BleepingComputer

Background: A Slow Evolution of Digital Law

The road to this legislative update has been paved with years of incremental changes and strategic planning. The Portuguese government's National Strategy for Cyberspace Security, initially covering the period of 2019-2023, laid the groundwork by emphasizing the need for robust cybercrime prevention alongside defense measures. However, early iterations of the law focused heavily on penalization.

In November 2021, Law No. 79/2021 was introduced to transpose Directive (EU) 2019/713 into national law. While this addressed the combating of fraud and counterfeiting of non-cash means of payment, it maintained a rigid stance on unauthorized access. Legal experts at CMS noted that these earlier frameworks clarified compliance but did not explicitly protect researchers. The 2025 reforms appear to be a direct response to the limitations of those previous statutes, acknowledging that effective cybersecurity requires the cooperation of the technical community rather than its alienation.

Alignment with European Recommendations

This move brings Portugal into closer alignment with broader European recommendations. As noted in research published by Taylor & Francis regarding ethical hacking regulations in Spain and Europe, experts have long called for the "protection of security researchers so that they can continue their work without being subject to criminal prosecution." The CEPS Task Force Report had previously outlined the necessity of such protections to foster a healthy ecosystem for Coordinated Vulnerability Disclosure (CVD). By adopting these measures, Portugal is implementing best practices that have been debated at the EU level for several years.

Implications for Business and Technology

For businesses operating in Portugal, the implications of Decree Law 125/2025 are immediate and operational. Companies will likely need to revise their internal security policies to accommodate legitimate vulnerability reports; in practice this means publishing a vulnerability disclosure policy and a reachable reporting contact, since the exemption depends on the researcher following an established reporting route and an organization with no such route makes that condition hard to meet. Chambers and Partners highlights that under the Portuguese Corruption Prevention Framework, companies with more than 50 employees already have obligations to implement Codes of Conduct. The new cybercrime exemptions will likely necessitate updates to these codes to define how organizations interact with external researchers.

From a technological standpoint, this legal certainty is expected to increase the number of reported vulnerabilities. Without the fear of legal retribution, researchers are more likely to examine critical infrastructure and software used within the country. This crowdsourced approach to security, loosely referred to as the "many eyes" theory, shortens the time a flaw remains unknown to the vendor or operator, and with it the window in which malicious actors can exploit it as a zero-day.

Stakeholder Perspectives

The reaction from the cybersecurity community has been largely positive. Hackread describes the law as granting a "safe harbour," a term that carries significant weight in the industry. However, legal experts caution that the "strict conditions" mentioned in the law must be clearly understood. The distinction between "ethical" and "malicious" often relies on intent and the handling of data, so in practice the burden of demonstrating good faith will fall on the researcher: contemporaneous records of what was accessed, when, and how and to whom it was reported are likely to matter. The Safe Communities Portugal organization has previously emphasized the role of judicial authorities in the investigation and prosecution of cybercrimes; the new law will likely require these authorities to develop new competencies in evaluating the intent behind digital intrusions.

Forward-Looking Outlook

As Portugal implements Decree Law 125/2025, the focus will shift to the practical application of the law. Key questions remain regarding the standardization of reporting channels. Will reports be routed through an existing national body such as CERT.PT, the national CSIRT operated by the Centro Nacional de Cibersegurança, or will the government establish a dedicated central clearinghouse for vulnerability reports? The effectiveness of the safe harbor will depend heavily on the clarity of these reporting mechanisms.

Furthermore, this legislative change may exert pressure on other EU member states to modernize their own penal codes. With digital borders becoming increasingly irrelevant, a fragmented legal landscape across Europe complicates cross-border security research. Portugal's bold step could serve as a catalyst for a unified European directive on ethical hacking protections, ultimately strengthening the continent's collective digital resilience.

Tariq Al-Mansoor

UAE business thinker on corporate governance & leadership excellence.
