Portugal has enacted a significant amendment to its cybercrime legislation, establishing a legal safe harbor for security researchers acting in good faith. This change, introduced via Decree-Law 125/2025 which adds Article 8.º-A to Law 109/2009, aims to protect researchers from prosecution under strict conditions while they work to identify and report vulnerabilities [1]. Security expert Daniel Cuthbert described the move as a “positive” step, expressing hope that other nations would adopt similar protections [1]. This proactive legal reform occurs against a backdrop of a rapidly evolving and enforcement-driven cybersecurity landscape in Portugal, where critical infrastructure sectors show alarming gaps in basic security preparedness despite facing overlapping regulations from the GDPR, the impending NIS 2 Directive, and sector-specific laws like DORA.
For Chief Information Security Officers (CISOs) and security leaders, this development presents a dual narrative. On one hand, it signals a government that values and seeks to enable responsible security research. On the other, detailed market reports from Portugal’s National Cybersecurity Centre (CNCS) reveal that many entities, especially in critical sectors, are poorly prepared for existing and upcoming regulatory obligations. The CNCS itself is shifting from a pedagogical to a more supervisory and enforcement-ready posture [4]. The safe harbor for researchers may increase scrutiny on organizational defenses, making compliance and robust security hygiene more urgent than ever.
TL;DR: Key Takeaways for Security Leaders
- New Safe Harbor: Portugal’s amended cybercrime law now exempts good-faith security research from punishment if strict conditions are met, including non-disruption, no economic benefit, and immediate reporting to the CNCS and system owner [1].
- Regulatory Onslaught: Organizations face a complex web of GDPR, advancing NIS 2 rules (final law due by April 2026), DORA for finance, and national laws, with severe fines and personal liability for administrators [2, 3].
- Critical Sector Gaps: CNCS data shows severe deficiencies: over half of digital infrastructure firms lack security and incident response plans; 45% of energy sector staff lack basic training despite high digital tool usage [4].
- Enforcement Shift: The CNCS is moving from educator to enforcer, using detailed sector data to assess compliance. Lack of mandated documentation (plans, logs) is now presumed non-compliance [4].
The Anatomy of Portugal’s Security Researcher Safe Harbor
The newly enacted Article 8.º-A provides a legal exemption, but its protections are narrowly defined and come with a stringent set of conditions that researchers must follow meticulously. The core requirement is that the research must be conducted solely to identify vulnerabilities not created by the researcher, with the goal of improving cybersecurity through disclosure [1]. Crucially, the researcher cannot seek or receive any economic benefit beyond their normal professional salary or remuneration, a clause designed to separate ethical research from activities with financial motives. All actions taken must be strictly proportionate and limited to confirming the existence of the vulnerability; they must not disrupt services, damage or alter data, create harmful effects, or breach personal data protection rules.
Furthermore, the law explicitly prohibits a range of activities even under the guise of research. These include denial-of-service (DoS) attacks, social engineering, phishing, password theft, intentional data deletion or alteration, system damage, and the installation or distribution of malware [1]. The final and critical obligation is the immediate reporting mandate. Upon discovering a vulnerability, the researcher is required to report it without delay to both the owner of the affected system and Portugal’s national cybersecurity authority, the CNCS. This formalizes a responsible disclosure channel and ensures the regulator is aware of potential systemic risks. This framework provides a clear, albeit restrictive, legal pathway for security testing that was previously a gray area, offering researchers a defined “safe harbor” against prosecution under the cybercrime law.
A Complex Web of Cybersecurity and Data Protection Laws
Portugal’s regulatory environment for cybersecurity and data is multi-layered, built on directly applicable EU regulations and supplemented by national laws. The General Data Protection Regulation (GDPR) forms the cornerstone, enforced by the National Data Protection Commission (CNPD), which can impose fines of up to €20 million or 4% of global turnover [2]. Nationally, Law No 58/2019 ensures GDPR execution, though the CNPD has declared some of its provisions inapplicable for contradicting the GDPR itself. Specific rules govern areas like electronic marketing, which requires opt-in consent from individuals, and data breach notification, for which the CNPD provides specific online forms [2].
On the cybersecurity front, the landscape is defined by the National Cybersecurity Centre (CNCS) as the central authority. The existing national framework, Law No 46/2018, already imposes strict incident reporting obligations on operators of essential services: an initial notification to the CNCS must be made within two hours of knowledge of a significant incident, followed by a final report within 30 working days after its conclusion [3]. This is now being superseded by the ongoing transposition of the EU’s NIS 2 Directive. After a critical delay, Portugal published Law No 59/2025 in October 2025, authorizing the government to enact final implementing acts within 180 days (by 21 April 2026) [3]. The draft proposal expands the scope of covered entities and introduces new obligations, including appointing a cybersecurity officer and designating a permanent point of contact to be notified to the CNCS.
The Compliance Reality: High Reliance, Low Preparedness
While the legal frameworks advance, the operational reality within Portuguese critical sectors, as revealed by CNCS market reports, paints a concerning picture of widespread non-compliance and inadequate security hygiene. The data indicates a stark mismatch between high digital dependence and low security preparedness. For instance, in the Energy sector, 56% of companies report that 75-100% of their staff use digital tools daily, yet 45% of these same companies have less than a quarter of their staff trained in basic cybersecurity [4]. This gap represents a substantial human risk factor.
The deficiencies are structural and widespread across key sectors. In Digital Infrastructure, 54% of entities lack both a cybersecurity plan and an incident response plan. The Healthcare sector shows similar weaknesses, with 54% lacking a cybersecurity plan and 38% lacking an incident response plan. Even the typically robust Banking/Finance sector is not immune, with 13% lacking a cybersecurity plan [4]. Other statutory good practices are inconsistently applied: regular vulnerability checks range from being performed by only 20% of Digital Infrastructure firms to 100% of Banking firms. Perhaps most alarming for forensic readiness and threat hunting, 50% of companies in the Transport and Healthcare sectors do not maintain the logs necessary for post-incident analysis [4].
Relevance and Actionable Steps for Security Professionals
For security practitioners, Portugal’s new safe harbor law and the accompanying regulatory scrutiny have direct implications. The safe harbor may lead to an increase in responsible vulnerability disclosure reports, particularly to the CNCS. Security teams should ensure their external vulnerability disclosure policies and contact channels are clear, operational, and aligned with the new legal reporting expectations. The CNCS’s shift towards enforcement, armed with detailed sector data, means that “check-box” compliance is insufficient. Regulators will look for evidence of implemented security programs, not just policy documents.
Based on the CNCS’s highlighted deficiencies and upcoming NIS 2 requirements, organizations, especially in critical sectors, should prioritize several key areas. First, implementing comprehensive and role-based security awareness training is non-negotiable. The data shows this is the most widespread gap. Second, developing, testing, and maintaining a formal incident response plan and a cybersecurity policy is a fundamental obligation whose absence is a red flag for regulators. Third, establishing and validating log management and retention processes is critical for both operational security and demonstrating compliance during an audit. Finally, with NIS 2 implementation on a clear timeline, organizations should begin scoping exercises to determine if they will be classified as essential or important entities under the new rules and start planning for the appointment of mandated cybersecurity roles.
Conclusion: A Watershed Moment for Portuguese Cybersecurity
Portugal’s amendment to create a safe harbor for security researchers is a progressive step that aligns legal frameworks with the practical needs of improving national cybersecurity. However, this reform exists within a broader context of significant regulatory evolution and concerning operational gaps within the country’s critical infrastructure. The CNCS’s move from an educational to an enforcement-focused stance, supported by concrete sectoral data, signals that the period of guidance is giving way to a period of accountability. For organizations operating in Portugal, the message is clear: the time for proactive preparation and investment in foundational security controls is now. The converging pressures of a more active research community, stringent overlapping regulations, and a newly empowered regulator create an imperative for action to avoid severe financial penalties and operational disruption.
References
1. “Portugal updates cybercrime law to exempt security researchers,” DataBreaches.Net, Dec. 7, 2025. [Also reported by BleepingComputer, Dec. 7, 2025; Daniel Cuthbert via LinkedIn, Dec. 5, 2025.]
2. “Data Protection Laws of the World – Portugal,” DLA Piper Data Protection Portal, Dec. 1, 2025. [Additional context from Linklaters “Data Protected – Portugal” (2024) and CMS Expert Guide (Oct. 8, 2025).]
3. A. M. Cordeiro, “Portugal: NIS2 authorising law published,” Bird & Bird, Nov. 12, 2025. [Additional context from Chambers & Partners Cybersecurity Guide 2025 – Portugal (Mar. 13, 2025), Council of Europe Octopus Community, and CMS Expert Guide (Oct. 8, 2025).]
4. “Portugal Cybersecurity & Data Protection Landscape Report,” Abreu Advogados via Chambers & Partners, 2025.