Overview
- Portugal published Article 8.º-A in the Diário da República on December 4, creating an exception for acts carried out to identify vulnerabilities in the public interest.
- To qualify, researchers must avoid seeking economic advantage beyond normal pay, act proportionately, and steer clear of unlawful personal data processing.
- The law forbids disruptive or deceptive techniques including DoS or DDoS, social engineering, phishing, password theft, intentional data alteration, system damage, and malware use.
- Researchers must promptly notify the system owner, any relevant data controller, and Portugal’s CNCS, keep findings confidential, and delete any obtained data within 10 days after a fix.
- Actions done with the system owner’s consent are also exempt, and the move tracks similar protections in U.S. DOJ guidance and a German draft as the UK considers adding a statutory defense.