Portugal’s New Safe Harbor: A Legal Shield for Security Research and a Warning for Critical Infr…
Red Team News –
Portugal has recently amended its cybercrime legislation to create a legal safe harbor for good-faith security researchers.
This change, implemented through Decree-Law 125/2025, protects researchers from legal action under specific conditions while they identify and report vulnerabilities.
Security experts view this amendment as a positive development that may influence other countries.
However, it coincides with serious security gaps within Portugal’s critical infrastructure sectors, as reported by the National Cybersecurity Centre (CNCS).
The CNCS is transitioning from an educational role to an enforcement-focused approach, highlighting the need for organizations to enhance their cybersecurity measures in light of new regulatory pressures.
– New Safe Harbor: Security researchers are exempt from punishment for good-faith activities if they adhere to strict requirements, including immediate reporting of vulnerabilities and no economic gain.
– Regulatory Environment: Entities must navigate GDPR, NIS 2 Directive, DORA, and national laws, facing significant penalties for non-compliance.
– Critical Sector Vulnerabilities: Many organizations lack adequate security measures; over half of digital infrastructure firms do not have security or incident response plans.
– Shift in CNCS Role: The CNCS is expected to enforce compliance more rigorously, with new data revealing poor preparedness across essential sectors.
– Actionable Recommendations: Organizations should implement comprehensive security training, establish incident response plans, ensure logging practices, and prepare for new regulatory roles under NIS 2.
Link: https://redteamnews.com/cyber-laws-regulations/portugals-new-safe-harbor-a-legal-shield-for-security-research-and-a-warning-for-critical-infrastructure/