UK finally vows to look at 35-year-old Computer Misuse Act • The Register


12/09/2025


Portugal has become the latest country to carve out protections for researchers under its cybersecurity law.

The move increases pressure on the UK after a government minister admitted last week that the 35-year-old Computer Misuse Act needed updating to protect cybersecurity pros from prosecution.


Security minister Dan Jarvis told a Financial Times conference that the government had “heard the criticisms” and was looking to create a “statutory defense” for researchers to spot and share vulnerabilities if they met certain safeguards.

It’s taken decades to get here. The Computer Misuse Act 1990 (CMA) was created after IT journalist Steve Gold and fellow hacker Robert Schifreen were accused of accessing the Duke of Edinburgh’s BT Prestel email account.

Gold and Schifreen were prosecuted under forgery and counterfeiting legislation but were freed on appeal. The government created the CMA in response – passing it in 1990 before modern cybersecurity research, ecommerce, cybercrime, vulnerability reporting, or even The Register existed.

Portugal’s change was highlighted by Daniel Cuthbert, who was himself convicted under the CMA in October 2005, illustrating the inflexible nature of the act.

In December 2004, he made a donation to a site raising money for victims of the Boxing Day Tsunami. When he did not receive a thank you or confirmation page, Cuthbert carried out two tests to ensure it wasn’t a scam page, setting off an “Intruder Detection System.”

A district judge said he found the case proved, but “with some considerable regret.”

On Friday, Cuthbert described Portugal’s action on Twitter X as “tightly scoped,” requiring security actions to be “strictly proportionate.” He said it was a “positive amendment and hopefully other countries take note and give us security researchers a safe harbor in which to find bugs and report them… Nice work.”

Running Portugal’s legislation through Google Translate shows that acts will be “not punishable due to public interest in cybersecurity” when “the agent acts with the sole intention of identifying the existence of vulnerabilities” and of disclosing them to boost security.

Likewise, researchers are not acting “with the aim of obtaining economic advantage… without prejudice to the remuneration that he obtains as consideration for his professional activity.”

Vulnerabilities must be notified promptly, and the work shouldn’t be disruptive or damage data.

A range of techniques, including denial of service, social engineering, and phishing, remain prohibited. Acts committed with the consent of the system owner get the green light.

Ed Parsons, COO of Belgium-based bug bounty platform Intigriti, said the need for CMA reform had been pressing 20 years ago, and only more so now.

“In 2016, the UK government of the day committed to making the UK the safest place to live and do business online. We can’t keep saying things like that but, ten years later, still trying to achieve it having tied our own hands behind our backs.”

James Morris, CEO of cyber policy group the CSBR, said successive UK governments had dragged their feet on reforming the law.

“Like the Cyber Security and Resilience Bill which is beginning its passage through Parliament, the UK needs to urgently update all relevant legislation to ensure that it is fit to support the vital national effort required to harden our cybersecurity and resilience.” ®
