Ethical Hackers and Cybercrime: A New Frontier in Criminal Law

Article, 31 July 2025

In recent years, cybercrime has become one of the main threats to economic, social and institutional security. Portugal is no exception. The growth in ransomware attacks, intrusions into critical systems and digital fraud has brought to light a topic that is beginning to gain relevance in the legal and criminal landscape: the role of so-called ethical hackers and the legal limits of their actions.

Following the European directives on cybersecurity (with particular emphasis on the NIS-2 Directive) and the recent warnings from the National Cybersecurity Centre (CNCS), the possibility of institutionalising, with greater clarity and legal certainty, the collaboration of computer security specialists - commonly known as "white hat hackers" - in strengthening the protection of critical infrastructures and public systems has been discussed.

Proof of this was the approval, on 3 July 2025, by the Council of Ministers, of the legislative authorisation Bill that establishes the legal framework for cybersecurity.


What are ethical hackers?

Ethical hackers are professionals who, with the authorisation of the target entities, test the vulnerabilities of computer systems, identifying potential flaws that could be exploited by criminals. Their activity is now widely accepted in the private sector, under clear contractual terms and within previously defined limits. However, when it comes to public systems or sensitive sectors - justice, health, banking, defence, energy - the absence of a clear legal regime raises a number of questions.


What is the legal and criminal problem?

Currently, any unauthorised access to systems can be considered, in abstract terms, a crime of illegitimate access, as provided for and punishable by Article 6 of Law 109/2009 of 15 September (the Cybercrime Law).

The problem arises when these professionals are given a mission in the public interest, allowing them to test security limits without necessarily being expressly authorised by the courts.

Is the legislator prepared to create exceptions to the principle of the judge's reserve in matters of fundamental rights, particularly with regard to the secrecy of communications and data privacy?


The new trend: collaboration with the state

In May 2025, information emerged that the government, in conjunction with the CNCS and the Judicial Police, was preparing a pilot project that envisages the hiring or regular collaboration of ethical hackers to strengthen the state's defences and prevent attacks. This collaboration could include penetration tests on critical networks and, in certain cases, "invasive" access that has been previously authorised by administrative bodies.

Although this solution could prove effective in terms of prevention, it poses serious challenges to the legality of criminal intervention and the protection of fundamental rights, since:

  • There is currently no legal basis to legitimise proactive access without judicial control.
  • The activity of ethical hackers can collide with data protected by professional secrecy (lawyers, doctors, journalists).
  • The line between prevention and violation of rights becomes blurred.


What answers can criminal law provide?

Criminal doctrine is beginning to ask whether a separate legal statute for ethical hackers is needed, one that clearly distinguishes them from criminals and defines:

  • Who can be an ethical hacker (certification, suitability, official registration)?
  • What are the limits of their activities?
  • What guarantees are there for system and data owners?
  • What responsibility does the state assume for the damage caused?

It is also debated whether the penal framework should be strengthened against those who act outside these limits, to avoid abuses under the guise of preventive protection.


Comparative perspective

Countries like Germany and France allow ethical hackers to collaborate, but always with clear judicial or administrative supervision and without waiving the legal requirements for data protection and privacy. In the US, "bug bounty" programmes are common, but are not to be confused with permissions for unauthorised invasive actions.

Portugal seems to be leaning towards a mixed model, with controlled use of these professionals, but still without a clear regime.


A debate that cannot be avoided

As with video surveillance, the use of ethical hackers in the fight against cybercrime requires serious reflection on the limits of preventive criminal law and the protection of fundamental rights. The lack of a robust legal framework creates a risk of legal uncertainty, both for public operators and for the professionals themselves.

It is time for the legislator to create clear rules that balance security and freedoms, preventing dangerous precedents for the rule of law from being set in the name of protection.

Between the need to protect critical infrastructures and safeguarding fundamental rights, the debate on ethical hackers is proving to be a new frontier in Portuguese criminal law. It remains to be seen whether the legislature will be prepared to draw this line with the precision that the Constitution demands.

