Protect critical infrastructure or protect yourself. That is the untenable choice good-faith security researchers face. In much of Europe and beyond, laws still fail to clearly distinguish legitimate security research from malicious hacking. This not only exposes good-faith researchers to legal liability, it materially weakens cybersecurity outcomes.
There is, however, a timely opportunity to correct this. Several governments have used the flexibility of the ongoing NIS 2 transposition process to codify explicit legal protections for good-faith security researchers. Such protections are essential to improving a country's cybersecurity posture, and the EU Member States still working on transposition should use it to embed critical legal protections for security researchers.
What is Good-Faith Security Research?
Good-faith security researchers play a vital role in the cybersecurity ecosystem by finding vulnerabilities in systems and responsibly disclosing them to vendors. This increases the likelihood that vulnerabilities are mitigated in a timely manner, before malicious actors can exploit them.
When a country's laws fail to distinguish between legitimate security research and malicious hacking, good-faith researchers can face civil or criminal liability for work that helps secure digital systems. That prospect chills security research and undermines overall cybersecurity.
Why Do Good-Faith Security Researchers Need Our Help?
By reducing the likelihood that serious flaws remain unaddressed and exploitable by malicious actors, legal protections contribute directly to stronger digital resilience and reduce risk to critical systems. Countries with such protections also enable more effective cooperation between researchers, industry, and government, and facilitate the growth of businesses built around security research.
Countries without clear protections make themselves more vulnerable and penalize their own citizens in the process, as a case in Malta demonstrates. In October 2022, a group of computer science students and a professor identified multiple security vulnerabilities in a student scheduling application widely used across the country. The vulnerabilities reportedly exposed sensitive student data and, had a malicious actor discovered and exploited them, could have enabled the unauthorized extraction of personal information, manipulation of academic records, and disruption of school operations.
Acting responsibly, the students disclosed the flaws to the application's developers so they could be remediated. Yet despite their positive intent, the researchers were formally charged under the computer misuse provisions of Malta's Criminal Code and faced the prospect of criminal penalties.
Although the students eventually received a presidential pardon, the incident still likely had a chilling effect on good-faith research, as experts wondered whether they could rely on similar treatment from the government. Recognizing these challenges, the Maltese Government responded to the incident by introducing an interim government policy intended to provide clearer guidance around good-faith security research. Those efforts have since been reinforced through Malta's NIS 2 transposition, an approach other EU Member States would be wise to replicate.
How Can NIS 2 Help Good-Faith Security Researchers?
Adopted by the European Parliament and the Council of the EU in December 2022, NIS 2 (Directive (EU) 2022/2555) creates new cybersecurity requirements for "essential" and "important" entities operating in 18 sectors across the EU (11 sectors of high criticality listed in Annex I and seven other critical sectors listed in Annex II) and compels Member States to reassess and update their own national cybersecurity policies.
As enacted, NIS 2 is already poised to provide tangible benefits for good-faith security researchers. By making a coordinated vulnerability disclosure (CVD) policy a mandatory component of each required national cybersecurity strategy (Article 7(2)(c)), and by requiring each Member State to designate a CSIRT to act as coordinator for such disclosures (Article 12(1)), NIS 2 embeds recognition of structured vulnerability reporting into each Member State's national cybersecurity doctrine. This should lead to clearer, institutionalized pathways that security researchers can rely on to report vulnerabilities responsibly.
NIS 2 has the potential to regularize and legitimize the work of good-faith security researchers even further. Because the EU institutions enacted NIS 2 as a "directive," each Member State must individually adopt it into national law. This process, called "transposition," allows Member States to introduce provisions that go beyond NIS 2's baseline requirements, and several have used that flexibility to codify more explicit legal protections for good-faith security researchers.
Of the 19 EU Member States and four EU candidate countries that have already transposed NIS 2, the following three countries included such language:
- Portugal: Decreto-Lei n.º 125/2025, adopted in December 2025, is Portugal's NIS 2 transposition. Its Article 7 amends Portugal's Cybercrime Law (Lei n.º 109/2009) to add a provision explicitly stating that, on grounds of the public interest in cybersecurity, certain acts are not punishable when they meet specified conditions.
- Malta: In Malta's April 2025 transposition (the Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025), Article 13(7) clarifies that security researchers acting within the coordinated vulnerability disclosure framework are not in violation of Article 337C of the Criminal Code, which criminalizes unauthorized access to computer systems.
- Belgium: Transposed in April 2024, Belgium's Law establishing a framework for the cybersecurity of networks and information systems of general interest for public safety clarifies the conditions for the good-faith research protections established in an earlier whistleblower law and recognizes the importance of coordinated vulnerability disclosure.
For EU Member States yet to finalize their NIS 2 transpositions, the path forward is clear: codify explicit protections for good-faith security researchers. We call on Ireland, France, Spain, Luxembourg, the Netherlands, Poland, Bulgaria, and Estonia to take decisive action. We likewise urge the EU candidate countries transposing NIS 2 (Ukraine, Moldova, and Georgia) and the EEA/EFTA countries expected to adopt it (Iceland, Liechtenstein, and Norway) to do the same.
For Member States that have already completed transposition, other avenues for reform are still available. The European Commission’s ongoing Digital Fitness Check, and the legislative reforms poised to follow, provide a perfect opportunity to build on the progress made by Portugal, Malta, and Belgium.
Regardless of how it is achieved, providing legal certainty for good-faith security researchers is a prudent policy decision for countries: one that will strengthen resilience amid escalating cybersecurity threats, position them as credible hubs for cybersecurity talent and investment, and reinforce their leadership in the digital domain.