UK government pledges to rewrite Computer Misuse Act

UK Government Announces Major Overhaul of the Computer Misuse Act to Shield Cybersecurity Experts

By Alex Scroxton, Security Editor

Modernizing a 35-Year-Old Law to Empower Cyber Defenders

The UK Government has unveiled plans to revise the Computer Misuse Act (CMA) of 1990, a pivotal but increasingly outdated statute governing cybercrime. This legislative update aims to provide explicit legal safeguards for cybersecurity professionals and threat analysts, granting them immunity from prosecution when conducting legitimate security research.

At the Financial Times Cyber Resilience Summit 2025, Security Minister Dan Jarvis acknowledged longstanding concerns about the CMA’s restrictive nature. He emphasized the critical role that ethical hackers and vulnerability researchers play in fortifying the nation’s digital infrastructure and pledged to introduce a statutory defense that protects their activities, provided they adhere to defined ethical standards.

Why Reforming the Computer Misuse Act Is Crucial

Originally enacted over three decades ago, the CMA criminalizes unauthorized access to computer systems, a provision that has been instrumental in prosecuting cybercriminals. However, many cybersecurity experts argue that the law’s broad language inadvertently jeopardizes their work, which often involves probing systems without explicit permission to identify security flaws.

For example, Simon Whittaker, former head of cybersecurity at consultancy Instil, recounted how his legitimate research was mistakenly linked to the notorious WannaCry ransomware attack, nearly resulting in his arrest. Such incidents highlight the urgent need for clearer legal protections that distinguish between malicious hacking and responsible security testing.

Previous Reform Attempts and Challenges

Efforts to update the CMA have faced significant hurdles. Former Home Secretary Priti Patel came close to enacting reforms in 2021, but the proposals ultimately stalled. More recently, early 2025 saw another attempt led by Lord Chris Holmes and Lady Tim Clement-Jones during the passage of the Data (Access and Use) Bill. This initiative was rejected amid concerns that loosening the law could create loopholes exploitable by cybercriminals.

Despite these setbacks, the government’s renewed commitment signals a shift toward balancing robust cybersecurity defenses with effective legal frameworks.

Support from the Cybersecurity Community and Economic Implications

The CyberUp Campaign, a prominent advocacy group championing CMA reform, welcomed the government’s announcement as a landmark development. The campaign has long argued that the outdated legislation hampers the UK’s competitiveness by discouraging cybersecurity firms from establishing operations domestically.

According to recent industry analyses, the lack of clear legal protections for security researchers costs the UK economy millions annually by limiting innovation and deterring investment in cyber defense capabilities. The campaign views the proposed statutory defense as a vital step toward fostering a safer and more attractive environment for cybersecurity talent.

Looking Ahead: Building a Future-Proof Cybersecurity Legal Framework

Security Minister Dan Jarvis emphasized the government’s intention to collaborate closely with industry stakeholders to ensure the revised CMA is both comprehensive and resilient against emerging cyber threats. The goal is to craft legislation that not only protects ethical hackers but also anticipates future technological developments, thereby safeguarding the UK’s digital ecosystem for years to come.

This reform represents the most significant advancement in UK cybercrime law in decades, promising to empower security researchers to operate without fear of legal repercussions while maintaining strong defenses against malicious actors.
