UK government pledges to rewrite Computer Misuse Act

Campaigners celebrate as security minister Dan Jarvis commits to amending the outdated Computer Misuse Act to protect security professionals from prosecution.

The UK government will forge ahead with changes to the Computer Misuse Act (CMA) of 1990, introducing long-called-for reforms to the 35-year-old law that will finally offer statutory protection from prosecution for cyber security professionals and threat researchers.

Speaking on 3 December at the Financial Times Cyber Resilience Summit 2025, security minister Dan Jarvis said: “We’ve heard the criticisms about the Computer Misuse Act, and how it can leave many cyber security experts feeling constrained in the activity that they can undertake. These researchers play an important role in increasing the resilience of UK systems, and securing them from unknown vulnerabilities.

“We shouldn’t be shutting these people out, we should be welcoming them and their work. Which is why we are looking at a legal change to the Computer Misuse Act,” said Jarvis.

“This would create a ‘statutory defence’ for these researchers to spot and share vulnerabilities, which would protect them from prosecution, as long as they meet certain safeguards.”

Introduced in part as a response to a high-profile hack of BT systems by a technology journalist, the CMA as written includes the offence of unauthorised access to a computer. While this offence is still used successfully to prosecute cyber criminal hackers to this day, many British cyber pros argue that it also runs the risk of criminalising their work because, from time to time, they may need to access a computer without explicit permission.

Multiple attempts to reform the law have been made at various times over the past six years, with former Conservative home secretary Priti Patel arguably coming closest to success in 2021, to no avail.

A more recent endeavour, led by Lord Chris Holmes and Lord Tim Clement-Jones during the passage of the Data (Access and Use) Bill at the start of 2025, was shot down by no less a figure than former government chief scientific advisor Patrick Vallance, on the basis that changing the law risked creating a loophole for cyber criminals to exploit.

Speaking to Computer Weekly earlier in 2025, Simon Whittaker, head of cyber security at consultancy Instil, described how he narrowly avoided arrest, and almost had his front door broken in by police, after his work was mistakenly linked to the infamous WannaCry attack.

“The CMA doesn’t … put any kind of allowance for research or understanding that there are cyber professionals out there whose job it is to try to break things, to try to keep the nation secure and organisations safe,” said Whittaker.

“The CMA was a piece of legislation that was very broad, and the idea that it’s still there after this amount of time, and hasn’t been adapted in accordance with the changes we’ve seen over the last 20, 25 years that I’ve been in the industry, is quite bizarre.”

Promising development

A spokesperson for the CyberUp Campaign, which has been fighting for reform for some time now, hailed a promising development in the long-running saga. The campaign has long argued that the outdated law is costing the UK economy significant amounts of money every year by making Britain a less attractive jurisdiction in which to base cyber teams.

“This announcement is a major breakthrough for the UK’s cyber sector. It sends a clear signal that government understands the importance of enabling security researchers to operate without fear of prosecution for legitimate work,” they said.

“This is the most significant movement on Computer Misuse Act reform in decades, and we look forward to working with the Home Office to ensure the final legislation is robust, future-proof, and provides sufficient protections for both vulnerability and threat intelligence researchers.”

Timeline: Computer Misuse Act reform

  • January 2020: A group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and needs reforming.
  • June 2020: The CyberUp coalition writes to Boris Johnson to urge him to reform the UK’s 30-year-old cyber crime laws.
  • November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs.
  • May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
  • June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work.
  • August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform.
  • September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals from potential prosecution.
  • January 2023: Cyber accreditation association Crest International lends its support to the CyberUp Campaign for reform to the Computer Misuse Act 1990.
  • February 2023: Westminster opens a new consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed.
  • March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard, say Bugcrowd’s ethical hackers.
  • November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left frustrated by a lack of legislative progress.
  • July 2024: In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting.
  • July 2024: The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work.
  • December 2024: An amendment to the proposed Data (Access and Use) Bill that will right a 35-year-old wrong and protect security professionals from criminalisation is to be debated at Westminster.
  • December 2024: Amendments to the Data Bill that would have given the UK cyber industry a boost by updating restrictive elements of the Computer Misuse Act have failed to progress beyond a Lords committee.
  • January 2025: Science minister Patrick Vallance rejects proposed amendments to the Computer Misuse Act, arguing that they could create a loophole for cyber criminals to exploit.
  • May 2025: Britain’s outdated hacking laws are leaving the UK’s cyber practitioners hamstrung and afraid. Security professional Simon Whittaker reveals how he nearly ran afoul of the Computer Misuse Act, and why he’s speaking out for reform.
