The UK government will forge ahead with changes to the Computer Misuse Act (CMA) of 1990, introducing long-called-for changes to the 35-year-old law that will finally offer statutory protection from prosecution for cyber security professionals and threat researchers.
Speaking on 3 December at the Financial Times Cyber Resilience Summit 2025, security minister Dan Jarvis said: “We’ve heard the criticisms about the Computer Misuse Act, and how it can leave many cyber security experts feeling constrained in the activity that they can undertake. These researchers play an important role in increasing the resilience of UK systems, and securing them from unknown vulnerabilities.
“We shouldn’t be shutting these people out, we should be welcoming them and their work. Which is why we are looking at a legal change to the Computer Misuse Act,” said Jarvis.
“This would create a ‘statutory defence’ for these researchers to spot and share vulnerabilities, which would protect them from prosecution, as long as they meet certain safeguards.”
Introduced in part as a response to a high-profile hack of BT systems by a technology journalist, the CMA as written includes the offence of unauthorised access to a computer. While this offence is still used successfully to prosecute cyber criminal hackers to this day, many British cyber pros argue that it also runs the risk of criminalising their work, because from time to time they may need to access a computer without explicit permission.
Several attempts to reform the law have been made over the past six years; former Conservative home secretary Priti Patel arguably came closest to success in 2021, but to no avail.
A more recent endeavour, led by Lord Chris Holmes and Lord Tim Clement-Jones during the passage of the Data (Access and Use) Bill at the start of 2025, was shot down by no less a figure than former government chief scientific advisor Patrick Vallance, on the basis that changing the law risked creating a loophole for cyber criminals to exploit.
Speaking to Computer Weekly earlier in 2025, Simon Whittaker, head of cyber security at consultancy Instil, described how he narrowly avoided arrest, and almost had his front door broken in by police, after his work was mistakenly linked to the infamous WannaCry attack.
“The CMA doesn’t … put any kind of allowance for research or understanding that there are cyber professionals out there whose job it is to try to break things, to try to keep the nation secure and organisations safe,” said Whittaker.
“The CMA was a piece of legislation that was very broad, and the idea that it’s still there after this amount of time, and hasn’t been adapted in accordance with the changes we’ve seen over the last 20, 25 years that I’ve been in the industry, is quite bizarre.”
Promising development
A spokesperson for the CyberUp Campaign, which has been fighting for reform for some time now, hailed a promising development in the long-running saga. The campaign has long argued that the outdated law is costing the UK economy significant amounts of money every year by making Britain a less attractive jurisdiction in which to base cyber teams.
“This announcement is a major breakthrough for the UK’s cyber sector. It sends a clear signal that government understands the importance of enabling security researchers to operate without fear of prosecution for legitimate work,” they said.
“This is the most significant movement on Computer Misuse Act reform in decades, and we look forward to working with the Home Office to ensure the final legislation is robust, future-proof, and provides sufficient protections for both vulnerability and threat intelligence researchers.”
