Government to reform Computer Misuse Act
It’s only taken 35 years
The UK government has formally pledged to rewrite the 35-year-old Computer Misuse Act (CMA) to shield cybersecurity professionals from potential prosecution for legitimate threat research.
Security minister Dan Jarvis confirmed the commitment on 3rd December at the Financial Times Cyber Resilience Summit 2025, announcing that individuals who responsibly identify and disclose vulnerabilities will be protected from legal repercussions.
"We've heard the criticisms about the Computer Misuse Act, and how it can leave many cyber security experts feeling constrained in the activity that they can undertake," Jarvis told attendees.
He added that the government intends to amend the CMA to introduce a statutory defence allowing researchers to identify and report vulnerabilities without fear of prosecution, provided they comply with specific safeguards.
The Computer Misuse Act, first introduced in 1990 partly in response to a journalist’s high-profile hack of BT, criminalises unauthorised access to computer systems.
While the provision remains an effective tool against cyber criminals, cybersecurity professionals have long argued that the same rule can technically criminalise routine activities like pen-testing, which requires gaining system access without overt permission.
Industry leaders have campaigned for revisions for years, warning that the law's outdated structure no longer reflects modern technology or cyber defence practices.
However, attempts to amend the CMA have repeatedly stalled.
The most notable effort came from former Conservative home secretary Priti Patel in 2021, but the proposals failed to progress.
Lords Chris Holmes and Tim Clement-Jones renewed the push during debates on the Data (Access and Use) Bill in January 2025. Those proposals were ultimately rejected following objections from former government chief scientific adviser Patrick Vallance.
Holmes said the Act was "introduced at a time when technology was unrecognisable compared to today," insisting that it "hinders the sector's ability to keep us safe and holds businesses back from reaching their full potential."
Merlin Hay, the Earl of Erroll, said the law had been flawed from the moment it was enacted.
"The problem is, it offers no defence for the 'good guys' who are working to protect systems," he noted.
Vallance, while acknowledging the concerns driving reform, warned that modifying the Act is far from straightforward.
His earlier recommendations on pro-innovation technology regulation broadly supported protections for researchers, but he cited significant disagreement among industry and law enforcement stakeholders.
"While some in the industry argue that the CMA prevents legitimate public interest activities, others worry about unintended consequences."
Vallance stressed that poorly controlled exemptions could create new loopholes for criminals, undermine investigations, and weaken policing capabilities.
Cyber community celebrates progress
Campaigners now believe meaningful reform is finally within reach.
A spokesperson for the CyberUp Campaign – the coalition leading the push for change – hailed Jarvis's announcement as a "major breakthrough" that will strengthen the UK's reputation in the global cyber landscape.
They argue that legal uncertainty has been costing the UK significant economic opportunity and discouraging cyber teams from establishing bases in the country.
"This is the most significant movement on Computer Misuse Act reform in decades," they told Computer Weekly.
"We look forward to working with the Home Office to ensure the final legislation is robust, future-proof and provides sufficient protections for both vulnerability and threat intelligence researchers."