The United Kingdom has long relied on the Computer Misuse Act 1990 (CMA) to criminalise unauthorised access to computer systems. Originally conceived at a time when digital technology was comparatively simple — and threats mostly limited to lone hackers — the CMA has become increasingly controversial as the nature of cyber-threats has evolved. In December 2025, the government publicly committed to rewriting the 35-year-old statute, promising to modernise the law and protect cybersecurity practitioners who act in the public interest.
Why the CMA is now considered outdated
The CMA’s core offence — unauthorised access to computer systems — was never designed with modern cyber-defence practices in mind. Today, legitimate cybersecurity activities such as vulnerability testing (pen-testing), threat research, or intelligence gathering often involve accessing systems in ways that, strictly speaking, could fall under “unauthorised access.” That means that ethical hackers — working to secure systems — risk prosecution under a law that treats them the same as malicious actors.
In effect, many professionals feel constrained; they hesitate to search for and report vulnerabilities, fearing legal consequences even when their intent is to help protect systems. Critics argue that this undermines national cyber-resilience and slows growth in the cybersecurity sector.
What the reform would do
The announced reform aims primarily to introduce a legal defence — often referred to as a “statutory public-interest defence” — for individuals who find and report vulnerabilities responsibly. Under the proposed changes, security researchers would no longer face prosecution for unauthorised access if their work is carried out in good faith, under clear safeguards, and aimed at improving security rather than committing wrongdoing.
Moreover, reformers argue that updating the CMA would allow the UK’s cybersecurity industry to compete globally. Other nations — such as France, Israel or the United States — reportedly have more permissive regimes that better support security research and innovation.
Supporters include a broad coalition of industry experts, legal professionals and academics — grouped under the CyberUp Campaign — who have long called on lawmakers to modernise the law and provide legal certainty to “the good guys.”
Roadblocks and concerns
The path to reform has not been smooth. Previous attempts to amend the CMA stalled; for instance, amendments proposed during debates on the Data (Use and Access) Act 2025 were rejected. Critics — including law-enforcement and security-policy figures — warned that introducing broad defences might open loopholes for criminals, make prosecutions harder, and allow malicious actors to hide behind “public-interest” claims.
In particular, implementing a defence requires careful drafting: what counts as “responsible research”? What safeguards prevent abuse? Without clarity, critics warn, reform might weaken efforts to tackle cybercrime rather than strengthen them.
Why it matters for the UK — and beyond
Adapting the CMA to modern cyber-realities is more than a niche legal discussion. Cybersecurity underpins everything: national infrastructure, business continuity, privacy, and public safety. When well-intentioned professionals are legally hampered, vulnerabilities may remain undiscovered — creating openings for criminals or state-sponsored cyber-attacks. Reform could help the UK better defend itself in an increasingly hostile digital environment.
Moreover, a modernised law could foster growth in the domestic cybersecurity sector. Legal certainty encourages investment, allows firms to operate without fear, and could attract talent — benefiting the UK’s economy and global cyber-standing.
What to watch next
As of December 2025, the government — via a statement from Dan Jarvis — pledged to proceed with reform at the next legislative opportunity.
Key questions remain, though: what exact language will be used? What limits or safeguards will be introduced? Will the “public-interest defence” be narrow (only for certain kinds of research) or broad (applicable more widely)? And how will law enforcement balance facilitating legitimate research with preventing misuse?
For cybersecurity professionals, legal experts, and citizens alike, the coming months will be crucial. If done well, the reform could bring the UK’s cyber-laws into the 21st century — and make the country safer. If done poorly, it might compromise both security and justice.