The long-awaited reform of Britain’s outdated Computer Misuse Act of 1990 – which has hamstrung the work of the nation’s cyber security professionals and researchers for years – is to be included in a new National Security Bill.
Announced today by King Charles III in his speech at the State Opening of Parliament, the National Security Bill is chiefly designed to make the UK a harder target for hostile foreign states and other dangerous groups to attack.
It comes partly in response to the 2024 Southport terror attack and more recent incidents targeting Britain’s Jewish community. It will create new offences around creating and disseminating harmful material online and, according to Westminster, will close gaps within the nation’s state threats legislation and align it more closely with anti-terror laws.
Ultimately, the stated goal is to improve the UK’s ability to counter the full spectrum of threats ranged against it by enhancing the powers available to law enforcement and the security services.
The government said that reforming the legal cyber landscape as part of this will give cyber cops updated powers and capabilities to “remain effective in the digital age”.
It intends to create a Cyber Crime Risk Order that can be applied to control the behaviour of cyber criminals, and new abilities to search people believed to be concealing evidence on behalf of suspected offenders.
“It will also unlock the power of cyber security professionals to better enable them to secure computer systems. It will also seek to tackle the pervasive threat to the UK economy and businesses, posed by ruthless cyber criminals,” said the government.
Bona fide professionals
The CMA was passed thirty-five years ago in response to a high-profile hacking incident involving no less than the King’s father, the late Duke of Edinburgh.
It defined the offence of unauthorised access to a computer – which has been used successfully in countless cyber crime prosecutions over the years.
However, as the cyber security landscape has developed into its current form, this language has become increasingly vague. For some years now, a growing number of bona fide security professionals have been arguing that it potentially criminalises their work because, from time to time, they may need to gain covert access to IT systems in the course of legitimate research.
Speaking to Computer Weekly in 2025, Belfast-based security consultant Simon Whittaker described how the police showed up at his front door after his research was erroneously implicated in the infamous WannaCry incident of 2017.
At the time, Whittaker said: “It [CMA reform] would allow us to be more secure in our research. I’d love to be able to just look at things in more detail and help people secure themselves. It would allow us to focus on our jobs instead of being worried that we’re going to breach something or that something else is going to go wrong.”
Besides making life easier for security teams, the CyberUp Campaign, which has been pushing for reform for years, estimates that merely by reforming the CMA to give legitimate security professionals a statutory defence in law, Britain’s cyber sector – which employs almost 70,000 people generating £11.9bn in revenues – could unlock up to 20% growth right off the bat.
A campaign spokesperson said: “Today marks a genuine turning point for cyber security in the UK. For years, the CMA has left legitimate cyber security professionals and researchers operating under unnecessary legal risk, while hostile actors move faster and with fewer constraints.
“By including CMA reform in the National Security Bill, the Government has recognised a basic reality: cyber professionals cannot be expected to defend the country with one hand tied behind their backs.
“The test now is whether the legislation delivers a clear, workable statutory defence for good-faith cyber security activity, including vulnerability research and threat intelligence. We stand ready to work with ministers and Parliament to turn this commitment into a lasting upgrade to the UK’s cyber resilience,” they said.
AI adds urgency to reform chatter
Sabeen Malik, vice president for global government affairs and public policy at Rapid7, added: “As AI-driven vulnerability discovery scales, defenders need to run automated scanning, agentic red-teaming, and large-scale vuln research at machine speed – activities the 1990 Computer Misuse Act’s broad unauthorised-access provisions were never designed to accommodate, leaving UK researchers exposed to criminal risk for work their adversaries face no equivalent friction performing.
“Hostile actors are already weaponising AI to find and exploit zero-days faster than human teams can triage them, so any legal regime that chills good-faith use of the same capabilities by UK defenders directly widens the offence-defence gap the National Cyber Strategy is meant to close.
“A statutory public-interest defence – the test the CyberUp Campaign has now set for the bill – is the minimum needed to give industry, CERTs, and threat-intel teams the legal certainty to deploy AI-enabled defensive tooling at the scale the threat environment now demands,” said Malik.
