UK moves to shield security researchers in cybercrime law overhaul
The British government announced Wednesday it will rewrite key cybercrime laws after years of warnings that outdated legislation was hindering security researchers and weakening the country’s cyber defenses.
The proposed reforms, outlined in briefing documents published alongside the King’s Speech opening a new parliamentary session, would update the Computer Misuse Act 1990 as part of a broader national security package focused on cybercrime and digital threats.
While the nature of the rewrite has not been set out, in opposition the Labour Party had proposed a legal amendment that would have introduced a public interest defense for hackers. This was not passed at the time.
The move marks the clearest signal yet that the government is prepared to revisit one of the UK cyber industry’s longest-running complaints: that the country’s main cybercrime law no longer reflects the realities of modern defensive security work.
The Computer Misuse Act was drafted before the rise of cloud computing, ransomware gangs, cryptocurrency laundering and the modern cybersecurity industry. Researchers and industry groups have argued for years that the law’s broad unauthorized-access provisions can create legal uncertainty around legitimate activities such as vulnerability research, penetration testing and threat intelligence operations.
Campaigners say that ambiguity has left security professionals concerned that work intended to identify vulnerabilities or protect organizations from attack could still expose them to legal risk.
A spokesperson for the CyberUp Campaign said the government’s decision to include the reforms in its legislative agenda represented a significant shift.
“Today marks a genuine turning point for cyber security in the UK. For years, the Computer Misuse Act (CMA) has left legitimate cyber security professionals and researchers operating under unnecessary legal risk, while hostile actors move faster and with fewer constraints.
“By including CMA reform in the National Security Bill, the Government has recognised a basic reality: cyber professionals cannot be expected to defend the country with one hand tied behind their backs,” they added.
“The test now is whether the legislation delivers a clear, workable statutory defence for good-faith cyber security activity, including vulnerability research and threat intelligence. We stand ready to work with ministers and Parliament to turn this commitment into a lasting upgrade to the UK’s cyber resilience.”
The King’s Speech briefing notes also referenced proposed “Cyber Crime Risk Orders” and powers relating to people suspected of concealing evidence on behalf of cybercrime suspects, suggesting the government is pursuing a broader strategy aimed at disrupting ransomware and organized cybercrime networks.
The proposed Cyber Crime Risk Orders could give authorities powers to impose restrictions on individuals considered to pose an ongoing cyber threat, reflecting a wider shift among governments toward preventive disruption measures rather than relying solely on criminal prosecutions after attacks occur.
The government has not yet published draft legislation, and significant questions remain about the scope of the reforms, including whether ministers intend to introduce a formal statutory defense for public-interest cybersecurity research or focus more narrowly on updated investigative powers.
Successive governments had previously resisted major changes to the Computer Misuse Act despite repeated calls for reform from researchers, cybersecurity firms and parliamentarians who argued the legislation risked placing British defenders at a disadvantage against increasingly sophisticated cybercriminals.
The legislation is expected to be introduced in Parliament later this year.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79



