UK Moves to Shield Security Researchers in Cybercrime Law Overhaul

What happened

The UK government announced on Wednesday that it will rewrite key cybercrime laws as part of a broader national security legislative package introduced in the King’s Speech opening a new parliamentary session. The proposed reforms would update the Computer Misuse Act 1990, a law drafted before cloud computing, modern ransomware operations, and the contemporary cybersecurity industry existed.

The CMA has drawn sustained criticism from security researchers, penetration testers, and cybersecurity firms for creating legal uncertainty around legitimate defensive security work. Its broad unauthorized-access provisions have left professionals concerned that vulnerability research, threat intelligence operations, and authorized penetration testing could expose them to criminal liability. The CyberUp Campaign, which has lobbied for reform for years, described the announcement as a genuine turning point.

The government has not yet published draft legislation, and the precise scope of the reforms remains undefined. While in opposition, the Labour Party proposed a public interest defense for hackers, but that amendment was not adopted at the time. Whether ministers intend to introduce a formal statutory defense for good-faith cybersecurity research, or to focus more narrowly on updated investigative powers, remains an open question.

The King’s Speech briefing notes also referenced proposed Cyber Crime Risk Orders, which would give authorities powers to impose restrictions on individuals considered to pose an ongoing cyber threat, and new powers addressing the concealment of evidence on behalf of cybercrime suspects. The legislation is expected to be introduced to Parliament later this year.

Who is affected

UK-based security researchers, penetration testers, threat intelligence professionals, and cybersecurity firms operating under the current legal ambiguity of the CMA are the primary beneficiaries of the proposed reforms. Organizations that commission security testing or run vulnerability disclosure programs also carry indirect legal exposure under the current framework, which the reforms would address.

Why CISOs should care

The Computer Misuse Act’s outdated provisions have created a structural disadvantage for UK cyber defenders. The Act's core offense turns on whether access was authorized, not on whether the person accessing the system intended harm, and it contains no public interest defense, so legitimate security research, including the kind that finds vulnerabilities before attackers do, has operated in a legal grey area for decades. The UK’s NCSC has repeatedly acknowledged that skilled defensive researchers are among the country’s most important cyber assets, yet the law governing their work has not kept pace with what that work actually involves.

The proposed Cyber Crime Risk Orders also represent a meaningful shift in enforcement posture, moving toward preventive disruption of cyber threats rather than relying solely on prosecution after attacks occur. For security leaders advising on threat intelligence operations or bug bounty programs, tracking how the legislation takes shape will be important for understanding what activities are formally protected.

3 practical actions

  1. Monitor the draft legislation as it develops for the specific scope of any statutory public interest defense: The government has signaled intent but not defined the boundaries of any protection for security researchers. Track parliamentary proceedings and engage with industry bodies such as the CyberUp Campaign to understand how the final legislation will define protected activities before adjusting your organization’s research and disclosure policies.
  2. Review existing penetration testing and vulnerability research contracts for legal clarity under current law: While reforms are forthcoming, the CMA remains in force as written, and under it authorization is what separates lawful testing from an offense. Ensure that all security testing activities are covered by written agreements that clearly establish scope, the identity and authority of the person granting authorization, and purpose, and that any systems the client does not own or control (for example, third-party hosted infrastructure) are either explicitly excluded or separately authorized by their owner. This remains the strongest protection available under existing law until reforms take effect.
  3. Assess how Cyber Crime Risk Orders may affect threat intelligence and information sharing practices: If the proposed orders can restrict individuals assessed as posing ongoing cyber threats, understand how that authority might interact with legitimate security research that involves studying threat actor infrastructure and techniques, and engage with industry consultation processes to ensure researcher protections are adequately defined.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.