Reforming the UK's Computer Misuse Act
As proud Founding Members of the CyberUp Campaign in 2018, NCC Group began advocating for reform of the UK’s Computer Misuse Act (CMA) 1990. We were driven by the very real barriers the Act creates for cyber security professionals—from legal uncertainty to the risk of jail time—when conducting legitimate research. These risks extend even to our colleagues on vulnerability research, exploit development, and threat intelligence teams.
Since its launch in 2020, the CyberUp Campaign has brought together peers from across the cyber ecosystem, as well as trade associations, academics, and parliamentarians. We share a common belief: the UK’s cybercrime laws should not inadvertently criminalise the very same people seeking to keep the nation safe and secure. Yet, the industry continues to be constrained by an outdated legal framework – one that largely ignores the valuable contribution cyber professionals make to the UK’s security and prosperity.
At NCC Group, we are encouraged by recent signals that these concerns are being listened to, particularly the UK Government’s decision to launch an official process to explore how to better protect good-faith cyber security researchers. This is progress.
However, we cannot be complacent. At this crucial crossroads, we must continue to make the case for reform and work closely with Government to explore all options and ensure reform of the Act remains a cyber policy priority.
What are we advocating for?
Later this year, NCC Group will celebrate its 25th anniversary at the forefront of cyber security. In contrast, the UK’s Computer Misuse Act turns 35—yet, unlike us, it has not kept pace with the evolving cyber landscape.
While technology, threat actors, and defences have advanced rapidly, the CMA remains stuck in the past. Its blanket prohibition of all unauthorised access to computer systems fails to distinguish between malicious attackers and cyber security professionals acting in the public interest.
That means it is no longer fit for purpose in the 21st century.
As part of the CyberUp Campaign, NCC Group advocates for the inclusion of a statutory defence in the Act that would give individuals across the cyber industry legal protections to carry out crucial vulnerability research and threat intelligence, provided they meet certain criteria.
This reform is vital as the gap between threat actors and defenders continues to widen. Done right, it will empower researchers to fight cybercrime more effectively, bolster national security, and help ensure the UK thrives in the digital era.
How close to reform are we?
While the UK’s new Labour Government has confirmed a review of the Act is underway, concrete next steps are yet to be laid out. Meanwhile, other countries are forging ahead with their own reforms.
The EU’s Cyber Resilience Act encourages Member States to adopt measures that ensure cyber professionals are not prosecuted or held liable for researching vulnerabilities, with Belgium, Portugal, and Malta among the EU countries moving forward with these much-needed updates. Without similar action, the UK risks falling behind its international peers.

What’s next?
As we await the Government’s update on progress, NCC Group continues to work with our peers across the cyber ecosystem to make a case for 21st-century legislation that reflects today’s cyber security realities.
The continued ambiguity slows the industry and presents very real risks to the UK, as cyber security professionals must operate with one hand tied behind their back against a fast-evolving threat landscape. Therefore, we are urging the UK Government to prioritise reform of the Computer Misuse Act.
Updating the Act will help create a thriving environment for cyber talent, strengthen national cyber resilience, and unlock new economic opportunities for the UK’s cyber sector.