UK Plans for Cybercrime Law Reform Would Protect Almost No One, Experts Warn

The Record by Recorded Future, May 21, 2026

Why It Matters

A restrictive legal shield undermines UK cyber‑research capabilities, risking a talent drain and weakening the nation’s competitive edge in digital security. The reforms could force companies to seek safer jurisdictions, diluting the UK’s position as a cyber‑innovation hub.

Key Takeaways

  • Statutory defense limited to scanning internet‑facing systems only
  • Only 300 accredited researchers qualify, just 0.4% of sector
  • Requirement to halt testing on vulnerability discovery hampers disclosure
  • Proposals exclude AI‑driven tools and non‑chartered bug bounty hunters
  • UK law may push firms to outsource research abroad

Pulse Analysis

The Computer Misuse Act of 1990 has long been a stumbling block for legitimate security research in the UK. While its original intent was to criminalise unauthorized access, the rapid evolution of cyber‑defence practices – from bug bounty programs to AI‑assisted scanning – has rendered many of its provisions outdated. Industry groups have pressed the government for a statutory defence that would provide legal certainty for researchers acting in good faith, arguing that without it, firms struggle to obtain insurance and to attract talent.

The government’s latest draft restricts that defence to a narrow subset of activities: only the scanning of internet‑exposed assets, and only by chartered professionals accredited by the UK Cyber Security Council. With just 300 accredited individuals, the proposal excludes the vast majority of bug bounty hunters, academic researchers, and small‑business security teams. Moreover, the requirement to cease testing the moment a flaw is detected prevents researchers from confirming exploitability, a step often demanded by vendors before remediation. The draft also fails to address the growing use of autonomous AI tools, leaving a legal gray area for a technology that is increasingly central to vulnerability discovery.

If enacted, the reforms could place the UK at a competitive disadvantage relative to the US, Germany, France and the Netherlands, where broader safe‑harbour provisions encourage active research and rapid disclosure. Companies may route sensitive testing through jurisdictions with clearer legal frameworks, eroding the domestic cyber‑security ecosystem. Stakeholders are urging a more inclusive approach that balances national security concerns with the need to foster innovation, perhaps by expanding the statutory defence to cover a wider range of defensive activities and by decoupling protection from narrow accreditation criteria.
