CYBERUK ’26: UK Lagging on Legal Protections for Cyber Pros

The Computer Misuse Act, drafted before the modern internet, still defines "unauthorised access" in vague terms that can criminalise routine security testing. As cyber attacks grow in scale, the UK’s legal framework lags behind peers such as the United States, Germany and France, which have introduced safe‑harbour provisions for ethical hackers. This disparity not only hampers research but also deters skilled professionals from operating in the UK, creating a competitive disadvantage in a sector that underpins national security and economic growth.

Portugal’s recent Decreto‑Lei 125/2025 illustrates how legislation can evolve without stifling security work. By embedding the EU NIS2 Directive, the law recognises that certain investigative actions may occur without explicit permission, provided they meet strict conditions—prompt vulnerability disclosure, avoidance of harmful tactics, and timely data deletion. The result is a clear, legally protected pathway for researchers to act in the public interest, encouraging collaboration between private firms and government agencies while reducing the fear of prosecution.

Building on these international models, the CyberUp Campaign’s Defence Framework offers a pragmatic blueprint for the UK. Its four pillars—harm versus benefit, proportionality, intent and competence—create a statutory defence that aligns legal accountability with professional standards. If adopted through the pending Cyber Security and Resilience Bill, the framework could restore confidence among cyber‑professionals, attract global talent, and accelerate the nation’s defensive capabilities. In a landscape where every minute of delay translates into heightened risk, swift reform is essential to keep the UK competitive and secure.