Computer Misuse Act reform is finally on the bill

Carl Heaton · Security Commentary

The Computer Misuse Act turned 36 this year. It was written in 1990, before the public web, before cloud, before bug bounties, before anyone had heard of ransomware. It is the law that decides whether a security researcher who finds a flaw in a UK system is a hero or a defendant. For most of the last decade, the answer has been "it depends on who's annoyed."

That is finally changing. In the State Opening of Parliament on 13 May 2026, the government confirmed that reform of the Computer Misuse Act will be carried in the new National Security Bill. The CyberUp Campaign has been arguing for this since January 2020. Security minister Dan Jarvis committed to it last December. The bill puts the commitment on paper.

What the bill is expected to do

Two things, on the current read.

A statutory defence for good-faith security work. The bill is expected to create a defence for activity that today sits in a grey zone: vulnerability research on systems you don't own, threat intelligence work that requires touching infrastructure, and the kind of automated scanning that modern defensive work depends on. None of that was contemplated in 1990, and the act's broad "unauthorised access" wording catches all of it.

New Cyber Crime Risk Orders. A civil power to restrict individuals who pose an ongoing threat, modelled on similar orders used elsewhere in serious crime. This sits alongside the existing criminal offences rather than replacing them.

What is genuinely unclear is whether the statutory defence will be a clean defence (you raise it, the prosecution disproves it) or a narrower set of investigatory carve-outs. The briefing documents released alongside the King's Speech do not settle that question. The detail will come when the bill is published in full, expected later in 2026.

Why this has been stuck for so long

Two competing fears, both reasonable.

Researchers and the industry have argued that the current law makes the UK a hostile place to do defensive work. If you find a flaw in a UK organisation's system and report it, you are relying on that organisation's goodwill not to call the police. Several well-known UK researchers have moved their work offshore for exactly this reason. Rapid7, CREST, and individual researchers like Simon Whittaker have all said publicly that the chilling effect is real.

The counter-argument from law enforcement has been that any defence risks being used by the people the act exists to catch. "I was researching it" is an easy claim to make after the fact. That tension is why reform has been promised, consulted on, and shelved more than once since 2020.

The bill's framing, putting CMA reform inside a national security vehicle, is the government's way of saying it has landed on the side of the researchers without giving up the enforcement edge.

What it doesn't change

Unauthorised access to systems you have no business touching is still a crime. Selling access, building criminal tooling, running ransomware: none of that gets any softer. The defence, if it lands as expected, is narrow: good-faith research, conducted reasonably, on a system where the researcher genuinely believed they were acting in the public interest or in the interest of the system's owner.

It also does not create a free-for-all on penetration testing. If you are paying someone to test your systems, the legal cover for that work has always been the contract you signed with them. That is still the right way to do it. A statutory defence is a backstop for legitimate research that doesn't have a prior contractual relationship, not a substitute for one.

What it means in practice

For most SMEs, nothing changes day to day. The act has always been more relevant to researchers than to the businesses they research. The thing worth noticing is the direction of travel.

If you commission security testing, keep doing it the way you already do: written scope, written authorisation, named systems, agreed dates. That is your protection and the tester's, and a new statutory defence does not replace it.

If a researcher contacts you out of the blue to say they have found a flaw in your system, the reform makes it more likely, over time, that an unsolicited report comes from someone acting in good faith rather than someone trying to set up a sale. Treating them like a threat by default has always been the wrong instinct. It will get harder to defend once the law changes.

If you are a developer or security professional yourself, the bill is the first serious sign in a generation that the UK wants legitimate defensive work to happen here rather than somewhere else. Watch for the published text. The wording of the defence is the whole point.

How Steelwise can help

If you don't have a process for what to do when a researcher reports a flaw, or your testing scopes haven't been looked at since you wrote them, those are sensible things to fix before the law changes around them. Get in touch.
