UK cybercrime law reform proposals face criticism from security experts

Experts warn UK cybercrime law reforms may leave most researchers unprotected

Concerns are growing within the cybersecurity industry over the UK government’s proposed reforms to the Computer Misuse Act 1990, with experts warning that the planned legal protections may benefit only a very small section of security researchers.

The reforms were announced during the King’s Speech after years of industry pressure to modernise laws that many experts believe restrict legitimate cybersecurity work. Last year, Security Minister Dan Jarvis said the government would introduce a statutory defence to protect researchers from prosecution if they followed certain safeguards.

However, experts briefed on the proposals said the planned protections are extremely narrow. According to the proposed changes, the legal defence would apply only to researchers scanning internet-facing systems for vulnerabilities.

Industry professionals argued that the proposals would prevent researchers from verifying whether vulnerabilities are genuine, assessing their severity or testing exploitability. Experts said this would significantly reduce the usefulness of vulnerability disclosures, as organisations often require proof before taking corrective action.

The proposed rules would also require accredited researchers to personally carry out testing activities without delegating tasks to junior staff or automated systems. In addition, only British nationals accredited by the UK Cyber Security Council would qualify for protection.

Officials reportedly said that only around 300 professionals currently hold such accreditation, representing roughly 0.4% of the UK cybersecurity workforce.

Experts criticised the accreditation requirement as a “pay to play” system that could exclude independent researchers, bug bounty hunters, academics and smaller cybersecurity firms that contribute significantly to global vulnerability reporting.

Industry representatives also warned that several standard cybersecurity practices, including investigating attacker infrastructure during cyber investigations, would remain criminalised under the proposed framework.

Concerns were also raised over the absence of clarity around AI-powered cybersecurity tools. Researchers noted that the proposals do not address how autonomous AI systems used for vulnerability discovery and security testing would be treated under the law.

Cyber policy consultant Jen Ellis said researchers had hoped for broader legal protection for good-faith security research but described the current proposal as “much narrower”.

The UK Home Office said the government will continue working with the cybersecurity industry while refining the proposed legislation.
