Why the UK's "outdated" cybersecurity legislation needs an urgent refresh
The bipartisan coalition seeks to update the Computer Misuse Act


Parliamentarians from both sides of the aisle have called on the government to modernize the UK’s “outdated” cybersecurity laws to secure the country from growing digital threats.
The coalition, led by Lord Holmes of Richmond, said it wants to fix areas of the 1990 Computer Misuse Act (CMA), stating the legislation is not fit to govern the modern internet.
The CMA was drawn up to control dangerous or malicious misuse of computer systems and data. As the bill was created before the modern internet, the coalition argued that it fails to account for the challenges UK security practitioners are currently facing.
In particular, the bipartisan group said the CMA inadvertently criminalizes a very wide range of legitimate digital activities that it argues are crucial for safeguarding the country’s critical national infrastructure, businesses, and citizens.
The cross-party group has proposed a statutory defense for security practitioners who can demonstrate either a reasonable belief that the organization in charge of the system would have consented to their work, or that the work was necessary to catch malicious activity.
The push will seek to make “key amendments” to the Data (Access and Use) Bill, which are expected to be debated in the House of Lords Grand Committee on 18 December.
The CyberUp Campaign, a UK initiative pushing to refresh the UK’s cyber laws, argued that the changes proposed by Lord Holmes et al. are vital to enable security researchers to play a more central role in protecting digital systems and sensitive data in the UK.
Rob Dartnall, CEO at UK-based threat intelligence provider SecAlliance and representative of the CyberUp Campaign, said the campaign welcomed the recent developments, stating legitimate cybersecurity researchers face unique challenges in the UK as a result of the “outdated” legislation.
“We are delighted to see an amendment tabled that could bring the Computer Misuse Act into the 21st century by introducing a statutory defence. Updating this Act would represent a landmark moment for UK cyber security legislation, which is outdated when compared to the cyber threat landscape we face,” he said.
“The UK’s outdated cyber laws are preventing our cyber security professionals from defending organisations effectively. In no other sector do security professionals face risks of breaking the law for simply doing their jobs. Campaign research shows that nearly two-thirds of cyber professionals say the CMA hinders their ability to safeguard the UK—an untenable situation as cyber threats grow.”
Dartnall added that this action has been sorely needed in light of the growing cyber threats facing the country, arguing that giving security practitioners the freedom to do more to help protect the country is essential.
“The last two years have seen unprecedented levels of critical vulnerabilities, ransomware breaches and third party system breaches, all of which have had a massive effect on people’s data privacy and the UK’s economy,” he explained.
“By introducing a statutory defence, the UK could protect legitimate cybersecurity professionals, strengthen its cyber defences, and reinforce its place as a cybersecurity leader.
“It is time we updated the law to fit with the digital age. With support from across parliament, we believe this amendment could be a catalyst for a change that would better protect the country.”
Solomon Klappholz is a former Staff Writer at ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.