The British government's long-awaited reform of its main cybercrime law would shield fewer than 300 security professionals from prosecution — roughly 0.4% of the country's 69,600-strong cyber workforce — because the proposed statutory defence is so narrowly drawn that it excludes nearly every standard activity in the industry, multiple sources briefed on the plans told Recorded Future News.
The Computer Misuse Act 1990, drafted three decades before cloud computing and modern ransomware existed, has long been criticized for criminalizing legitimate defensive security work. When King Charles III announced on May 13 that the act would be reformed as part of the new National Security Bill, the CyberUp Campaign — which has lobbied for change since 2020 — called it "a genuine turning point." That optimism has since curdled.
Sources briefed on the specific proposals, in reporting first published May 21 by Recorded Future News, say the statutory defence would apply only when researchers are being prosecuted for scanning internet-facing systems — an activity already performed continuously, and from outside UK jurisdiction, by commercial platforms such as Shodan and Censys. Virtually every other form of defensive security work would remain criminalized.
National Security Bill Limits Defence to Scanning, Nothing Else
The restrictions go further than their narrow scope. Under the current proposals, accredited researchers would be required to stop the moment they identify a vulnerability — before they can confirm it is real, assess its severity, or establish whether it can actually be exploited. Industry professionals say that renders any resulting disclosure nearly worthless: system owners routinely demand proof that a flaw is genuine before acting on it.
Researchers would also be barred from directing others to carry out work on their behalf, a condition that directly conflicts with the standard commercial model in which senior professionals supervise junior colleagues or automated tools. And the defence would be limited to British nationals who hold an active accreditation from the UK Cyber Security Council — the only body authorized to confer chartered status on cybersecurity professionals, comparable to the status conferred on chartered accountants or engineers.
Government officials acknowledged to sources briefed on the plans that only around 300 people currently hold such accreditation. That is approximately 0.4% of the 69,600 full-time-equivalent professionals employed across the UK cyber sector, according to official government figures published in May 2026.
Who Gets Cut Out: Bug Hunters, Academics, Independent Researchers
The accreditation gate drew the sharpest criticism from experts consulted by Recorded Future News. Multiple sources described it as a "pay to play" model that would exclude bug bounty hunters, independent academic researchers, hobbyists, and professionals at smaller firms — groups that collectively account for a disproportionate share of global vulnerability disclosures.
Jen Ellis, a cyber policy consultant who advises the British government independently and sits on the UK Cabinet Office's Government Cyber Advisory Board, acknowledged that officials had engaged constructively with the industry but warned of a fundamental mismatch. The current proposal, she said, was "much narrower" than researchers had hoped for, focused only on scanning for known vulnerabilities rather than the broad statutory safe harbour the sector sought.
Ellis also criticized any defence tied to professional certifications, arguing that security research is often conducted independently and outside large organizations. Such requirements would "impede" research and skills development, favor large companies over individuals, and ultimately "criminalise the individual, not the act."
Standard Industry Practices Remain Illegal Under Current Draft
What the proposed reform does not cover is as revealing as what it does. Accessing attacker infrastructure to understand live campaigns — a standard practice across global threat intelligence — remains criminalized under the current proposals. So does vulnerability proof-of-concept development. So does the supervision of junior staff conducting penetration testing.
Sabeen Malik, vice-president for global government affairs at Rapid7, put the competitive stakes directly: as AI-driven vulnerability discovery scales, defenders need to run automated scanning, agentic red-teaming, and large-scale vulnerability research at machine speed. The 1990 act's broad unauthorized-access provisions were never designed to accommodate those activities, leaving UK researchers exposed to criminal risk for work their adversaries face no equivalent friction performing.
That competitive disadvantage is already measurable. Industry groups say some British firms route sensitive research work through jurisdictions with clearer legal frameworks — Germany, France, the Netherlands, Belgium, and the United States — none of which has reported difficulty prosecuting cybercriminals as a result. The Home Office said it was speaking to international counterparts to understand their approaches.
Agentic AI Testing Left in Legal Grey Zone
The proposals also take no account of agentic AI tools, which are increasingly used across the industry to conduct vulnerability discovery and security testing autonomously. Whether activity performed by an AI system — rather than a named, accredited human — would fall within a defence requiring individuals to conduct tests personally has not been addressed by the government.
Critics say this risks producing a legal framework that is already out of date before it reaches the statute book. Agentic red-teaming tools are not a future development; they are in active deployment across major UK security operations. Rapid7's Malik warned that any legal regime that discourages the good-faith use of AI-enabled defensive tooling directly widens the gap between UK defenders and the adversaries they face.
Government Defends Proposal, Industry Presses for Changes
The informal workarounds that currently substitute for legal clarity illustrate how inadequate the status quo is. One researcher whose company works with UK police told Recorded Future News they had raised concerns with a senior officer after accessing a criminal's network during an investigation. The officer's response: do not worry, the Crown Prosecution Service would take the public interest into account even without a statutory defence. Industry groups have consistently said that kind of assurance is no basis on which to build a business, obtain professional indemnity insurance, or instruct colleagues.
The National Cyber Security Centre, whose own activities require the type of access the law currently prohibits, declined to say how many of its staff hold the chartered accreditation the proposed defence would require. A spokesperson said the agency's activities "comply with the law and are governed by a robust oversight framework."
A Home Office spokesperson said the National Security Bill "will balance supporting legitimate research with protecting national security" and that the government would "continue working with the industry as we refine our proposal." The legislation is expected to be introduced to Parliament later in 2026.
The CyberUp Campaign, which has campaigned for reform since 2020, set the test plainly after the King's Speech: whether the legislation delivers a "clear, workable statutory defence for good-faith cyber security activity, including vulnerability research and threat intelligence." By the accounts of multiple people briefed on the current draft, it does not yet pass that test.
Frequently Asked Questions
Who qualifies for the UK's proposed Computer Misuse Act statutory defence?
Under the current proposals, only British nationals who hold an active chartered accreditation from the UK Cyber Security Council would qualify. Government officials have acknowledged that approximately 300 people currently meet that requirement — about 0.4% of the 69,600 professionals employed across the UK cybersecurity sector.
How does the Computer Misuse Act affect security researchers?
The act criminalizes unauthorized access to computer systems without distinguishing between malicious and defensive intent. Security researchers who access attacker infrastructure, develop proof-of-concept exploits, or test systems outside formal written authorization risk prosecution even when acting in good faith. The government's current reform proposal does not resolve this for the vast majority of the profession.
What does the UK cybersecurity law reform actually cover?
The proposed statutory defence applies only to cases where researchers are prosecuted for scanning internet-facing systems. It does not cover accessing attacker infrastructure, vulnerability proof-of-concept development, supervision of junior staff, or the use of agentic AI testing tools — activities that are standard practice across the global industry.
What happens if the National Security Bill passes without broader protections?
Security researchers, bug bounty hunters, and independent academics would remain in the same legal grey zone as today. Industry groups warn that British firms will continue routing sensitive research through jurisdictions with clearer legal frameworks, and that the country's 35-year disadvantage against adversaries who face no equivalent legal friction will persist.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.