Campaign urges UK cyber law reform to back researchers

The CyberUp Campaign has published a report calling for changes to the UK’s Computer Misuse Act 1990, arguing that the law now leaves the country behind others in protecting cyber security researchers.

The report, titled Protections for Cyber Researchers: How the UK is being left behind, says the UK’s legal framework has not kept pace with modern cyber threats or reforms introduced elsewhere. It argues that this gap affects cyber defence, recruitment, investment and the wider resilience of the digital economy.

At the centre of the case is the treatment of cyber security researchers who test systems or investigate vulnerabilities in the public interest. The report says several jurisdictions have introduced clearer legal safeguards for such work, while the UK has not created comparable protections under the Computer Misuse Act.

Those jurisdictions include Australia, Belgium, France, Germany, Hong Kong, Malta, Portugal and the United States. The campaign points to Portugal as a recent example of a country that updated its cybercrime law to create a legal exemption for cyber security research carried out in the public interest.

It argues that the UK’s position is increasingly exposed because the Computer Misuse Act predates the modern internet and has not been updated to reflect the current threat landscape. Without action from ministers, the report warns, the UK risks falling further behind peers that have revised older laws to match changes in cyber security practice.

A possible legislative route already exists. According to the campaign, the Cyber Security and Resilience Bill, currently before Parliament, is the clearest vehicle for modernising how cyber legislation interacts with criminal law.

Economic Cost

The intervention comes amid growing concern over the financial impact of cyber attacks on the UK economy. The report cites research estimating that cyberattacks cost the country almost £15 billion a year, equivalent to around 0.5% of gross domestic product.

That figure underpins the campaign’s argument that legal uncertainty around cyber security research is tied to the country’s wider economic interests. In its view, the current framework may make the UK less attractive to talent and investment at a time when businesses, public bodies and charities face more frequent and more complex attacks.

The CyberUp Campaign describes itself as a coalition of cross-party parliamentarians, academics and industry bodies, including the CBI and techUK. Its central goal is to reform the Computer Misuse Act so the law better reflects current cyber risks and established research practices.

Pressure for Reform

The report adds to a wider UK debate over whether criminal law drafted in an earlier era is now too blunt for a modern cyber security environment. Researchers and industry groups have long argued that the law can create uncertainty for legitimate work intended to identify weaknesses before malicious actors exploit them.

The campaign also raises a competitiveness question. If other countries offer clearer protections or exemptions for public-interest cyber research, the UK may be at a disadvantage in attracting specialists who want certainty over the legal status of their work.

Supporters of reform argue that this matters not only for private sector security teams but for the broader national ecosystem of universities, consultants, technology firms and researchers that contribute to cyber resilience. The report warns that inaction could weaken the UK’s ability to retain expertise as peer markets update their own frameworks.

It also presents the issue as one of alignment between policy ambition and legal structure. The UK has repeatedly stressed the importance of strengthening cyber defence, but that ambition is harder to realise, the campaign argues, if the law governing cyber activity remains rooted in 1990.

A spokesperson for the CyberUp Campaign put it this way: “Cyber attacks are growing in scale, sophistication and severity, with a devastating impact on infrastructure, businesses and charities. While other countries have moved to refresh their cyber laws in response, the UK’s Computer Misuse Act hasn’t been updated since before the modern internet – hardly the best platform for accelerating our defences into the next decade.

Portugal has demonstrated how to modernise their equivalent law through cyber legislation. We urge the Government to follow this example and act swiftly through the Cyber Security and Resilience Bill to achieve meaningful reform, or risk lagging even further behind our peers,” the spokesperson said.