Britain Is Finally Giving Security Researchers the Legal Cover They Were Always Owed

Key Takeaways

• The UK government announced on May 13, 2026, via the King's Speech, that it will overhaul the Computer Misuse Act 1990 as part of the incoming National Security Bill.
• The 35-year-old law has no defense for good-faith security work, meaning researchers doing legitimate vulnerability research and threat intelligence have operated under legal risk for decades.
• The proposed reform would introduce a statutory public interest defense, giving cybersecurity professionals explicit legal protection for defensive work.
• While the UK moves to protect researchers, the US under the Trump administration has been revoking visas and threatening deportation for scientists who study internet platforms.

A Law That Was Outdated Before the Internet Grew Up

On May 13, 2026, the King's Speech confirmed that the UK will overhaul the Computer Misuse Act 1990 as part of the National Security Bill. After years of stalled amendments, failed Lords debates, and ministerial foot-dragging, the reform is now finally on the table.

The CMA was drafted in 1990, partly in response to a journalist who had accessed BT's voicemail system. It defines unauthorized access to a computer broadly enough to capture anyone who probes a system they do not own, regardless of intent, with no carve-out for public interest and no defense for good-faith researchers. A penetration tester identifying a vulnerability in a client's system is, technically, committing the same offense as a ransomware operator.

That is not a hypothetical concern. Daniel Cuthbert, who sits on the British government's own cybersecurity advisory board, was himself prosecuted under the CMA in 2004 for accessing a charity website during a security check. The law has a history of reaching the wrong people.

The CyberUp Campaign, the coalition leading the push for reform, tabled amendments to the Criminal Justice Bill and later to the Data (Use and Access) Bill, only to see them defeated each time. The February 2026 committee debate on the Cyber Security and Resilience Bill saw MPs raise the issue again, with assurances that have now materialized into a legislative commitment.

What Good Policy on Researchers Actually Looks Like

The proposed reform would introduce a statutory public interest defense, meaning researchers who can demonstrate they were acting in good faith to detect or prevent harm would have a legal basis to stand on. The CyberUp Campaign has framed this as the minimum threshold for the bill to count as meaningful, with a spokesperson calling it a "genuine turning point" and noting that professionals had been left "operating under unnecessary legal risk while hostile actors move faster and with fewer constraints."

That framing is exactly right. Security Minister Dan Jarvis put it plainly at the FT Cyber Resilience Summit in December 2025, acknowledging that the law left researchers "feeling constrained in the activity they can undertake." His government is now, finally, acting on that acknowledgment, and that is a major step in the right direction against the digital censorship, especially when all too many governments in the world are doing the opposite.

While Britain Builds a Defense, Washington Is Dismantling One

Britain is updating a 35-year-old law to give researchers legal room to do defensive work. The Trump administration, meanwhile, has spent the past year revoking visas and threatening deportation for scientists who study internet platforms, under the logic that researching online harms constitutes "censorship of Americans."

The Coalition for Independent Technology Research filed a federal lawsuit in March 2026 after several members had their visas revoked for work on misinformation and content moderation, with State Department cables directing consular officers to pursue visa ineligibility findings against researchers in those fields. The chilling effect reaches anyone doing serious work on how digital platforms operate, and it is by design.

The pattern does not stop with researchers. The US has also revoked visas for five directors of La Nación, Costa Rica's leading independent newspaper, with no explanation. The same administration that positions itself as a global free expression defender is using immigration enforcement to police what journalists and scientists are allowed to say and study.

The Direction of Travel Is the Story

Britain's reform is not finished, and the CyberUp Campaign has been explicit that anything short of a clear, workable defense for good-faith cybersecurity activity will not be enough. That is the right pressure to maintain.

For decades, successive UK governments rejected reform on the grounds that a loophole might benefit criminals. That argument was never very convincing, and it is less convincing now that countries with better legal frameworks for researchers are ahead on cyber resilience. The UK is moving toward giving its defenders what they need and much deserve. In today’s increasingly censored world, this is a much-needed win, and, for once, genuinely something to be happy about.