Key Points
- Experts say the UK’s proposed cybercrime law reforms would leave most people without meaningful legal protection.
- The debate centres on the Computer Misuse Act 1990, which campaigners and legal experts say is outdated and too restrictive.
- Critics argue the law currently hinders cyber security professionals, journalists and academics from investigating threats in the public interest.
- The Criminal Law Reform Now Network has called for urgent reform, saying the legislation is “crying out for reform”.
- A separate CyberUp Campaign warning in 2026 said the UK is lagging on legal protections for cyber professionals.
- Government proposals published in 2024 included new law enforcement powers to preserve and seize data for investigations.
- Experts say reform is needed to protect critical national infrastructure and improve the UK’s cyber resilience.
- The issue remains politically and legally sensitive because it involves balancing security, privacy, lawful hacking and public safety.
LONDON — UK plans to reform cybercrime laws have drawn sharp criticism from experts who say the proposals would do little to protect ordinary people, while leaving cyber security professionals, journalists and academics exposed to prosecution under outdated rules. As reported by the Criminal Law Reform Now Network, the Computer Misuse Act 1990 is still the main law governing cybercrime in the UK, but it is now seen by many specialists as unfit for the modern internet age.
What is being changed?
The government’s reform plans follow long-running criticism that the Computer Misuse Act has not kept pace with modern cyber threats. According to Pinsent Masons, the UK government outlined reforms in October 2024 that would give law enforcement agencies new powers to tackle cyber security threats and online crime, including powers to preserve data and seek seizure of data through court authorisation.
However, critics say those measures focus on enforcement rather than protection. As reported by the Criminal Law Reform Now Network and quoted in CyberUp material, the core problem is that the existing law can deter legitimate cyber security work because professionals may fear crossing legal lines when they carry out threat intelligence research.
Why are experts warning about it?
As reported by the Criminal Law Reform Now Network, the Computer Misuse Act 1990 is “crying out for reform” because, in its current form, it can prevent cyber security professionals from researching attackers and threat actors. The same report says that this leaves the UK’s critical national infrastructure at greater risk.
The report also argues that the law restricts journalists and academics from investigating cyber threats in the public interest. That concern matters because public-interest reporting and independent research are often how weaknesses in systems, companies and state defences are identified before they are exploited.
What do campaigners want?
The reform campaign has pushed for changes that would better protect those working on the defensive side of cyber security. According to Fox IT’s summary of the CLRNN recommendations, the group wants new public-interest defences for cyber threat intelligence professionals, academics and journalists, alongside wider updates to existing offences.
The same recommendations include new corporate offences, fresh sentencing guidelines, and reforms intended to make the law more future-proof and technology-proof. Campaigners argue this would allow defenders to do their jobs without fear of prosecution, while still preserving the ability to punish genuine criminal activity.
How serious is the problem?
The concern is not merely academic. CyberUp’s March 2025 report said the current law is compromising the UK’s cyber resilience by holding back vital research against cyber criminals and geopolitical threat actors. That, the campaign said, increases the risk to national infrastructure and weakens the country’s ability to respond to attacks.
In April 2026, Computer Weekly reported that the CyberUp Campaign was again urging the government to keep focus on reform, warning that the UK was lagging on legal protections for cyber professionals. The same report said the group proposed a four-pillar framework aimed at protecting specialists from prosecution while they carry out legitimate security work.
What does the government say?
The government’s position, as reflected in earlier reform proposals reported by Pinsent Masons, is that law enforcement needs stronger tools to investigate online crime and preserve evidence. Those proposals suggest a desire to strengthen the state’s ability to respond to cyber offences, rather than weaken it.
That creates the central tension in the debate. Supporters of reform want legal clarity for defensive cyber work, while the state wants stronger powers to stop criminal abuse of digital systems. The disagreement is not over whether cybercrime is a threat, but over how the law should draw the line between lawful defence and unlawful access.
Why does the law matter now?
The Computer Misuse Act dates back to 1990, when the internet was far less embedded in daily life than it is today. Kaspersky’s review of UK cybercrime law notes that cybercrime legislation has evolved over time, but also says no single law can fully address the global nature of cybercrime.
That point is central to the present debate. The rise of cross-border attacks, ransomware, state-linked threat actors and complex supply-chain risks has made cyber law more difficult to apply in practice. Campaigners argue that if defenders cannot probe systems safely and legally, attackers gain an advantage.
What happens next?
At this stage, the dispute appears to be moving between campaigners, legal experts and policymakers rather than reaching an agreed settlement. The March 2025 CLRNN report, the April 2026 CyberUp warning and the government’s earlier reform proposals together show a policy argument that is still unresolved.
For now, the criticism remains clear: experts say the planned reforms do not go far enough to protect the people trying to defend the UK from cyber attacks, and that without broader legal change, the law will continue to shield almost no one in practice.