Yesterday (24 February), the Public Bill Committee on the Cyber Security and Resilience (Network and Information Systems) Bill debated two new clauses proposing mechanisms to update the Computer Misuse Act 1990 (CMA), before they were ultimately withdrawn following ministerial assurances on the Government’s direction of travel.

Yesterday (Tuesday 3 February 2026), the Public Bill Committee hearing oral evidence on the Cyber Security and Resilience (Network and Information Systems) Bill heard further clear calls to reform the Computer Misuse Act 1990 (CMA) as part of this legislative moment.

The CyberUp Campaign was twice referenced in the House of Lords on Wednesday during Committee stage of the Crime and Policing Bill, as peers tabled amendments aimed at introducing a statutory defence into the Computer Misuse Act 1990 (CMA) to protect legitimate cyber security activity.

Tuesday was a busy day for mentions of the Computer Misuse Act in Parliament, as several MPs spoke up to highlight the opportunity to reform the CMA presented by the Cyber Security and Resilience (Network and Information Systems) Bill.

As 2025 draws to a close, the CyberUp Campaign is marking a year of meaningful momentum towards updating the UK’s outdated Computer Misuse Act 1990 (CMA). This year saw the conversation move decisively from “why reform is needed” to “how reform can be delivered”, with clearer ministerial signals, deeper Home Office engagement, and multiple legislative pathways now in play.

On Wednesday 3rd December, Security Minister Dan Jarivs MP announced that the Government is looking at a “legal change” to the Computer Misuse Act to “create a ‘statutory defence’ for … researchers to spot and share vulnerabilities”.

On Wednesday afternoon, the much-anticipated Cyber Security and Resilience BIll was presented before Parliament. While the Bill does not include Computer Misuse Act reform, it is very encouraging that the Government is currently reviewing concrete proposals to update the Act.

On Tuesday 28th January, CyberUp supporter Lord Holmes of Richmond spoke passionately on his amendments to the Data (Use and Access) Bill, which would have updated the Computer Misuse Act to include a statutory defence.

The campaign has welcomed government proposals to ban all public sector bodies and critical national infrastructure from making ransomware payments, as well as plans to introduce mandatory reporting of ransomware attacks.

As 2024 draws to a close, we are celebrating a year of significant progress in our call for an urgent update to the UK’s outdated Computer Misuse Act 1990 (CMA). From shaping key legislative debates to expanding our engagement with both industry and Parliament, we’ve made great strides towards modernising the UK’s cyber laws. Here’s a look at six pivotal moments that defined our year:

On Wednesday afternoon, several peers spoke in support of Lord Holmes’s amendment to the Data (Use and Access) Bill proposing to update the Computer Misuse Act with a statutory defence to allow cybersecurity professionals to defend themselves from prosecution for legitimate cyber defensive activities.

In an exciting update, an amendment to the Data (Use and Access) Bill has been tabled by Lord Holmes proposing to update the CMA and introduce ‘a statutory defence’. This is a key ask of the CyberUp Campaign. The amendment will hopefully be raised at Grand Committee Stage on Monday 16th December.

Yesterday, the CyberUp Campaign hosted an expert-led drop-in event in Parliament. Our event focused on briefing parliamentarians on why updating the outdated Computer Misuse Act must be a priority for the new Government and why these much-needed updates to our cybersecurity laws will enhance sector growth and better equip the UK to tackle 21st century cybersecurity challenges impacting all areas of society.

The CyberUp Campaign hosted a virtual briefing event to update industry partners and professionals from within the sector on the progress of the campaign to update the Computer Misuse Act (1990).

Our parliamentary activity over the course of the last year has brought not insignificant successes, including securing amendments to the Criminal Justice Bill to include an update to the Computer Misuse Act from the then Labour shadow front bench and positive engagement with civil servants involved in the issue.

We urgently need your input on our survey to present decision-makers in the new Government with clear, up-to-date and indisputable evidence of how the Computer Misuse Act impacts cyber security researchers, professionals and businesses in the UK, so they are convinced of the necessity of this update.

The introduction of the Cyber Security and Resilience Bill in today's King's Speech – the first time ‘cyber security’ has been mentioned in the title of primary legislation – will be key to keeping the UK safe from rising cyberattacks, bringing the UK’s cyber regime in line with the EU’s Network and Information Systems Directive (NIS2) requirements in several ways.

Last week, the CyberUp Campaign hosted an expert-led drop-in event in the House of Lords in partnership with Lord Clement Jones, a long-time supporter of the CyberUp Campaign.

Representatives of the UK’s cyber security sector and the CyberUp Campaign have reacted to the worrying findings of the Government’s Cyber Security Breaches Survey, published today, with the report showing 50% of businesses and 32% of charities suffered a cyber breach or attack in the last year.

In an exciting update, an amendment to the Criminal Justice Bill has been tabled today on reform to the CMA and the introduction of ‘a statutory defence’.

As we come to the end of 2023, the CyberUp Campaign is reflecting on what has been a busy year for the Campaign.