CSR Bill a “golden opportunity” to reform CMA and remove its “chilling effect”, Public Bill Committee hears

Yesterday (Tuesday 3 February 2026), the Public Bill Committee hearing oral evidence on the Cyber Security and Resilience (Network and Information Systems) Bill heard further clear calls to reform the Computer Misuse Act 1990 (CMA) as part of this legislative moment.

Chris Anley, Chief Scientist at NCC Group, suggested the CSR Bill presented a “golden opportunty to reform the Computer Misuse Act, which he warned MPs can put cyber defenders at legal risk for routine, necessary investigative steps as it treats unauthorised access as an offence even where the purpose is defensive. He backed CyberUp’s proposal for a tightly safeguarded statutory defence to protect legitimate cyber security work while maintaining the integrity of the law.

Professor John Child, Co-founding Director of the Criminal Law Reform Now Network, argued that the CMA’s blanket criminalisation model creates a “chilling effect“ that actively undermines collaboration, professionalisation, and structured reporting between industry and public bodies.

He stressed that prosecutorial discretion cannot solve this problem, and that a tailored statutory defence is the most practical route to enable legitimate security activity while preventing misuse by bad actors.

He also raised the fact that several other countries have made legislative changes to ensure cyber professionals are not prosecuted for accessing computer systems without permission from the system owner, as long as they are acting in the public interest. Portugal, for instance, recently amended its legislation through the NIS2 reforms – the equivalent of the CS&R Bill – demonstrating the appropriateness of this legislative mechanism to reform the CMA in the UK.