Looking Back on a Breakthrough Year for the CyberUp Campaign

As 2025 draws to a close, the CyberUp Campaign is marking a year of meaningful momentum towards updating the UK’s outdated Computer Misuse Act 1990 (CMA). This year saw the conversation move decisively from “why reform is needed” to “how reform can be delivered”, with clearer ministerial signals, deeper Home Office engagement, and multiple legislative pathways now in play. Here are six key moments that defined our year.

1. A clear ministerial signal on introducing a ‘statutory defence’

In December, Security Minister Dan Jarvis MP announced that the Government is looking at a legal change to the CMA to create a statutory defence for vulnerability researchers to spot and share vulnerabilities, something which the campaign has long been calling for. This is the most significant public indication to date that CMA reform is moving from principle into policy design and is a huge win for the campaign and its supporters.

2. Sustained engagement with the Home Office on CMA Reform

Throughout the year, the campaign has engaged closely with the Home Office, including correspondence with the Home Secretary’s and Security Minister’s offices. This engagement culminated in a meeting in November with the Home Office CMA Review team, where we discussed emerging proposals for a statutory defence.

3. The Cyber Security and Resilience Bill enters Parliament

In November, the Cyber Security and Resilience Bill was presented to Parliament as the first piece of primary legislation ever to contain ‘cyber’, underscoring the Government’s intent to strengthen UK cyber resilience. The Bill’s introduction reinforces that cyber policy is now firmly on the legislative agenda and creates a pivotal context for the CMA debate.

4. The Cyber Growth Action Plan recognises the Campaign

In September, the UK Cyber Security Growth Action Plan was published, suggesting key interventions needed to further develop the UK’s cyber security sector. Led by senior academic and sector figures, it explicitly referenced the campaign’s view asserting how the CMA impacts skills and growth. The plan also reflects the wider policy direction that cyber is recognised as a frontier industry within the Government’s Industrial Strategy.

5. Parliamentary and Industry Roundtables keep CMA reform on the radar

The campaign was delighted to be invited to two policy discussions on the Cyber Security and Resilience Bill and the UK’s wider cyber posture: a roundtable hosted by Victoria Collins MP, David Chadwick MP and Lord Clement-Jones, and a separate industry roundtable hosted by Dr Ben Spencer MP. These sessions have been valuable opportunities to reinforce that cyber resilience and cyber growth require legal clarity for legitimate cyber defence activity.

6. The Data (Use and Access) Bill

Early in the year, we responded to the withdrawal of a Lords amendment to the Data (Use and Access) Bill that would have updated the CMA to include a statutory defence. Although this was a missed legislative opportunity, the debate demonstrated strong, informed support in the Lords and helped sharpen the case for a Government-led route to reform.

Looking ahead: the Crime and Policing Bill – a fresh legislative opportunity in January

Lord Clement-Jones has tabled amendments to the Crime and Policing Bill to introduce a statutory defence to the Computer Misuse Act. These are due to be heard in January, and we will continue to work with supporters and parliamentarians to ensure any change delivers clear, workable protections for legitimate cyber security activity.

As we move into 2026, the campaign’s focus will be on ensuring any statutory defence is robust, tightly scoped to legitimate activity, and operationally usable, so that the UK’s cyber defenders can do their jobs with confidence, and the UK can fully realise the growth and resilience ambitions now being set out across Government.

We would like to extend our heartfelt thanks to all of our supporters—industry representatives, cyber security professionals, parliamentarians, and other allies—who have championed this cause.

With your support, 2026 is looking more and more like the year we finally achieve meaningful change in the UK’s cyber laws!