Game-Changing Victory: UK Government Commits to Statutory Defence for Security Researchers
After five years of relentless campaigning, Security Minister Dan Jarvis delivers the strongest government commitment yet to modernizing Britain's cybercrime laws
On December 3, 2025, at the Financial Times Cyber Resilience Summit, UK Security Minister Dan Jarvis made an announcement that sent shockwaves of relief and celebration through the cybersecurity community. The UK government is looking at creating a statutory defence within the Computer Misuse Act that would protect security researchers from prosecution when spotting and sharing vulnerabilities, provided they meet certain safeguards.
This represents the most concrete commitment any UK government has made to fixing a 35-year-old law that has left the nation's cyber defenders working with one hand tied behind their backs.
Why This Matters
The Computer Misuse Act of 1990 was created when just 0.5% of the UK population had internet access. While designed to prosecute cybercriminals, the law punishes behavior without any regard for the motivation of those carrying it out, offering no protection whatsoever for professional researchers acting in good faith.
This has created an impossible situation for UK cybersecurity professionals. Activities that are fundamental to defending organizations—vulnerability research, threat intelligence gathering, incident response—technically constitute "unauthorized access" under the CMA, potentially exposing researchers to prosecution even when they're trying to protect British interests.
Previous studies revealed that 60% of security professionals believe the CMA acts as a barrier to working effectively, and 80% claim it puts the UK at a competitive disadvantage on the world stage. The economic impact is staggering—CyberUp estimates that out of nearly 2,000 active cybersecurity firms in the UK, almost 600 have experienced economic losses due to their inability to work effectively under current legal constraints.
The Long Road to Reform
The journey to this moment began in early 2020 when the CyberUp Campaign launched, bringing together industry leaders, academics, and professionals to advocate for reform. The coalition has been pushing for a statutory defence that would allow cybersecurity professionals acting in the public interest to defend themselves from prosecution and unjust civil litigation.
Over the past five years, the campaign has achieved several milestones:
- May 2021: Home Secretary Priti Patel announced plans to explore CMA reform
- August 2022: Research revealed broad consensus among security professionals on needed changes
- February 2023: Government opened consultation on CMA reforms (though campaigners were disappointed by its limited scope)
- December 2024: Parliamentary amendments proposed by Lords Holmes and Clement-Jones sought to introduce statutory defence—but were withdrawn after government resistance
Previous attempts stalled, with the government arguing that they were premature, leaving campaigners frustrated after years of effort. But persistence paid off.
What Changed
Minister Jarvis's announcement represents a fundamental shift. In his speech, he explicitly acknowledged the concerns raised by the cybersecurity community, stating that the CMA leaves many cyber security experts feeling constrained in their activities, and emphasized that researchers play an important role in increasing UK system resilience.
The timing is critical. Jarvis highlighted major 2024 cyber incidents affecting Co-op, Marks and Spencer, Harrods, and Jaguar Land Rover, noting that the Bank of England believes the JLR attack contributed to the contraction in economic growth in September. Additionally, fifty percent of small businesses reported being hit by cyber attacks last year, meaning hundreds of thousands of organizations were targeted.
The government has also committed to publishing a National Cyber Action Plan with defined roles and tasks for all stakeholders, and has consulted over 400 individual partners across business, critical national infrastructure, and international allies.
The International Context
The UK's hesitation on CMA reform has increasingly isolated it from international peers. Several European countries including Belgium, Germany, France, Malta, and the Netherlands have either recently updated their legal frameworks to address professional hacking or already had more appropriate legal regimes.
Industry leaders have emphasized the urgent need for reform, particularly as the US and EU move ahead with protections for ethical hackers. The competitive disadvantage was becoming untenable—UK companies were being forced to purchase threat intelligence and security services from overseas providers operating under more permissive legal frameworks.
What Comes Next
While this announcement is cause for celebration, the cybersecurity community knows the work isn't done. The devil will be in the details of those "certain safeguards" Jarvis mentioned. CyberUp has developed a Defence Framework to guide how a statutory defence should be applied, emphasizing that reform must address the risk of misuse while explicitly not supporting 'hacking back' activities that would disrupt or degrade the systems under investigation.
Key considerations going forward include:
- Scope of Protection: Will the statutory defence cover both vulnerability research and threat intelligence work? The community is clear both are essential.
- Safeguards Design: What conditions must researchers meet? The framework needs to protect legitimate work while preventing abuse.
- Legislative Vehicle: Will reform come through standalone legislation, the Cyber Security and Resilience Bill, or another vehicle?
- Implementation Timeline: When can researchers expect actual legal protection rather than just promises?
The Stakes
This year 39% of businesses reported cybersecurity breaches or attacks; extrapolated across the UK's business population, that means 2.3 million businesses were victims of computer misuse offences. Meanwhile, cybercrime has become such a massive problem that if it were a national economy, it would be the third largest in the world, with experts claiming online scams could cost the world $27 trillion annually by 2027.
The UK cannot afford to keep its cyber defenders legally hamstrung. The government's 2022 National Cyber Strategy called for a 'whole of society' approach to tackling cyber threats—but this cannot be possible while the private sector still has one hand tied behind its back.
A Victory Five Years in the Making
For those who've been fighting this battle since 2020—organizations like NCC Group, WithSecure, McAfee, Trend Micro, and countless individual researchers—Jarvis's announcement represents validation of years of advocacy work. The CyberUp Campaign's persistence through multiple government administrations, parliamentary setbacks, and bureaucratic delays has finally resulted in the strongest commitment yet from any UK government.
But as the campaigners know well, announcements must become legislation, and legislation must become implementation. The cybersecurity community will be watching closely to ensure this commitment translates into meaningful legal protection that actually allows UK cyber defenders to do their jobs without fear of prosecution.
After 35 years, the Computer Misuse Act is finally on the path to joining the 21st century. For UK cybersecurity professionals, that journey can't happen fast enough.