UK plans for cybercrime law reform would protect almost no one, experts warn
Published 2026-05-21 15:05:58. Author: therecord.media

The British government’s plans to overhaul the country's main cybercrime law would offer such narrow legal protections that most security researchers would be left in the same position as today, multiple sources briefed on the proposals have told Recorded Future News.

Plans to amend the Computer Misuse Act 1990 were announced in the King's Speech last week following years of campaigning by industry to modernize a law they criticized for prohibiting ordinary cybersecurity activities.

Last December, Security Minister Dan Jarvis pledged the government would introduce a statutory defense — a formal legal protection written into law — protecting researchers from conviction in court, “as long as they meet certain safeguards.” But sources briefed on the plans, which have not previously been reported, say those safeguards are extremely limited.

The government plans to restrict the statutory defense only to cases where researchers are being prosecuted for scanning internet-facing systems. Scanning is a subset of cyberdefense activities that is largely already performed continuously, and from outside British jurisdiction, by commercial platforms such as Shodan and Censys.

The proposals would require researchers to cease activity the moment a vulnerability is identified, meaning they could not confirm it was real, assess its severity or determine its exploitability. Industry professionals say that renders any disclosure nearly worthless, since system owners routinely require proof that a vulnerability is genuine before acting on it.

Accredited researchers would also be required to conduct tests personally and could not direct others to carry out activity on their behalf, a provision that would cut across the standard commercial model in which senior professionals oversee junior staff or automated tools.

The proposals would also limit who could qualify for the statutory defense to British nationals holding accreditations with the UK Cyber Security Council — the only body able to confer chartered status on cybersecurity professionals, similar to the status conferred on chartered accountants or engineers.

Government officials told Recorded Future News’ sources that only around 300 people currently hold such accreditation — about 0.4% of the “nearly 70,000 highly skilled people” employed in the sector, according to official government figures.

The accreditation requirement was widely criticized by experts consulted by Recorded Future News, who described it as a “pay to play” model that could exclude bug bounty hunters, academic researchers, hobbyists and professionals at smaller businesses — all of whom account for a significant proportion of vulnerability disclosures globally.

The sources said the reforms appeared designed primarily to address the government's own legal exposure rather than the needs of the industry they are intended to help. They cited meetings in which the government itself acknowledged the Computer Misuse Act was constraining the activities of both law enforcement and the National Cyber Security Centre (NCSC).

A spokesperson for the NCSC said: “As you would expect, the NCSC’s activities comply with the law and are governed by a robust oversight framework delivering on our mission to make the UK the safest place to live and work online.” The agency declined to say how many of its own staff hold chartered status.

Jen Ellis, a cyber policy consultant and independent advisor to the British government, praised officials for engaging with the security community but warned there was “a misalignment between expectations and reality.”

She said researchers had hoped proposed reforms to the Computer Misuse Act would provide “a statutory defence or legal safe harbour” for good-faith security research, but argued the current proposal was “much narrower” and focused only on scanning for known vulnerabilities.

Ellis also criticized any carve-out tied to professional roles or certifications, saying security research is often conducted independently and outside large organizations. Such requirements, she argued, would “impede” research and skills development, favor big companies and ultimately “criminalise the individual, not the act.”

Standard practices across the global cybersecurity industry, including accessing attacker infrastructure to understand ongoing campaigns, remain criminalized in the United Kingdom. The government is understood to be concerned that a broad statutory defense covering these activities would provide malicious actors with legal cover.

Industry says the current position puts British companies at a competitive disadvantage to rivals in Germany, France, the Netherlands, Belgium and the United States — all of which operate under less restrictive legal frameworks and none of which has reported difficulty prosecuting cybercriminals as a result.

Industry bodies say some British firms already route sensitive research work through jurisdictions with clearer legal frameworks. The Home Office said it was speaking to international counterparts to understand their approaches to the issue.

The shortcomings of the Computer Misuse Act are widely known among specialists in British law enforcement. One researcher whose company works with the police told Recorded Future News they had raised concerns with a senior officer after accessing a criminal's network during an investigation. The officer's response, they said, was not to worry — the Crown Prosecution Service would take the public interest into account even without a statutory defense. Researchers and industry groups have said that kind of informal assurance is no basis on which to build a business, obtain professional insurance or instruct colleagues.

Researchers also flagged how the proposals took no account of agentic AI tools, which are increasingly used across the industry to conduct vulnerability discovery and security testing autonomously.

Whether activity performed by an AI system rather than a human researcher would fall within a defense requiring accredited individuals to conduct tests personally has not been addressed, raising the prospect of a legal framework that is already out of date before it reaches the statute book.

A spokesperson for the Home Office said: “This government recognises the major role that cyber security professionals play in enhancing and protecting the UK’s security. It is vital that we support them. Our National Security Bill will balance supporting legitimate research with protecting national security. We value the cyber security industry’s input and will continue working with them as we refine our proposal.”


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79

Article source: https://therecord.media/uk-plans-for-cybercrime-law-reform-limited-protections