An update to the Computer Misuse Act 1990 is among the proposed legislation outlined in the King’s Speech of My 13, 2026.
According to the Labour Government, this will provide law enforcement with updated powers and capabilities, so they remain effective in the digital age. The creation of a Cyber Crime Risk Order will place controls on the behaviours of cyber criminals, alongside new powers to search those believed to be concealing evidence on behalf of suspects. Also promised is a legal way for cyber security professionals to go about securing computer systems.
For the King’s Speech 2026 in full visit https://www.gov.uk/government/speeches/the-kings-speech-2026.
The CyberUp Campaign has complained that the 1990 law governing ‘computer misuse’ has become well out of date and does not allow ethical cyber employees to test systems for vulnerabilities without running the risk of prosecution; and has meant the UK has fallen behind other countries in terms of legal protections for cyber workers.
Comments
Sabeen Malik, VP for Global Government Affairs and Public Policy at Rapid7, said:ย โAs AI-driven vulnerability discovery scales, defenders need to run automated scanning, agentic red-teaming, and large-scale vuln research at machine speed โ activities the 1990 Computer Misuse Actโs broad unauthorised-access provisions were never designed to accommodate, leaving UK researchers exposed to criminal risk for work their adversaries face no equivalent friction performing.
“Hostile actors are already weaponising AI to find and exploit zero-days faster than human teams can triage them, so any legal regime that chills good-faith use of the same capabilities by UK defenders directly widens the offence-defence gap the National Cyber Strategy is meant to close.
“A statutory public-interest defence โ the test the CyberUp Campaign has now set for the bill โ is the minimum needed to give industry, CERTs, and threat-intel teams the legal certainty to deploy AI-enabled defensive tooling at the scale the threat environment now demands.โโโโโโโโโโโโโโโโโ
Shankar Haridas, Head of UK and Ireland at ManageEngine said: โBoards need to treat cyber resilience as a strategic priority, not just an IT cost. Cyber resilience is now a business continuity issue as much as a technical one, a viewpointโฏemphasisedโฏby the Kingโs Speech.ย The attack surface in our country is expanding, not shrinking. And, with threats increasingly targeting critical national infrastructure,โฏthereโฏneeds to be stronger visibility across identities, endpoints, applicationsโฏand privileged access – and faster incident response times to mitigate the long tail impact of attacks.
โWeโve seen the impact of high profile attacks and it’s critical businesses pivot away from reactive security models. A Government report shows cyber incidents are now part of normal business risk – yet supply chain assurance and board-level governance remain major gaps. Organizationsโฏneed continuous monitoring, identity-first controlsโฏand tighter recovery times to overcome attacks and protect their assets.โ
And Jamie Akhtar, CEO and co-founder of CyberSmart, said: “Over the past 12 months, the UK has seen a marked shift toward treating cyber resilience as a core issue of national security, economic stability and operational continuity. That shift has been reflected not only in the progression of the Cyber Security and Resilience Bill, but across wider government activity, including announcements at CYBERUK, continued NCSC intervention and growing concern around AI-enabled cyber threats.”
