UK Cyber Law

The Computer Misuse Act 1990

The Computer Misuse Act 1990 (c. 18) is the primary legislation criminalising computer-related offences in the United Kingdom. Enacted following the Law Commission’s 1989 report on computer misuse and the influential decision in R v Gold and Schifreen (1988) 86 Cr App R 438 — in which the House of Lords overturned convictions for accessing a British Telecom voicemail system under the Forgery and Counterfeiting Act 1981 — the CMA establishes three principal offences: unauthorised access to computer material (section 1), unauthorised access with intent to commit or facilitate further offences (section 2), and unauthorised acts with intent to impair the operation of a computer (section 3). Section 3A, added by the Police and Justice Act 2006, criminalises the making, supplying, or obtaining of articles for use in computer misuse offences. The Act was substantially amended by the Serious Crime Act 2015, which introduced a new offence under section 3ZA of unauthorised acts causing serious damage, including damage to human welfare, the environment, the economy, or national security, with a maximum penalty of life imprisonment. The Act has extraterritorial application: section 4 provides jurisdiction where there is a significant link with the United Kingdom, including where the accused or the target computer is in the UK, or where the offence causes damage within the UK. The Crown Prosecution Service published revised guidelines on computer misuse prosecutions in 2023, emphasising the importance of these provisions in addressing state-sponsored cyber attacks and ransomware campaigns.

The UK Cybersecurity Act

The Cybersecurity Act 2022 received royal assent on 29 March 2022 and addresses cybersecurity in two principal domains. Part 1 of the Act amends the Telecommunications Act 1984 to impose enhanced security duties on public electronic communications providers and on data centre service providers. These duties require providers to identify and assess security risks, implement proportionate technical and organisational measures, and report security incidents. The Act confers on the Secretary of State the power to issue codes of practice and to designate technical standards with which providers must comply. Part 2 creates a new regulatory regime for certain categories of software developers, importers, and distributors, requiring them to declare compliance with prescribed security requirements before making their products available to consumers in the United Kingdom. The Act empowers the Secretary of State to establish a framework for the security of consumer connectable products — smart devices — aligning with the European Union’s Cyber Resilience Act in its regulatory objectives while diverging in its enforcement mechanisms.

The Network and Information Systems Regulations 2018

The Network and Information Systems Regulations 2018 (SI 2018/506) transpose the EU NIS Directive (Directive 2016/1148) into UK law. Following the United Kingdom’s withdrawal from the European Union, the Regulations were retained as domestic legislation and have been amended by the NIS Amendment Regulations 2020 and the Network and Information Systems (EU Exit) Regulations 2021. The Regulations apply to operators of essential services in the energy, transport, water, digital infrastructure, health, and banking sectors, and to relevant digital service providers. Operators of essential services are required to implement appropriate and proportionate technical and organisational measures to manage security risks to their network and information systems, to prevent and minimise the impact of incidents, and to notify the relevant competent authority of incidents having a significant impact on service continuity. The competent authorities — sectoral regulators including the Financial Conduct Authority, Ofgem, and the Information Commissioner’s Office — are empowered to issue enforcement notices, monetary penalties (up to £17 million), and, in the case of digital service providers, to require cessation of non-compliant activities. The National Cyber Security Centre, a part of Government Communications Headquarters, serves as the single point of contact for cybersecurity in the UK and as the Computer Security Incident Response Team for the purposes of the Regulations.

The Online Safety Act 2023

The Online Safety Act 2023, one of the most extensive legislative interventions in digital regulation globally, received royal assent on 26 October 2023. The Act imposes a duty of care on user-to-user services and search services to protect users in the United Kingdom from illegal content and activity and to protect children from content harmful to their wellbeing. Ofcom, the communications regulator, is designated as the independent regulator with extensive enforcement powers, including the ability to impose fines of up to £18 million or ten per cent of qualifying worldwide revenue (whichever is greater), to require the implementation of specified technical measures, and, in cases of persistent non-compliance, to seek court orders requiring business disruption measures including payment blocking and internet access restriction. The Act categorises services based on their size, functionality, and user base, with largest services designated as Category 1 services subject to the most stringent duties, including the duty to conduct and publish risk assessments and to implement systems and processes to mitigate identified risks. Schedule 4 of the Act addresses fraudulent advertisements, imposing duties on user-to-user services to establish complaints procedures for fraudulent advertising. The Act does not include provisions requiring the dismantling of end-to-end encryption, though the government’s position during the legislative process confirmed that Ofcom may require services to use proportionate and technically feasible technology to identify and remove child sexual exploitation and abuse content, creating ongoing tension between online safety obligations and the protection of encrypted communications.

The Role of the National Cyber Security Centre

The National Cyber Security Centre, established in 2016 as an arm of GCHQ, serves as the United Kingdom’s authoritative technical authority for cybersecurity. The NCSC provides incident response and crisis management support to government, Critical National Infrastructure sectors, and the wider economy; issues cyber threat assessments and alerts through its Active Cyber Defence programme; develops and promulgates technical security standards and guidance, including the Cyber Assessment Framework and the 10 Steps to Cybersecurity guidance; and operates the UK’s Computer Security Incident Response Team. The NCSC’s Active Cyber Defence programme has deployed a series of national-scale protective measures, including the Protective DNS service, the Early Warning service, and the Web Check vulnerability scanning service. The NCSC also administers the Cyber Essentials and Cyber Essentials Plus certification schemes, which set baseline security controls for organisations seeking to demonstrate their cybersecurity posture. While the NCSC exercises no direct regulatory enforcement powers, its technical guidance is given significant weight by the courts and sectoral regulators in determining the standard of reasonable cybersecurity.

Data Protection Under UK GDPR

Following the United Kingdom’s withdrawal from the European Union, the Data Protection Act 2018 and the UK General Data Protection Regulation (as retained EU law) constitute the domestic data protection framework. The UK GDPR, as modified by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, substantively mirrors the EU GDPR in its core principles, data subject rights, controller and processor obligations, and international transfer mechanisms. The Information Commissioner’s Office enforces the UK GDPR and has exercised its corrective powers in several high-profile cybersecurity-related enforcement actions, including a £4.4 million monetary penalty against Interserve Group Limited following a ransomware incident that the ICO determined resulted from failures to implement adequate technical and organisational measures pursuant to Article 32 UK GDPR. The ICO’s regulatory approach to cybersecurity emphasises the importance of accountability, requiring controllers to demonstrate compliance through documentation of risk assessments, data protection impact assessments, and data processing records. The UK government has announced its intention to reform the UK GDPR framework through the Data Protection and Digital Information Bill, which proposes amendments including a revised lawful basis for processing for the purposes of scientific research, the expansion of the legitimate interests basis, and adjustments to the accountability framework for small and medium-sized enterprises.