Computer Misuse Act 1990 (UK)

Understand the criminal offences, defences, and enforcement powers that govern unauthorised access and interference with computer systems in the United Kingdom.

Overview

The Computer Misuse Act 1990 (CMA) is the cornerstone of UK cybercrime law. It sets out criminal offences for unauthorised access, modification, and impairment of computer systems. The Act has been amended numerous times (including the Serious Crime Act 2015 and Police and Justice Act 2006) to reflect emerging threats such as denial-of-service attacks and tools designed for hacking.

Why It Matters
  • Creates criminal liability for red teamers, penetration testers, and researchers who act without proper authorisation
  • Provides the legal basis for law enforcement to investigate and prosecute cyber offences
  • Relevant to incident response teams when considering referrals to the National Crime Agency (NCA)
  • Influences corporate policy for acceptable use, privileged access, and system monitoring
Key Agencies & Guidance
  • NCA / Regional Cyber Crime Units: Lead serious cybercrime investigations
  • College of Policing: Operational guidance for enforcing CMA offences
  • CPS: Crown Prosecution Service guidance on prosecuting CMA offences
  • Home Office: Policy updates, proposed reforms, and consultation outcomes

Core Offences

Each entry lists the section, the offence, and its key elements and sentencing.

Section 1: Unauthorised access to computer material
  • Accessing any program/data without authorisation (e.g., password guessing)
  • Intent: knowledge that access is unauthorised
  • Maximum sentence: 2 years (summary 12 months)
Section 2: Unauthorised access with intent to commit further offences
  • Section 1 access combined with intent to commit fraud or other serious crime
  • Example: accessing a payroll system intending to steal funds
  • Maximum sentence: 5 years (indictment)
Section 3: Unauthorised acts impairing the operation of a computer
  • Includes malware deployment, ransomware, DoS/DDoS attacks
  • Requires intent to impair, or recklessness
  • Maximum sentence: 10 years (indictment)
Section 3ZA: Unauthorised acts causing serious damage
  • Serious damage to human welfare, the environment, the economy, or national security
  • Applies to critical infrastructure attacks
  • Maximum sentence: life imprisonment
Section 3A: Making, supplying or obtaining articles for use in CMA offences
  • Production or distribution of hacking tools, malware, exploit kits
  • Knowledge or belief that the tool is likely to be used for CMA offences
  • Maximum sentence: 2 years (supplying), 1 year (obtaining)

Lawful Authorisation

  • Explicit written consent from the system owner (e.g., rules of engagement for penetration tests)
  • Ensure scope includes IP ranges, timing, attack types, and data handling expectations
  • Keep auditable records of approvals, sign-offs, and change requests
  • Consider double-lock authorisation for live production testing

Statutory Defences & Considerations

  • Section 10: Applies to activities authorised by warrants under the Investigatory Powers Act or Telecoms regulatory duties.
  • Public Interest Defence: Currently limited; security research reforms are under consultation. Follow NCSC vulnerability disclosure guidance.
  • Consent & Necessity: Genuine belief in authorisation may mitigate culpability but is risky to rely on.
  • Corporate Policy: Internal policies cannot override the CMA; ensure employees understand the legal boundaries.

Sentencing, Aggravating Factors & Enforcement

Sentencing Guidelines
  • Culpability (role in offence) and harm (financial loss, disruption, impact)
  • Consider mitigation: early guilty plea, cooperation, minimal damage
  • Confiscation under Proceeds of Crime Act may apply
Aggravating Factors
  • Targeting critical infrastructure or emergency services
  • Use of botnets or large-scale distributed attacks
  • Commercial gain or extortion motives
  • Repeat offending or organised crime links
Enforcement
  • National Crime Agency (NCA) Cyber Crime Unit
  • Regional Cyber Crime Units / Police Scotland / PSNI
  • International cooperation via Europol, INTERPOL, Budapest Convention
  • Computer Forensics Unit for evidence preservation and analysis

Organisational Good Practice

Policy & Governance
  • Acceptable Use Policy (AUP) with references to CMA offences
  • Privileged Access Management (PAM) with break-glass procedures
  • Incident escalation routes to legal counsel and law enforcement
  • Clear separation of duties for system administrators
Testing & Research
  • Written Rules of Engagement for penetration tests and red teaming
  • Coordinated vulnerability disclosure process aligned with NCSC guidance
  • Use of safe, controlled environments (sandboxes, labs) for malware analysis
  • Due diligence on third-party testing providers
Education & Awareness
  • Training for developers and administrators on legal boundaries
  • Awareness for employees on social engineering liability
  • Board-level briefings on cybercrime exposure and legal obligations
  • Embed CMA considerations into change management processes