Skip main navigation

What is the Computer Misuse Act?

This article looks at the history of the Computer Misuse Act (CMA), when it wa founded, and how it has developed.
© Coventry University. CC BY-NC 4.0

The Computer Misuse Act (CMA) is the main legislation in the UK which covers computer-related crime.

When was the CMA founded?

It was originally introduced in 1990 and has been used as a basis for similar legislation across the world. A number of updates have followed in recent years in order to reflect new technologies, developments in cyberspace and new forms of criminal activities.

Punishments for offences under the CMA vary depending on the severity of the crime, so let’s take a quick detour into some legal terminology to support our understanding.

A summary offence

A summary offence is usually one which is considered less serious. The case will only be looked by a magistrate and normally carries smaller penalties and shorter prison terms.

An indictment

An indictment is used for more serious offences and carries penalties up to the maximum and may involve a prison term. These cases will be decided by both a judge and a jury.

Back to the law itself, the CMA currently has five main offences:

Unauthorised access to computer material

  • It must be proved that the suspect knew their access was not authorised
  • The maximum prison sentence is 12 months (summary) or two years (indictment) and/or a fine

Unauthorised access with intent to commit or facilitate the commission of further offences

  • It must be proved that the suspect carried out the hacking to further some other criminal intention, such as theft
  • The maximum prison sentence is 12 months (summary) or five years (indictment) and/or an unlimited fine

Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer

  • This covers damage to computer systems or data, including Denial of Service (DoS) attacks
  • The maximum prison sentence is 12 months (summary) or 10 years (indictment) and/or an unlimited fine

Unauthorised acts causing or creating a risk of serious damage

  • This aims to protect human welfare, UK critical infrastructure, national security and the economy, in particular in relation to cyber-physical systems
  • The maximum prison sentence is 14 years or a life sentence in the case of damage to human welfare (eg loss of life, illness or injury, or threat to national security) and/or an unlimited fine

Making, supplying or obtaining articles for use in an offence under the above sections

  • This section also covers developers and distributors of any form of malware, botnets or any other hacking tools
  • The maximum prison sentence is 12 months (summary) or two years (indictment) and/or a fine

A common part of the criteria for the main offences under the CMA is that the prosecution has to prove that the suspect knew that they were not authorised and had acted intentionally. This affects the ethical hacker if they accidentally go out of scope.

For example, if they attack a system for which they have not been authorised, they are not yet automatically guilty under the CMA as they did not intend to commit that crime. However, if they intentionally attack a system which is out of scope (ie they are not authorised) they could be liable under the CMA.

Development of the CMA

In 2006, the CMA was amended by the Police and Justice Act in order to comply with the European Convention on Cyber Crime. The amendment increased the maximum penalties and also made it explicit that DoS is a crime.

The 2006 amendment also made the development, distribution or use of hacking tools illegal if there is an intent to commit or assist in the commission of a crime. This covers virtually every tool that an ethical hacker will have, with the only difference being that an ethical hacker does not have the intent to commit or assist in the commission of a crime.

The Serious Cime Act

In 2015, the CMA was amended again, this time by the Serious Crime Act, which introduced a new section protecting the UK national infrastructure, national security and human welfare.

The CMA continues to be updated with new developments focusing on covering smart mobile devices, as well as making the disclosure of stolen information illegal (eg publishing passwords).

The CMA has been used in convicting cyber criminals in many cases – see the Computer Misuse Act in action link under ‘Further reading’ for some examples.

If you’d like to learn more about ethical hacking, check out the full online course, from Coventry University, below.


Computer Misuse Act (1990) available from [11 April 2019]

Police and Justice Act (2006) available from [11 April 2019]

Serious Crime Act (2015) available from [11 April 2019]

Further reading

Computer Misuse Act Factsheet

Computer Misuse Act in action

© Coventry University. CC BY-NC 4.0
This article is from the free online

Ethical Hacking: An Introduction

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education