Skip main navigation

What is the Computer Misuse Act?

This article looks at the history of the Computer Misuse Act (CMA), when it wa founded, and how it has developed.

The Computer Misuse Act (CMA) is the main legislation in the UK which covers computer-related crime.

When was the CMA founded?

It was originally introduced in 1990 and has been used as a basis for similar legislation across the world. A number of updates have followed in recent years in order to reflect new technologies, developments in cyberspace and new forms of criminal activities.

Punishments for offences under the CMA vary depending on the severity of the crime, so let’s take a quick detour into some legal terminology to support our understanding.

A summary offence

A summary offence is usually one which is considered less serious. The case will only be looked by a magistrate and normally carries smaller penalties and shorter prison terms.

An indictment

An indictment is used for more serious offences and carries penalties up to the maximum and may involve a prison term. These cases will be decided by both a judge and a jury.

Back to the law itself, the CMA currently has five main offences:

Unauthorised access to computer material

  • It must be proved that the suspect knew their access was not authorised
  • The maximum prison sentence is 12 months (summary) or two years (indictment) and/or a fine

Unauthorised access with intent to commit or facilitate the commission of further offences

  • It must be proved that the suspect carried out the hacking to further some other criminal intention, such as theft
  • The maximum prison sentence is 12 months (summary) or five years (indictment) and/or an unlimited fine

Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of a computer

  • This covers damage to computer systems or data, including Denial of Service (DoS) attacks
  • The maximum prison sentence is 12 months (summary) or 10 years (indictment) and/or an unlimited fine

Unauthorised acts causing or creating a risk of serious damage

  • This aims to protect human welfare, UK critical infrastructure, national security and the economy, in particular in relation to cyber-physical systems
  • The maximum prison sentence is 14 years or a life sentence in the case of damage to human welfare (eg loss of life, illness or injury, or threat to national security) and/or an unlimited fine

Making, supplying or obtaining articles for use in an offence under the above sections

  • This section also covers developers and distributors of any form of malware, botnets or any other hacking tools
  • The maximum prison sentence is 12 months (summary) or two years (indictment) and/or a fine

A common part of the criteria for the main offences under the CMA is that the prosecution has to prove that the suspect knew that they were not authorised and had acted intentionally. This affects the ethical hacker if they accidentally go out of scope.

For example, if they attack a system for which they have not been authorised, they are not yet automatically guilty under the CMA as they did not intend to commit that crime. However, if they intentionally attack a system which is out of scope (ie they are not authorised) they could be liable under the CMA.

Development of the CMA

In 2006, the CMA was amended by the Police and Justice Act in order to comply with the European Convention on Cyber Crime. The amendment increased the maximum penalties and also made it explicit that DoS is a crime.

The 2006 amendment also made the development, distribution or use of hacking tools illegal if there is an intent to commit or assist in the commission of a crime. This covers virtually every tool that an ethical hacker will have, with the only difference being that an ethical hacker does not have the intent to commit or assist in the commission of a crime.

The Serious Cime Act

In 2015, the CMA was amended again, this time by the Serious Crime Act, which introduced a new section protecting the UK national infrastructure, national security and human welfare.

The CMA continues to be updated with new developments focusing on covering smart mobile devices, as well as making the disclosure of stolen information illegal (eg publishing passwords).

The CMA has been used in convicting cyber criminals in many cases – see the Computer Misuse Act in action link under ‘Further reading’ for some examples.

If you’d like to learn more about ethical hacking, check out the full online course, from Coventry University, below.


Computer Misuse Act (1990) available from [11 April 2019]

Police and Justice Act (2006) available from [11 April 2019]

Serious Crime Act (2015) available from [11 April 2019]

Further reading

Computer Misuse Act Factsheet

Computer Misuse Act in action

© Coventry University. CC BY-NC 4.0
This article is from the free online

Ethical Hacking: An Introduction

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now