High Severity

No Safe Harbor for Security Research

This provision criminalizes unauthorized access to computer systems and critical infrastructure (2-5 years imprisonment, up to 25,000 penalty units) without defining what constitutes "lawful authority" or providing explicit exemptions for security researchers, penetration testers, or bug bounty participants. Combined with the Authority's directive power over "innovators, developers" (41), this creates a regime where security researchers face criminal liability unless they obtain explicit Authority approval before testing—chilling legitimate vulnerability research and responsible disclosure practices that are essential to cybersecurity innovation.