The CMA is awful
The CMA is the worst of both worlds at the moment
Literally everything can be shoehorned into one of the three or four categories.
And with the exception of the causing death clause, the penalties are laughable.
It needs cleaning up to better define an offence, and it needs to be given some teeth to act as a sufficient deterrent.
For the protection of legitimate security testing, it should be a case of a reasonable attempt to gain permission / inform the system owner, and membership of a relevant authorising body ((ISC)2, ISACA, CREST, EC-Council, TIGER, SANS, etc.), along with contemporaneous documentation of actions taken and an intent to inform. A CVE request / bug bounty submission would be a good option too.
If a responsible body for deciding which certs count needs to be appointed, the NCSC, in its role as National CERT and SPOC, makes a good candidate.