Companies do it via vulnerability scans. Doesn't seem to be illegal there?
Anyone can scan and probe, document "this port appears to be accessible, it's port 22 so I'll presume this is SSH". This is legal.
What you can't do is scan and probe and try lots of usernames:passwords, this is covered by the Computer Misuse Act and various EU legislation. This is illegal.
When companies do it to other companies, via penetration tests and other tests. This is legal because it is not a misuse of a computer if you've gained permission in advance. In this scenario the company would have contracted someone to try and gain access so that they have a list of things to do to then make sure that they are not vulnerable to real attackers. This is the "white hat" (we do it with your permission to keep you safe, and we tell you what we found in a responsible way) vs "black hat" (we don't ask permission, and do it for our own profit).
Don't mistake the existence of white hat security companies to imply that their activities, if non-sanctioned by the party in question, would be legal. They would not.
Well who knows... the EU/USA/UK could pass laws on port blocking.. ;)
This would be naive.
No law should state which ports should be blocked, as this would inhibit innovation and the evolution of the internet.
A law should simply state that end user telecommunication services should be configured to provide minimal services at time of purchase, but to retain common carrier status the end user should be able to configure this to allow any service to be available.
Also, there are privacy implications. Imagine if an application could be identified by its traffic or port numbers, the ISP having a database of which users have enabled that service means that they can be compelled to give up that information. So there are downsides.
Companies do it via vulnerability scans. Doesn't seem to be illegal there?
But that's a business employing people, with the business either owning the assets, or the user agreeing with the scans, not a business to consumer relation.
There's a whole discussion on The Reg on improving the devices themselves, but as they're made internationally with varying standards that's probably near impossible.
Well who knows... the EU/USA/UK could pass laws on port blocking.. ;)