Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
29MAY

UK cyber bill drops payment regime

3 min read
14:17UTC

The UK Cyber Security and Resilience Bill reached report stage and third reading in the Commons on 10 June, but the consulted ransomware-payment ban and economy-wide reporting duty are absent from the published text.

TechnologyDeveloping
Key takeaway

The UK bill expands reporting duties but leaves the ransomware-payment ban out of the published text.

The UK Cyber Security and Resilience Bill reached its report stage and third reading in the House of Commons on Wednesday 10 June, the stage before it passes to the House of Lords 1. The bill widens the reportable-incident definition to cover integrity and security compromises, pre-positioning, and ransomware, building on the framework that reached an earlier stage in March and the £14.7bn UK cyber sector the government counted last month .

The ransomware-payment ban for CNI (critical national infrastructure) operators, and the economy-wide payment-reporting duty the government consulted on, are absent from the published bill text 2. That gap matters because mandatory payment reporting is the only instrument that collapses the distance between what victims disclose and what attackers actually claim. Without it, defenders, regulators and insurers keep working from incompatible numbers, which is precisely the visibility problem the briefing's ransomware-market section below describes.

The omission also reshapes the lobbying ahead. Industry was always going to contest the £17 million or 4%-of-turnover penalty ceiling when the bill reaches the Lords; with the payment regime already dropped, that fight now has a softer target and one fewer flank to defend. Canada's Bill C-8, building an equivalent CNI cyber framework, cleared its Senate the same week, so the Five Eyes are legislating in parallel on critical-infrastructure duties while diverging on the payment question 3.

Deep Analysis

In plain English

In the UK, critical services like power, water, hospitals, and banks are required to follow rules about cybersecurity. A new law called the Cyber Security and Resilience Bill, which the government has been developing for over a year, cleared a major stage in Parliament on 10 June 2026 and will now move to the House of Lords for further consideration. The bill widens the list of cyber incidents that organisations must report to regulators, including cases where attackers have quietly positioned themselves inside a network ahead of a future attack, alongside the existing requirement to report service disruptions. Companies found to have failed to report incidents could face fines of up to £17 million or 4 per cent of their global turnover. A proposal to require organisations to disclose when they pay a ransom to ransomware attackers was considered during development but does not appear in the published bill text. Canada passed a similar law the same week.

What could happen next?
  • Consequence

    The payment-reporting regime's absence from the Commons bill text means the UK will lack mandatory ransomware payment data collection for at least the duration of the Lords stage and likely into 2027.

    Medium term · Assessed
  • Opportunity

    Canada's Bill C-8 clearing Senate the same week creates a Five Eyes window for UKNCSC-ACSC-CCCS (Canadian Centre for Cyber Security) data-sharing on CNI incident reporting using parallel legislative frameworks.

    Medium term · Reported
  • Risk

    The £17 million fine ceiling or 4 per cent global turnover threshold aligns with GDPR enforcement levels; insurers may adjust cyber policy pricing in anticipation of enforcement rather than waiting for the Lords passage.

    Short term · Reported
First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

JURIST· 14 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.