Cybersecurity: Threats and Defences
14 Jun

UK cyber bill drops payment regime

11:51 UTC

The UK Cyber Security and Resilience Bill reached report stage and third reading in the Commons on 10 June, but the consulted ransomware-payment ban and economy-wide reporting duty are absent from the published text.

Key takeaway

The UK bill expands reporting duties but leaves the ransomware-payment ban out of the published text.

The UK Cyber Security and Resilience Bill reached its report stage and third reading in the House of Commons on Wednesday 10 June, the stage before it passes to the House of Lords 1. The bill widens the reportable-incident definition to cover integrity and security compromises, pre-positioning, and ransomware, building on the framework that reached an earlier stage in March and the £14.7bn UK cyber sector the government counted last month.

The ransomware-payment ban for CNI (critical national infrastructure) operators, and the economy-wide payment-reporting duty the government consulted on, are absent from the published bill text 2. That gap matters because mandatory payment reporting is the only instrument that collapses the distance between what victims disclose and what attackers actually claim. Without it, defenders, regulators and insurers keep working from incompatible numbers, which is precisely the visibility problem the briefing's ransomware-market section below describes.

The omission also reshapes the lobbying ahead. Industry was always going to contest the £17 million or 4%-of-turnover penalty ceiling when the bill reaches the Lords; with the payment regime already dropped, that fight now has a softer target and one fewer flank to defend. Canada's Bill C-8, building an equivalent CNI cyber framework, cleared its Senate the same week, so the Five Eyes are legislating in parallel on critical-infrastructure duties while diverging on the payment question 3.

Deep Analysis

In plain English

In the UK, critical services like power, water, hospitals, and banks are required to follow rules about cybersecurity. A new law called the Cyber Security and Resilience Bill, which the government has been developing for over a year, cleared a major stage in Parliament on 10 June 2026 and will now move to the House of Lords for further consideration. The bill widens the list of cyber incidents that organisations must report to regulators, including cases where attackers have quietly positioned themselves inside a network ahead of a future attack, alongside the existing requirement to report service disruptions. Companies found to have failed to report incidents could face fines of up to £17 million or 4 per cent of their global turnover. A proposal to require organisations to disclose when they pay a ransom to ransomware attackers was considered during development but does not appear in the published bill text. Canada passed a similar law the same week.

What could happen next?
  • Consequence

    The payment-reporting regime's absence from the Commons bill text means the UK will lack mandatory ransomware payment data collection for at least the duration of the Lords stage and likely into 2027.

    Medium term · Assessed
  • Opportunity

    Canada's Bill C-8 clearing the Senate the same week creates a Five Eyes window for UK NCSC-ACSC-CCCS (Canadian Centre for Cyber Security) data-sharing on CNI incident reporting using parallel legislative frameworks.

    Medium term · Reported
  • Risk

    The £17 million fine ceiling or 4 per cent global turnover threshold aligns with GDPR enforcement levels; insurers may adjust cyber policy pricing in anticipation of enforcement rather than waiting for the Lords passage.

    Short term · Reported
First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

JURIST· 14 Jun 2026
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.