Andrea James, Andrew Darwin & Anna McKibbin
Keynote
10 Jun 2026
On 29 April 2026, the Crime and Policing Act 2026 (CPA 2026) received Royal Assent, bringing a marked shift in the UK’s approach to corporate criminal liability and enforcement. The reform forms part of a broader Government strategy to ensure that the police and courts have the necessary powers to tackle serious and organised crime.
From 29 June 2026, organisations face a materially broader and more realistic risk of prosecution based on how they are managed in practice, not just how they are structured on paper. The CPA 2026 introduces new powers aimed at tackling organised crime – including new offences targeting technology-enabled theft and suspension of access to domain names and IP addresses linked to serious crime – significantly increasing investigation, enforcement, and reputational risk for organisations operating in the UK.
This Keynote considers what the CPA 2026 means for business crime, how it reshapes the attribution of criminal liability, and what organisations should be doing now to manage the increased risk of investigation and prosecution.
While much of the CPA 2026 will come into force on dates to be appointed by the Secretary of State, section 250 comes into force on 29 June 2026. Section 250 replaces sections 196 to 198 of the Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023) with a new test for corporate criminal liability: where a “senior manager” of a body corporate or partnership acts within the actual or apparent scope of their authority and commits an offence under the law of England and Wales, Scotland or Northern Ireland, the organisation also commits the offence.
For these purposes, a “senior manager” means an individual who plays a significant role in making decisions about how the whole or a substantial part of the organisation’s activities are to be managed or organised, or in actually managing or organising those activities. The definition of senior manager is role‑based, not title‑based, focusing on individuals who exercise significant decision‑making or operational control over all or a substantial part of the organisation. It is likely that early prosecutions will involve litigation around what constitutes a “substantial part” of an organisation’s activities and whether an individual was acting within the scope of their actual or apparent authority.
Importantly for businesses, section 250 extends statutory corporate criminal liability to all criminal offences, replacing the narrower regime under the ECCTA 2023, which applied only to economic crimes.
The clearest illustration is gross negligence manslaughter. The Corporate Manslaughter and Corporate Homicide Act 2007 was introduced to address the challenge, but even it required proof that senior management arrangements were grossly deficient and causative of the death. Under the new law, where a senior manager whose role includes responsibility for operational safety commits the offence within the actual or apparent scope of their authority, section 250 may attribute it directly to the organisation, bypassing both hurdles. The exposure is most acute for organisations in higher-risk sectors such as construction, manufacturing, energy and transport.
The breadth of exposure is, however, subject to limited statutory exclusions. An organisation will not commit an offence where all relevant conduct occurs outside the UK and where the organisation would not commit the offence if that conduct were the organisation’s (rather than the senior manager’s). The senior manager need not have been authorised to commit the offence itself; it is sufficient that the act was of the type that the manager was authorised to undertake, or which a person in that position would ordinarily undertake. There is no reasonable or adequate procedures defence for this form of liability, meaning that an organisation may be criminally liable even where robust compliance frameworks are in place.
The reforms address long-standing imbalances that favoured large corporates with diffuse governance models. Historically, the identification principle required prosecutors to show that an offence was committed by an individual representing the company’s “directing mind and will”, and that threshold was exceptionally high. The Government acknowledged that this approach no longer reflected the reality of modern corporate governance. In large and complex organisations, decision‑making authority is frequently dispersed across senior operational and functional roles rather than concentrated at board level. This created an imbalance whereby smaller businesses were more readily prosecutable, while larger corporates could rely on dispersed governance arrangements to frustrate attribution of liability. The ECCTA 2023 first placed the attribution of liability for economic crimes on a statutory footing, and now the CPA 2026 completes that reform.
The CPA 2026 gives law enforcement agencies greater scope to disrupt large-scale criminal activity facilitated through technology and cross‑border digital infrastructure.
With organised vehicle theft being a significant driver of serious and organised crime and a source of substantial economic harm, new offences under the CPA 2026 criminalise the possession, manufacture, importation, or supply of electronic devices intended for vehicle theft, such as signal jammers, carrying penalties of up to five years’ imprisonment and unlimited fines.
The CPA 2026 also grants law enforcement agencies powers to obtain court orders requiring the suspension of domain names and IP addresses associated with serious crime, including where infrastructure is located overseas. For businesses, this reinforces the need to understand how domain names and IP addresses are allocated, monitored, and may be misused by third parties.
The traditional difficulty prosecutors faced in attributing criminal liability to large, complex organisations has been substantially reduced.
Exposure is no longer confined to fraud and bribery and includes areas such as health and safety, environmental matters, data protection, regulatory breaches, modern slavery and human trafficking, and other serious offences.
Compliance frameworks no longer operate as a shield to liability and greater weight will be placed on prosecutorial discretion and public interest considerations. Robust compliance controls nevertheless remain central to preventing breaches and as mitigation in the event of prosecution.
Senior operational leaders, not just board directors, can now directly expose the organisation to criminal prosecution. Consequently, boards should expect increased scrutiny of governance, delegation, and oversight arrangements.
Boards should ensure that steps are taken to:
Active board oversight of senior management authority, risk, and culture is now critical.
If you have questions or concerns about corporate crime, please contact Jonathan Chibafa.