The past twelve months have marked one of the most significant periods of change across the cybersecurity landscape. The patterns observed in incidents, coupled with notable developments in cybercrime response and a fast‑intensifying global regulatory environment, point to a simple truth: the era of voluntary resilience is over. Organisations are now navigating a world in which cyber threats are more sophisticated, law enforcement is increasingly interventionist, and regulators worldwide are demanding demonstrable security maturity.
This article examines key insights drawn from the incidents that the Pinsent Masons cyber team dealt with in 2025, the evolving cooperation model between corporates and law enforcement, and the sweeping global regulatory reforms reshaping compliance in 2026 and beyond. It draws from the team’s seventh annual cyber report: https://www.pinsentmasons.com/thinking/special-reports/cyber-annual-report
- Incident Trends: What 2025 Taught Us
Ransomware Dominance—But With Evolving Tactics
Ransomware remained the single most common incident type we handled in 2025, accounting for 52% of all our matters. But beneath this familiar statistic lies a notable shift: the methods used by threat actors changed significantly. Encryption, previously ubiquitous, occurred in only 74% of our cases — down from 100% the previous year. Instead, attackers increasingly relied on extortion‑only models, stealing data without encrypting systems or disabling access.
Data exfiltration also declined from 83% in 2024 to 59% in 2025. This reduction may reflect modified threat actor strategies, but it also highlights the complexity of supply‑chain breaches. In 15% of ransomware matters, it was unknown whether exfiltration took place, often because third‑party providers — rather than the affected organisations themselves — held the forensic evidence.
Meanwhile, Akira remained the most active threat actor, appearing in 26% of our cases, with a long tail of emerging groups making attribution more fragmented than ever.
Business Email Compromise Decline, Supply‑Chain Breaches Surge
One of the most striking trends was the steep rise in supply‑chain incidents. These represented 19% of all matters in 2025, compared to only 6% in 2024. Many involved vulnerabilities in widely used third‑party tools, including notable incidents linked to the Oracle E‑Business Suite. This reflects a major shift in the cyber risk landscape: organisations are increasingly exposed not through their own systems, but through the sprawling software and service ecosystems they depend on.
Business Email Compromise (BEC) incidents decreased from 26% in 2024 to 17% in 2025, and invoice fraud was present in a third of BEC cases.
Credential stuffing and system misconfigurations remained persistent sources of compromise. Ethical‑researcher disclosures—where security researchers alerted companies to vulnerabilities—also increased, showing the growing role of external security communities in risk detection.
Affected Sectors and Root Causes
The healthcare sector accounted for the largest share of our incidents at 13%, followed closely by retail. This aligns with high‑profile attacks seen globally throughout the year. Technology and financial services remained consistently targeted.
As in previous years, exploitation of vulnerabilities was the most common root cause, followed by incidents where the cause was unknown—often due to opaque third‑party environments. Phishing continued to be a persistent contributor, underscoring the ongoing need for robust user‑centric controls.
Insurance and Ransom Payments
Cyber‑insurance uptake increased from 78% to 83%, although among clients who chose to pay a ransom, coverage dropped from 100% to 86%, suggesting organisations are reassessing the role insurance plays in ransom decision‑making.
Ransom demands fell noticeably: the highest observed was $5 million, dramatically lower than the $70 million peak seen the previous year. A quarter of victim organisations paid ransoms, consistent with 2024.
Regulatory Scrutiny Intensifies
Regulatory engagement increased substantially, with 78% of all incidents requiring notification to data protection regulators (up from 54% in 2024), and the average investigation timeline increased from 35 to 49 days.
Regulators increased their technical scrutiny, demanding detailed evidence relating to multi‑factor authentication, security controls, forensic findings, and remediation measures. There was also a resurgence in requests for forensic reports—something that had decreased in prior years.
Non‑data protection regulators were notified in 29% of cases, double the previous year, reflecting heightened expectations in sectors handling higher volumes of personal data.
Post‑Breach Litigation and Recovery Efforts
Data subject notifications rose sharply to 44%, particularly in sensitive data sectors like healthcare. Yet claims remained relatively rare: in one matter, only 50 claims followed 300,000 notifications.
Notably, there was an increase in claims against third‑party providers. Five such matters were pursued in 2025, up from three the year before. Organisations increasingly sought recovery for losses by examining contractual obligations, service standards, and liability caps. This trend is expected to accelerate in 2026 as supply‑chain risk continues to dominate the incident landscape.
- Cybercrime and Cooperation with Law Enforcement
A More Active Enforcement Landscape
This year’s report had a focus section on UK law enforcement. 2025 saw a significant increase in UK law enforcement activity. The National Crime Agency (NCA) reported a 34% rise in interventions, including 12 high‑impact cybercrime disruptions targeting major threat actors.
Cybercrime investigations increasingly focused on ransomware, technology‑enabled fraud, and organised crime groups operating across borders.
The Growing Role of Real‑Time Cooperation
A major theme emerging in 2025 was the value of real‑time collaboration between victim organisations and specialist law enforcement units.
Engagement during an incident can:
- provide critical intelligence about threat actors
- help organisations understand whether other victims are affected
- enable coordinated international disruption efforts
- assist in identifying domestic participants who facilitate attacks
Law enforcement can act swiftly when victim organisations provide logs, forensic reports, system artefacts, and witness evidence, but this cooperation also raises challenges around privilege, confidentiality, and future disclosure obligations.
Navigating the Computer Misuse Act and Cross‑Border Cases
The Computer Misuse Act 1990 remains the UK’s primary cybercrime legislation, with penalties up to life imprisonment for the most serious offences. Crucially, UK courts have jurisdiction even when attackers operate abroad, provided there is a “significant link” to the UK—such as a UK‑based victim or infrastructure.
Mutual Legal Assistance Treaties (MLATs) and Joint Investigation Teams have become essential tools for tackling international cybercrime, especially for ransomware groups based overseas.
Corporate Cooperation Principles
Organisations working with law enforcement must:
- preserve relevant digital evidence
- avoid compromising criminal investigations
- engage legal specialists to manage privilege and disclosure
- anticipate that forensic reports may later be shared with defendants
- consider money‑laundering, sanctions, and terrorist‑financing risks when interacting with threat actors
The shift is clear: law enforcement now expects proactive engagement, not passive reporting.
- The Global Cyber Regulatory Landscape
2025 brought a wave of significant regulatory change across all major jurisdictions. Cybersecurity is no longer treated as a technical issue but as a core component of national security, economic stability, consumer protection, and corporate governance.
Expanding Cyber Obligations Worldwide
Regulatory frameworks have converged around common themes:
- stricter governance requirements
- accelerated incident reporting timelines
- broader sectoral scope, especially supply‑chain and digital services
- severe penalties for non‑compliance
- greater personal accountability for senior management
Europe: The NIS2 Revolution, the EU Digital Omnibus and the Cyber Resilience Act
The NIS2 Directive is the EU’s sweeping cybersecurity reform. Key elements include:
- mandatory risk‑management measures across supply chains
- 24–72‑hour incident reporting
- personal liability for management
- fines up to €10 million or 2% of global turnover, aligning with GDPR-style sanctions.
Member states have been slow to transpose NIS2 into national law, meaning 2025 was a “pre‑compliance” year for many organisations. Germany implemented NIS2 at the end of last year, with full implementation in the Netherlands, France, Spain, and Ireland expected in 2026.
The Cyber Resilience Act (CRA) establishes comprehensive cybersecurity standards for products with digital components, requiring “security by design,” conformity assessments, CE marking, and 24-hour vulnerability reporting. Non-compliance can result in significant fines of up to €15 million or 2.5% of global annual turnover. Companies must assess at an early stage whether their products fall within the scope of the CRA and adapt their product development and incident response processes to meet these new requirements.
Against this backdrop of increasing regulation, the EU Digital Omnibus proposal aims to streamline cyber incident reporting by aligning GDPR breach thresholds, extending notification periods from 72 to 96 hours, and introducing a unified portal for reporting under multiple regulations (GDPR, NIS, DORA, eIDAS and CER).
United Kingdom: The Cyber Security and Resilience Bill
The UK is diverging from the EU through its Cyber Security and Resilience Bill (CSRB), which updates the UK’s NIS Regulations. It includes:
- expanded coverage, including MSPs and data centres, although the UK has not opted for the breadth of sectors in the EU’s NIS2
- a two‑tier penalty model – up to £17 million or 4% of global turnover for more serious infringements or up to £10 million or 2% of global turnover for less serious infringements
- more powerful regulator intervention rights
- 24‑ and 72‑hour reporting timelines
Royal Assent is expected in 2027, giving organisations time to prepare during 2026.
Asia-Pacific: Rapid Modernisation
Jurisdictions across APAC advanced aggressive reforms:
- Australia introduced ransomware payment reporting and tightened critical infrastructure controls.
- Singapore amended its Cybersecurity Act to include two‑hour reporting for critical systems and expanded regulator powers.
- China increased penalties, introduced AI‑related cyber rules, and strengthened cross‑border data transfer rules.
- Hong Kong enacted its first full cyber security law, imposing mandatory audits and strict risk‑management requirements on critical infrastructure.
Middle East & Africa: Building Resilience
Countries including the UAE, Qatar, and Saudi Arabia introduced stricter cybercrime laws, enhanced national cybersecurity controls, and new sector‑specific regulations. Enforcement is expected to increase in 2026 as regulatory frameworks mature.
United States: From Guidance to Mandatory Compliance
The U.S. is also experiencing regulatory change:
- new SEC rules required disclosure of material incidents and annual cyber‑risk reporting
- state privacy laws now mandate cybersecurity audits and risk assessments
- federal agencies are expanding enforcement, especially in healthcare and consumer protection
Dozens of incident disclosures and multi‑million‑dollar penalties were issued in early 2025 alone.
Conclusion: A New Era of Cyber Accountability
The developments of the past year reveal a decisive shift. Cyber risk has become a board‑level issue, law enforcement expects active cooperation, and regulators across the globe are no longer tolerating fragmented or reactive security practices.
Across all regions, three themes dominate:
- The threat landscape is escalating, with supply‑chain compromise and ransomware still at the forefront.
- Regulators are increasingly interventionist, demanding technical evidence, oversight of third‑party risk, and detailed incident reporting.
- Compliance and resilience must become integrated, with security‑by‑design and governance‑by‑default embedded throughout organisations.
For businesses, the challenge ahead is substantial—but so are the opportunities. Those that invest early in robust governance, tested incident response, strong vendor management, and international compliance alignment will be best placed to thrive in 2026’s transformed cyber environment.
Our 2026 annual report (together with previous editions) can be found here: https://www.pinsentmasons.com/thinking/special-reports/cyber-annual-report
This ITechlaw article was written by members of the Pinsent Masons cyber team:
Stuart Davey, Partner
David McIlwaine, Partner
Anna Flanagan, Legal Director
Julia Varley, Senior Associate
The information in this article is for general informational purposes only and does not constitute legal advice, nor does it create an attorney-client relationship. The information is from Pinsent Masons, and does not reflect the views or opinions of ITechLaw.