UK law update

Crime and Policing Act 2026 and UK NDAs: What Changed on 29 June 2026

Section 250 of the Crime and Policing Act 2026 came into force on 29 June 2026, extending corporate criminal liability to all crimes via the senior manager identification doctrine. Combined with the Victims and Courts Act 2026 NDA prohibitions, these are the most significant changes to UK NDA law since October 2025.

By Richard Wood, Founder | 9 min read | Updated 29 June 2026 | Last reviewed 29 June 2026 | Crime and Policing Act 2026, UK NDA law, corporate criminal liability, Victims and Courts Act 2026

On 29 June 2026, section 250 of the Crime and Policing Act 2026 came into force, extending the reformed identification doctrine — previously limited to economic crimes — to all criminal offences. The Victims and Courts Act 2026, which received Royal Assent on 29 April 2026, adds further statutory prohibitions on what an NDA can lawfully prevent. Together, these developments represent the most significant changes to the UK NDA legal landscape since the Victims and Prisoners Act 2024 came into force on 1 October 2025.

This is general information, not legal advice

NDASafe is a document preparation service, not a law firm. Our templates are legally reviewed against applicable UK law at the point of release, but every situation is different. Where significant value, unusual risk or a cross-border element is involved, take independent legal advice before you sign.

What section 250 of the Crime and Policing Act 2026 does

Corporate criminal liability in English law has historically depended on the ‘identification doctrine’ — the principle that a company could only be held criminally liable where an offence was committed by the ‘directing mind and will’ of the organisation: typically its most senior directors. This narrow test made it extremely difficult to prosecute large companies.

The Economic Crime and Corporate Transparency Act 2023 reformed this position for a defined category of economic crimes — including fraud, bribery, money laundering and sanctions evasion — by replacing the identification doctrine with a broader ‘senior manager’ attribution rule. Under that rule, a company is criminally liable if a senior manager — a person who plays a significant role in the management of the company’s activities or in making decisions about them — commits a relevant offence within the actual or apparent scope of their authority.

Section 250 of the Crime and Policing Act 2026 extends this senior manager attribution rule to all criminal offences, not just economic crimes. From 29 June 2026:

  • Any criminal offence committed by a senior manager within the actual or apparent scope of their authority can be attributed to the company.
  • The definition of ‘senior manager’ is broad: it includes any individual who plays a significant role in the management of the whole or a substantial part of the company’s activities, or in the making of decisions about those activities — extending well beyond board directors.
  • The company’s prior knowledge is not required for liability to attach — it is sufficient that the senior manager committed the offence within the scope of their authority.
  • All companies operating in England and Wales are subject to the extended rule, including foreign companies carrying on business there.

How s.250 changes the NDA risk landscape

Section 250 has three direct consequences for UK NDA practice:

  • NDAs cannot suppress evidence of senior manager conduct: a clause purporting to prevent a party from disclosing criminal conduct by a senior manager to law enforcement, a regulator, or in legal proceedings is void. Where a company uses an NDA to conceal criminal conduct by a senior manager, the company may itself incur corporate criminal liability — the act of suppression is conduct that can attract the same attribution principle.
  • Internal investigation and disciplinary clauses need review: where an NDA restricts disclosure of information about internal compliance or disciplinary matters involving senior managers, businesses should review whether those restrictions could be construed as obstructing the reporting of criminal conduct. A blanket internal-confidentiality clause not expressly carved out for regulatory and criminal reporting is at greater risk of challenge from 29 June 2026.
  • Settlement NDAs following senior manager misconduct: settlement agreements containing confidentiality clauses that address conduct by a senior manager require careful review. If the underlying conduct could constitute a criminal offence, a clause prohibiting disclosure to the police or a regulator is void — and, under the new regime, potentially evidence of the company’s own criminal liability.

The Victims and Courts Act 2026: NDA prohibitions

The Victims and Courts Act 2026 received Royal Assent on 29 April 2026. Its NDA-related provisions build on the Victims and Prisoners Act 2024, which came into force on 1 October 2025 and which NDASafe’s Employee NDA already reflects in its mandatory carve-outs.

The key NDA prohibitions under the Victims and Courts Act 2026 are:

  • NDAs cannot prevent a victim disclosing to law enforcement: any clause purporting to prohibit a person who is a victim of a criminal offence from reporting to the police or any other law enforcement agency is void.
  • NDAs cannot prevent disclosure to a lawyer: a victim must be able to obtain legal advice about the crime and about the NDA itself without breaching the agreement. Any clause preventing disclosure to a qualified legal adviser is void.
  • NDAs cannot prevent access to a regulated support service: the victim must be able to access mental health support, counselling, a rape crisis centre, a domestic abuse service or any other regulated support organisation without breaching the NDA.
  • NDAs cannot prevent disclosure to a regulator or healthcare provider: reporting the crime to an appropriate regulator and disclosing to a treating healthcare provider are both protected disclosures.
  • The prohibition applies regardless of what the NDA says: these carve-outs operate as a matter of statute. A clause in an NDA that expressly attempts to restrict any of these disclosures is void and unenforceable. It does not matter that the parties agreed to it or that the clause is clearly worded.

Pre-October 2025 NDA templates may already be non-compliant

The Victims and Prisoners Act 2024 came into force on 1 October 2025. Any NDA signed after that date should already contain victim-reporting carve-outs. The Victims and Courts Act 2026 extends those protections further. NDAs drafted from templates that pre-date the VPA 2024 may still contain clauses that are now void by statute — those clauses cannot be enforced regardless of whether the NDA document has been updated.

Practical impact on NDAs from 29 June 2026

For NDAs signed on or after 29 June 2026, four considerations apply:

| Change | What it means in practice |
| --- | --- |
| Extended corporate liability via senior manager attribution (s.250 CPA 2026, in force 29 June 2026) | Companies can be held criminally liable for offences by senior managers in the scope of their authority. An NDA used to suppress that liability itself becomes evidence of corporate criminal conduct. |
| Victims and Courts Act 2026 NDA prohibitions | Any clause preventing a crime victim from disclosing to law enforcement, a lawyer, a regulated support service, a regulator or a healthcare provider is void by statute. |
| Void clauses do not automatically void the whole NDA | English courts apply the severance doctrine: void clauses are struck out and the rest of the NDA continues. A court may decline to sever a void clause if doing so would fundamentally alter the character of the agreement. |
| Mandatory carve-outs must be present in NDAs signed since 1 October 2025 | NDAs signed on or after 1 October 2025 should already include victim-reporting carve-outs under the VPA 2024. The VCA 2026 extends what those carve-outs must cover. NDASafe templates include these as mandatory clauses. |

Why NDASafe templates include these carve-outs by default

Every NDASafe NDA template includes the following mandatory carve-outs, documented in each template’s guidance notes and marked as mandatory in the document itself:

  • Whistleblowing carve-out (PIDA 1998): present in all Employee and Freelancer NDAs. A party may make a qualifying protected disclosure under the Public Interest Disclosure Act 1998 regardless of the confidentiality obligations.
  • Regulatory disclosure carve-out: present across all variants. A party may disclose to any regulatory body with jurisdiction over their activities, including the FCA, the ICO, the SRA, and sector regulators.
  • Crime victim reporting carve-out (VPA 2024 / VCA 2026): present in the Employee NDA and updated to reflect the Victims and Courts Act 2026. A party who is a victim of a criminal offence may report to the police, disclose to a qualified legal adviser, access a regulated support service, and disclose to a healthcare provider — all without breaching the NDA.
  • Law enforcement cooperation: present across all variants. A party may cooperate with any law enforcement investigation, court order or legally compelled disclosure.
  • These clauses cannot be removed: a customer who deletes a mandatory clause from their downloaded template does so at their own legal risk; NDASafe does not endorse modified versions.

Which NDASafe template to use

The CPA 2026 and VCA 2026 changes are relevant across all NDA contexts. The most directly affected templates are:

  • Employee NDA (£29): the most directly affected template. Includes mandatory whistleblowing, regulatory, victim-reporting and law enforcement carve-outs updated to reflect the VCA 2026. Use for employment NDAs, post-termination confidentiality, and settlement agreements with confidentiality clauses covering senior manager conduct.
  • Mutual NDA (£29): includes regulatory and law enforcement carve-outs. The right choice for commercial NDAs between businesses where either party employs senior managers in scope of the CPA 2026 attribution rule.
  • One-Way NDA, Disclosing (£29): includes standard carve-outs. Where the disclosing party employs senior managers, the NDA must not purport to restrict internal reporting of criminal conduct by those individuals.
  • Freelancer NDA (£29): includes whistleblowing and victim-reporting carve-outs for self-employed contractors, including individuals engaged in a capacity that may meet the ‘senior manager’ definition under s.250.
  • Complete NDA Bundle (£79): all eight variants with current mandatory carve-outs. The right choice for businesses that use NDAs across multiple contexts and want assurance that all templates reflect the law as at 29 June 2026.

UK NDA templates reflecting the Crime and Policing Act 2026 — legally reviewed, instant download

NDASafe's NDA templates include mandatory victim-reporting, whistleblowing, regulatory and law enforcement carve-outs consistent with the Victims and Prisoners Act 2024, the Victims and Courts Act 2026 and the corporate criminal liability regime under the Crime and Policing Act 2026. Single template £29. Complete bundle (all 8 variants) £79. Delivered instantly as an editable Word (.docx) file.

Frequently asked questions

What does section 250 of the Crime and Policing Act 2026 do?

Section 250 extends the senior manager identification doctrine — previously limited to economic crimes under the Economic Crime and Corporate Transparency Act 2023 — to all criminal offences. From 29 June 2026, a company can be held criminally liable for any offence committed by a senior manager acting within the actual or apparent scope of their authority. This is a significant expansion of corporate criminal liability beyond the narrow 'directing mind and will' test that applied before 2023.

Does the Crime and Policing Act 2026 make my existing NDA unenforceable?

Not automatically. Existing NDAs are not voided by s.250. However, any clause in an NDA that purports to prevent disclosure of criminal conduct to the police or a regulator was already void under the Victims and Prisoners Act 2024 (in force 1 October 2025). The new corporate liability regime adds a further consequence: a company that uses an NDA to suppress evidence of a senior manager's criminal conduct may itself be criminally liable.

What does the Victims and Courts Act 2026 mean for NDAs?

The Victims and Courts Act 2026 builds on the Victims and Prisoners Act 2024 by imposing further statutory restrictions on what NDAs can lawfully prohibit. An NDA cannot prevent a person who is a victim of a criminal offence from disclosing to the police, a lawyer, a regulated support service, a healthcare provider, or a regulator. Any clause purporting to restrict these disclosures is void by statute regardless of what the NDA says.

Do NDAs signed before 29 June 2026 need to be updated?

Pre-existing NDAs are not automatically invalid. However, any clause purporting to prevent crime reporting was already void under the VPA 2024 from 1 October 2025. Businesses using NDA templates that pre-date October 2025 should check whether their templates include the mandatory statutory carve-outs now required by UK law. NDASafe templates include these as mandatory clauses.

Can an NDA prevent a senior manager from reporting a crime under the Crime and Policing Act 2026?

No. An NDA cannot prevent a senior manager — or any employee or contractor — from reporting a criminal offence to the police or cooperating with a regulator. Under the new regime, a company that uses an NDA to suppress such a report may itself face criminal liability under the senior manager attribution rule. Any NDA clause purporting to restrict crime reporting by a senior manager is both unenforceable and potentially evidence of corporate criminal conduct.
