No Middle Ground – the DPA Gap, International Exposure, and What Section 250 of the Crime and Policing Act 2026 Means Beyond the UK

This article examines two structural consequences of the universal senior manager attribution test introduced by section 250 of the Crime and Policing Act 2026 (the CPA). First, the “DPA gap”: for the majority of offences now captured by section 250, no deferred prosecution agreement (DPA) is available, leaving organisations with a binary outcome of conviction or acquittal. Second, international reach: section 250 is not limited to UK-incorporated entities and can engage overseas organisations whose senior managers have UK-law exposure. It also examines how the failure to prevent framework sits alongside the new regime and where the critical differences in protection lie.

The “DPA Gap”

DPAs, introduced by the Crime and Courts Act 2013, are available to the Serious Fraud Office and Crown Prosecution Service as an alternative to prosecution - the prosecution is suspended while the organisation complies with agreed terms and discontinued if those terms are met. DPAs have become the preferred resolution mechanism for major corporate cases but remain available only for the specific offences listed in Schedule 17 to the Crime and Courts Act 2013. That list does not automatically expand to capture all offences newly in scope under section 250. For the many offences now caught by the extended senior manager test that are not DPA-eligible - including health and safety, data protection, environmental, modern slavery, and competition law violations - an organisation faces a binary outcome: conviction or acquittal. The absence of a DPA pathway across this range requires a fundamental reassessment of how criminal risk is managed and resolved.

A further consequence is the risk of parallel enforcement. For many offences now in scope, including data protection, health and safety, environmental, and competition law, criminal prosecution under the CPA will sit alongside regulatory enforcement by the Information Commissioner’s Office, Competition and Markets Authority, Health and Safety Executive or Environment Agency. Organisations should anticipate coordinated or concurrent action and manage both tracks from the outset.

The International Dimension

Section 250 is not confined to UK-incorporated entities. Any body corporate or partnership, wherever incorporated or registered, whose senior managers operate within the scope of UK criminal law is potentially subject to the attribution test. Three principal routes bring an overseas organisation within the CPA’s reach: first, where it carries on business in the UK through a branch, subsidiary, or regular UK client-facing activity; second, where a senior manager’s act or omission has effect in the UK, even if the decision was made abroad; and third, where the offence has its own extraterritorial reach under UK statute, engaging section 250 attribution for the organisation.

Fraud offences under the Fraud Act 2006 have well-established extraterritorial reach where a false representation is communicated to or has effect in the UK. Bribery offences under the Bribery Act 2010 apply where there is a UK nexus. Computer Misuse Act 1990 offences may be committed from abroad where a targeted computer is in the UK. Data Protection Act 2018 offences apply irrespective of where processing occurs. In each case, where the underlying offence is established against a senior manager of an overseas organisation, section 250 attribution follows.

International organisations that have assessed their UK criminal exposure solely by reference to their UK subsidiaries should recognise that the attribution test can reach the parent entity itself where its own senior managers have UK-law exposure. A formal UK establishment is not required: a pattern of UK-directed activity by senior managers - traveling to the UK, attending meetings, executing transactions, or making decisions affecting UK operations - may be sufficient.

The Failure to Prevent Framework

Alongside section 250, organisations remain subject to three statutory regimes imposing liability for failure to prevent specific categories of criminal conduct. The critical structural difference is that each provides an affirmative defence - absent from section 250 - where the organisation demonstrates it had adequate or reasonable prevention procedures in place.

The Three Regimes in Outline

Failure to Prevent Bribery (Bribery Act 2010)

A relevant commercial organisation commits an offence where an associated person bribes another intending to obtain or retain business or a business advantage for the organisation. The only defence is “adequate procedures” designed to prevent such conduct. Conviction carries an unlimited fine.

Failure to Prevent the Facilitation of Tax Evasion (Criminal Finances Act 2017)

An organisation commits an offence where an associated person acting in that capacity criminally facilitates tax evasion by a third party. There are separate offences dealing with UK and foreign tax evasion offences. The only defence to both is “reasonable prevention procedures”. The offences apply to all bodies corporate and partnerships and carry an unlimited fine.

Failure to Prevent Fraud (Economic Crime and Corporate Transparency Act 2023, s.199)

In force since September 1, 2025, this offence applies to “large organisations” (satisfying two of: more than 250 employees; turnover exceeding £36 million; balance sheet total exceeding £18 million). An organisation is liable where an associated person commits a fraud offence - including fraud by false representation, by failing to disclose information, by abuse of position, or false accounting - for the benefit of the organisation or a client, and the organisation lacked reasonable fraud prevention procedures. Conviction carries an unlimited fine.

Taken together - the binary enforcement outcome for most offences newly captured by section 250, the reach of the attribution test to overseas organisations with no UK establishment, and the sharp contrast with the affirmative defences available under the failure to prevent regimes - these features define the structural risk landscape organisations now face.

For the priority steps your organisation should take - including guidance on senior manager mapping, compliance framework review, and incident response - please contact our London Enforcement and Investigations team.

Read more analysis of the implications of the UK Crime and Policing Act 2026 via the News & Insights tab below.