The CMA’s announcement today (13 February 2026) of a £473,000 fine against Euro Car Parks sends a clear message to all companies about the importance of being prepared to handle statutory information requests. The CMA’s fine amounts to 75 per cent of the maximum fixed penalty. It suggests that, in line with its agenda to increase the pace of its investigatory work, the CMA will take a firm line on non-compliance regarding information notices. The company had raised cyber‑security concerns to seek to justify its failure to respond – apparently suggesting that it thought the CMA’s attempts to serve its notice were a phishing attempt – but the CMA firmly rejected the company’s arguments. 

What happened?

Euro Car Parks failed to respond to the CMA’s information notice for a number of months, despite various steps being taken by the CMA: the notice had been served on one of the company’s directors in hard copy and the CMA had attempted service by email. The company said it had blocked CMA emails because internal security protocols flagged them as suspicious. The CMA rejected the company’s arguments as not a “reasonable excuse” for non-compliance. It imposed the penalty under its new powers in the Digital Markets, Competition and Consumers Act 2024.

While a lot has already happened, this case is far from over. Euro Car Parks has already unsuccessfully sought an application to the High Court for an injunction in a failed attempt to keep its name out of the public domain. It has also appealed the CMA’s decision to the High Court. Importantly, the CMA is still reviewing information provided by the company. The CMA may ultimately conclude that Euro Car Parks has infringed consumer law, which could lead to more significant penalties, or it may not even open a formal investigation.

What are the lessons for others?

This case nonetheless demonstrates a crucial area of compliance risk: overly rigid cyber‑security filters can prevent legitimate regulatory communications from reaching decision‑makers. When this happens, businesses face serious financial and legal consequences. Companies should urgently review verification processes, escalation routes and email‑handling protocols, to ensure these do not come at the cost of blocking critical communications from regulators.

A company that fears a regulatory request may be a scam could contact the relevant regulator to check this. The CMA’s enforcement notice against Euro Car Parks states that a reasonable person would have taken steps to verify the information notice if they had any concerns about its authenticity (e.g. phoning or visiting the CMA or contacting the named CMA employees).

Failing to respond to an information notice – especially after repeated attempted contacts – in the early stages of a case when the CMA (or another regulator) is deciding whether to open a formal investigation is also likely unhelpful in terms of starting off on the back foot, in an already fraught process.