RUAG pays a ransom to Akira: red alert for executive boards
On 6 June 2026, RUAG confirmed it paid a ransom to the Akira gang after its US subsidiary was hit. A rare admission that makes ransomware’s economic impact concrete: paying, even a “small amount,” to retrieve data.
On 6 June 2026, RUAG confirmed on Swiss public radio SRF that it paid a ransom to the Akira gang after a ransomware attack against its US subsidiary in autumn 2025. Without disclosing the amount, chairman Jürg Rötheli called it a “small amount” and said the company “recovered all data.” This public admission is evidence of a direct economic impact beyond standard incident response costs.
The facts
The payment confirmation, reported by several outlets between 6 and 8 June 2026, shows that trade-offs between time, continuity, and costs can push leadership to pay to accelerate recovery. It also highlights the operational and reputational pressure on governance bodies.
Legal framework
- NIS 2 — incident notifications: Article 23 (early warning within 24h, notification within 72h, final report within 1 month). These milestones are transposed in Luxembourg with the ILR and SERIMA portal. See more on the NIS 2 directive and obligations.
- GDPR — personal data breach: Articles 33/34 may apply if EU personal data is affected, including via a non‑EU processor. Requirements recap on GDPR breach notifications.
- Paying ransoms: not per se prohibited in Luxembourg or by NIS 2, but strongly discouraged by authorities due to sanctions risks, criminal financing exposure, and moral hazard.
What this changes for Luxembourg companies
- Real price signal: “pay to recover” is no longer theoretical. Boards must pre‑price the full cost of non‑payment (RTO/RPO, lost revenue, penalties) and document a defensible stance.
- Extraterritorial risk: a non‑EU affiliate or provider can trigger NIS 2 and, where applicable, GDPR obligations in Luxembourg. Contractual notification clauses and immutable backups become essential.
- Regulators expect evidence: within 24h, SERIMA alert; within 72h, initial assessment; within 1 month, root cause and durable measures. Without a 24/7 SOC/SIEM and rehearsed processes, these timelines are unrealistic. Strengthen detection and response with a managed SOC with EDR/XDR.
Immediate actions this week
- Adopt a realistic “anti‑ransom” policy: non‑payment criteria, sanctions screening, linkage to cyber insurance, continuity scenarios without decryption.
- Contract critical dependencies: SLAs for ≤24h alert, ≤72h notification, 1‑month report, immutable backups, quarterly restore tests, and provision of IoCs and logs required by ILR. Bolster recovery through a business continuity and disaster recovery plan.
- Drill “T0 → T+24 → T+72 → 1 month”: ransomware tabletop with SOC/MSSP, DPO, management; measurable SERIMA content and final report objectives.
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.