ARTICLE
8 August 2025

UK Government Looks Set To Introduce Ransomware Payment Ban And Mandatory Reporting

KL
Herbert Smith Freehills Kramer LLP


Ransomware remains one of the UK's most serious and disruptive cyber risks, with high-profile attacks on retailers, hospitals and government services underscoring the significance of the threat. Over the past year, the UK government has signalled its intent to adopt a more interventionist approach to tackling ransomware. We have been tracking this closely: first when the government signalled its intent to consult, and then when it launched the consultation itself, floating concrete proposals to restrict ransom payments and compel greater transparency.

The government has now published its response to the consultation, based on the 223 submissions received. While it does not confirm which measures will be adopted, it offers important insight into the direction of travel for UK ransomware policy. Overall, the proposed measures, aimed at "smash[ing] the cyber criminal business model"1, were broadly supported in the public consultation and mark a significant shift toward a more proactive stance by the government in tackling ransomware, with the intent of preventing attacks by making them less attractive to threat actors.

In this blog, we unpack the proposed measures, the implications for organisations and key concerns as the UK moves forward with these counter-ransomware initiatives.

The proposed measures at a glance

Following a 12-week consultation (Jan – April 2025), the government looks set to take three main proposals forward:

  1. A targeted ban on ransomware payments
    Publicly funded bodies and operators of critical national infrastructure (CNI), including the NHS, schools, local councils and private entities that provide critical services2, would be prohibited from paying ransoms. This ban is intended to "strike at the heart of the cybercrime business model" by removing the financial incentive for attackers to target vital services. The consultation found that 72% of respondents support such a targeted ban3. Notably, while the ban focuses on public and CNI organisations, the consultation also floated the option of a broader ban covering all UK businesses. The government does not propose to adopt that option at this stage, which may suggest lukewarm support for it.
  2. Pre-payment notification for the private sector
    Private companies not in scope of the targeted ban would be required to notify the authorities before paying a ransom. This would allow the government to block a payment in certain circumstances (for example, where the recipient is a sanctioned entity) or, where no block is warranted, to offer guidance and advice before the victim decides to pay. 47% of respondents were in favour of an economy-wide payment notification regime4, though some were sceptical about how effective it would be in deterring criminals or enabling law enforcement action. The regime stops short of an outright ban on payments but introduces a new compliance step that companies must integrate into their incident response plans. Respondents raised concerns about potential delays to time-sensitive decision-making and called for clarity on process and timings (for example, how long the government would take to decide whether to block a payment)5.
  3. Mandatory ransomware incident reporting
    All ransomware attacks, regardless of whether a ransom is paid, would need to be reported within a set timeframe. 75% of respondents considered a 72-hour window for a victim to make an initial report of a suspected ransomware attack to be reasonable6. What qualifies as "suspected", and the point at which an organisation is taken to believe it is dealing with a ransomware incident, will need further clarity. Meanwhile, 63% of respondents thought that mandatory reporting should be limited to ransomware incidents rather than extended to all forms of cyber incident (such as phishing, hacking and so on)7.

It is expected that these measures will be further developed in the coming months. The government has confirmed that it will collaborate closely with industry as it refines the details (for example, whether supply chains are covered, how CNI is defined, the exact reporting process and the penalties for non-compliance).

What does this mean for public bodies, CNI and the private sector?

Many central government departments in the UK are already barred from paying ransoms, but extending this across the whole of the public sector means every public body must be prepared to weather a ransomware attack without resorting to payment. The government hopes this will reduce the appeal of these targets to attackers, but that assumption remains untested. On the other hand, if payment is off the table, an attack on a critical national infrastructure entity covered by the ban could lead to extended disruption of essential services. This has prompted calls for narrow exceptions in national security or threat-to-life situations8, and for greater investment in contingency planning.

For businesses outside the critical national infrastructure sectors (and possibly their supply chains), the proposals stop short of banning ransomware payments outright but would still impose new duties that could significantly change how companies approach ransomware incidents. Businesses would retain the legal ability to pay a ransom but would first have to notify the government of their intention to pay. In practice, this means companies will no longer be able to pay attackers discreetly to resolve an incident without the authorities knowing. Early notification could help companies get clarity on whether a ransom payment might put them in breach of sanctions or terrorism-financing laws. On the other hand, businesses voiced concerns over the practical implications of potentially having to seek pre-approval from the government: involving the authorities could complicate and slow down incident response in the heat of a crisis, especially if formal approval is required before a payment can be made.

Stakeholders raised several important concerns in the consultation:

  • The government has yet to define how these obligations will be enforced. Questions remain around proportionality (especially for victims), the risk of "re-victimising" organisations with penalties, and how enforcement will operate across borders or group structures.9
  • Organisations already face overlapping reporting duties under the GDPR, sectoral regulation and the NIS regime. Adding a standalone ransomware regime risks duplication unless processes are streamlined and thresholds clarified. There is also uncertainty around what constitutes a reportable incident and whether a failed or minor attack triggers a duty to notify.
  • Public sector and CNI organisations may not yet have the resilience needed to recover from serious attacks without resorting to payment. If a ban is imposed without clear exceptions, essential services could face prolonged disruption. On the other hand, exceptions risk exacerbating attacks rather than reducing them: threat actors may conclude that a more serious attack is needed to bring the victim within an exception. It is not entirely clear from the proposals how (if at all) exceptions will develop, given that respondents to the government's consultation were almost evenly split on whether there should be any.10

Next steps for businesses

Simply banning payments or mandating reports does not by itself make organisations safer. All a ban really does is remove one remediation option; the hope that this will make the affected entities less attractive targets rests on the assumption that threat actors select specific victims rather than relying on opportunistic compromise. The risks are obvious. Either threat actors mount more serious attacks, such that payment is the only way to avoid continuing disruption, or they turn their attention to the private sector, which is not covered by the ban, or both. A ban also does nothing to disincentivise attacks that are not aimed at extorting a ransom, such as nation-state attacks, man-in-the-middle and fraud attacks aimed at stealing money, or politically motivated "hacktivist" attacks.

Businesses therefore still need to focus on improving their cyber defences and response readiness. The consultation process highlighted the importance of measures such as modernising IT infrastructure, using up-to-date security tools, maintaining offline backups and having well-rehearsed incident response plans. These basic hygiene practices are more crucial than ever, given that paying a ransom may soon be off the table for some organisations, or at least subject to greater scrutiny.

Footnotes

[1] https://www.gov.uk/government/news/uk-to-lead-crackdown-on-cyber-criminals-with-ransomware-measures

[2] See the government's definition of critical national infrastructure.

[3] Government response to the ransomware consultation, page 6 and 14.

[4] Government response to the ransomware consultation, page 28 and 41.

[5] Government response to the ransomware consultation, page 7.

[6] Government response to the ransomware consultation, page 53.

[7] Government response to the ransomware consultation, page 56.

[8] Government response to the ransomware consultation, page 24.

[9] Government response to the ransomware consultation, page 8 – 9.

[10] Government response to the ransomware consultation, page 24.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.