At the beginning of 2025, the UK government launched a 12-week consultation to consider new measures aimed at tackling ransomware. The objectives were clear: to reduce the flow of money to criminal groups, to improve the quality and timeliness of incident reporting, and to strengthen the country’s overall cyber resilience. The consultation closed in April and attracted more than 270 responses from across industry, the public sector, the insurance market, and the cyber-security community. While there was broad support for stronger action, respondents also raised concerns about the practical realities of dealing with a live ransomware attack, particularly when essential services are disrupted.
In July, the government announced that legislation will be introduced to ban ransom payments by public sector bodies and by operators of critical national infrastructure (CNI). This prohibition will cover organisations such as the NHS, local authorities, schools, and utilities. The intention is to remove the financial incentive for criminals to target services where public safety and continuity are at stake.
For the wider private sector, the approach will differ. Businesses will not face an outright ban on making ransom payments. However, before any payment can be made, they will be required to notify the authorities. This step will enable government to check compliance with sanctions and anti-terrorism laws, as well as to offer guidance during a period of crisis.
In addition, the government confirmed plans for mandatory incident reporting. All organisations will be required to report ransomware incidents, most likely within a 72-hour timeframe, followed by more detailed submissions as investigations progress. This reporting requirement is designed to provide law enforcement and the National Cyber Security Centre with better intelligence, improving both response capability and strategic understanding of ransomware threats.
Looking ahead, the publication of the consultation outcome marks only the beginning of the process. Draft legislation is expected in the autumn of 2025, which will provide clarity on the precise requirements, the mechanisms for reporting, and the penalties for non-compliance. Subject to parliamentary process, the earliest realistic implementation date would be early 2026, and it is likely that a short transition period will be provided to help organisations adjust their processes.
For public sector bodies and operators of CNI, it is hoped that these changes will ultimately reduce the level of ransomware threat they face. For other organisations, these developments underline the importance of preparation. Incident response plans should be reviewed now to ensure compliance with the reporting obligations and to build resilience for situations in which a ransom payment may no longer be an option. Investment in robust cyber hygiene, immutable or offline backups, and tested recovery procedures will be critical.