UK forges ahead with partial ransomware payment ban


The UK government is set to implement new measures to tackle the growing threat of ransomware attacks, introducing a partial ban on ransom payments and mandatory reporting requirements for private sector organisations.

The proposals, revealed following a consultation that closed in April 2025, represent one of the UK’s most significant policy shifts to date in the fight against cybercrime.

Under the new rules, public sector organisations—including NHS trusts, local authorities, schools, and other operators of critical national infrastructure (CNI)—will be banned from making any form of ransomware payment to cybercriminals.

In contrast, private sector organisations will not be banned from paying but will be legally required to notify the government of any ransom payment they intend to make.

The announcement, made via a government press release, states the changes are aimed at “cracking down on cyber criminals and safeguarding the public,” particularly in the wake of increasingly severe and high-profile attacks targeting everything from supermarkets to healthcare providers.

Why the ban?


The government argues that banning payments by public bodies cuts off the financial lifeline that makes ransomware such an attractive criminal enterprise. According to Security Minister Dan Jarvis, “Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on.”

Jarvis added that the measures aim to “smash the cybercriminal business model” by making UK public services a less appealing target.

Under the new rules, public sector organisations such as NHS trusts will be banned from making ransomware payments.


The move follows notable incidents involving organisations like the Co-op and Marks & Spencer (M&S), both of which were hit by ransomware earlier this year. M&S, notably, has refused to confirm whether it paid a ransom—something critics argue highlights the need for mandatory transparency across all sectors.

Rebecca Lawrence, chief executive of the British Library—which was the victim of a destructive ransomware attack in October 2023—voiced support for the government’s direction. “As a public body, we did not engage with the attackers or pay the ransom,” she said. “We are committed to sharing our experiences to help protect other institutions and build resilience.”

Mandatory reporting for private sector


For the private sector, the government is introducing a mandatory reporting regime that will require companies to notify authorities if they intend to make a ransom payment. The rationale, according to the government, is twofold: to help law enforcement track ransomware activity and to ensure payments do not inadvertently breach sanctions, particularly in cases involving cybercriminals linked to hostile states such as Russia.

Supporters of the reporting requirement, like former National Cyber Security Centre (NCSC) CEO Ciaran Martin, believe it’s a pragmatic step.

Earlier this year, speaking with TI, Martin said: “I can’t see the case against [mandatory reporting]. We need to measure the size of the problem. I don’t see how you can pay some of these sums and not disclose them.”

The current director of National Resilience at NCSC, Jonathon Ellison, echoed this view: “These new measures help undermine the criminal ecosystem that is causing harm across our economy.”

An industry divided…


Yet not everyone is convinced the measures will work as intended. Private sector cybersecurity advisors have raised concerns that the reporting rules could have unintended consequences and even criminalise victims.

Mark Jones, a partner at Payne Hicks Beach, said: “It is unusual for victims of a crime to be required by law to report that they have been a victim. Banning ransom payments risks criminalising the victims and may push ransomware groups further underground.”

Jones also referenced a survey in Italy, where payments are banned under existing laws but 43% of companies still admit to paying. “A key difficulty remains with holding the cyber criminals to account. More often than not, they are based in foreign jurisdictions with no international cooperation in place,” he added.

After suffering a cyberattack in April, M&S did not disclose whether or not it paid the ransom.


Kev Breen, senior director at Immersive, questioned the practical impact of the measures. “If the option is to recover quickly by paying versus not being able to recover because you’re banned from doing so, the temptation may be to pay and simply not report it,” he said.

Breen also warned that payment bans could provoke ransomware gangs into using “more brutal and destructive tactics.”

Earlier this year, Edward Lewis, CEO of CyXcel, a global cybersecurity consultancy, told TI that the policy was “a good thing in principle,” but warned of real-world risks. “We’ve seen how fragile many organisations are. Without proper contingency plans, being unable to pay a ransom could mean going out of business.”

Others, like Adam Blake, CEO of ThreatSpike, fear the measures could be easily circumvented. “Entities like schools and hospitals rely on managed IT providers, who may themselves become ransomware targets. If these MSPs aren’t covered under the ban, the policy won’t be fully effective.”

Potential ripple effects


Speaking at an event at RUSI in April this year, Verona Johnstone-Hulse, head of government affairs at NCC Group, flagged the risk of displacement. “If successful, the ban could displace attacks onto sectors that aren’t considered critical but are vital to the economy—like manufacturing or SMEs,” she said.

At the same event, Jamie MacColl, a research fellow at the Royal United Services Institute (RUSI), explained the government’s logic: “We can’t arrest our way out of the problem,” he said, “but we can stop the flow of money.”

Nevertheless, the policy’s success may hinge not only on compliance but also on whether sufficient support is given to organisations in the event of an attack. The government has emphasised the need for all organisations to maintain tested offline backups and continuity plans.

The road ahead


As the UK becomes one of the few countries to partially restrict ransomware payments, it will be closely watched by allies. Australia, which consulted on a similar ban, ultimately opted for mandatory reporting only. Whether the UK’s more aggressive approach proves effective may shape future international policy.

For now, businesses—particularly in enterprise IT and infrastructure—face a new compliance burden. But for many, the measures mark an overdue push toward resilience in the face of a growing and evolving threat.

As the Co-op’s CEO Shirine Khoury-Haq noted: “What matters most is learning, building resilience, and supporting each other to prevent future harm. This is a step in the right direction.”
