UK government moves to ban ransomware payments for public sector

Introduction

The government has confirmed it will move forward with proposals for a targeted ban on ransomware payments by public sector bodies and critical national infrastructure (“CNI”) owners and operators. This forms part of a broader strategy to disrupt the business model of cyber criminals and strengthen national cyber resilience. 

This commitment is outlined in the UK government’s response (published 22 July 2025) to the Home Office's public consultation launched earlier this year to address the escalating ransomware threat. 

Consultation Proposals

The consultation ran for 12 weeks and during this period, the Home Office sought responses to three of its proposals.  You can read more details about the consultation in our previous post. The three proposals are:

  • A targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of CNI.  This ban would target cyber criminals’ business models as it would make public sector services less attractive for ransomware groups and less susceptible to attacks.
  • A new ransomware payment prevention regime to cover all potential ransomware payments from the UK.  This would require victims to report their intention to make a ransomware payment, and for support and guidance to be provided to the victim prior to allowing payment. 
  • A ransomware incident reporting regime that could include a threshold-based mandatory reporting requirement for suspected victims of ransomware.

Ransomware payment ban

The government has confirmed it will move forward with proposals for a targeted ban on ransomware payments by public sector bodies and CNI owners and operators, following strong support during the consultation.  While the proposal was broadly welcomed, respondents called for greater clarity on its scope – particularly around who would be included in such a ban, supply chains, and whether the proposal would have extraterritorial effect. 

There was positive support for including supply chains in the ban, although respondents noted that suppliers could require additional support given the complexities of implementation. The government is currently reviewing existing frameworks, including the Cyber Security and Resilience Bill (“Bill”) and other sector-specific reporting requirements to inform its approach for supply chains.

Opinions were divided on whether exceptions should be allowed to the proposed ban, with some respondents suggesting they may be necessary for national security or public safety reasons. 

The government is considering feedback on whether the proposed ban should be widened, with a quarter of respondents supporting a wider scope, and another quarter thinking it should be economy-wide. 

There were differing views on how penalties for non-compliance should be handled, with some stakeholders expressing concern that overly harsh measures could unfairly impact victims of ransomware attacks.  The government is continuing to assess the most appropriate and proportionate enforcement approach as part of its policy development.

Ransomware payment prevention regime

The government is continuing to develop its ransomware payment prevention regime following mixed feedback from the consultation. Of the proposed options, the most support was given to an economy-wide regime for organisations not already covered by the ban.  This approach was also seen as the most effective in reducing ransomware payments and supporting law enforcement investigations.

Respondents emphasised the need for clear, tailored guidance and support, particularly distinguishing between organisational and individual responsibilities. Most agreed that organisations should bear legal responsibility for compliance, with only limited support for holding individuals accountable.  The government is working with stakeholders to ensure any compliance framework is proportionate, practical, and aligned with the Bill.

The government intends to issue formal proof of engagement to victims who comply with the ransomware payment prevention regime. This documentation would serve as evidence that the victim followed the required procedures under the regime. It can be presented to intermediaries – such as payment brokers, banks, or insurers – to demonstrate compliance. 

Incident Reporting Regime

A new mandatory incident reporting system is also being proposed. This would replace the current voluntary approach and require certain ransomware incidents to be reported to UK authorities within 72 hours. The preferred measure – an economy-wide mandatory reporting requirement – was seen as the most effective in helping the government understand and respond to ransomware threats.

The government is still considering whether the reporting obligations should apply to individuals, or only to organisations, and whether thresholds – such as company size or turnover – should be taken into account. 

There was also broad agreement on the need for support to help organisations comply. Most respondents called for tailored guidance, operational assistance, and access to threat intelligence. The government has committed to publishing detailed guidance before any new measures take effect.

What’s next?

The government is now working to refine the scope of these proposals, including key questions around thresholds, liability and enforcement.  Detailed guidance is expected ahead of implementation, but organisations, especially those in the public sector or CNI owners and operators, should begin preparing now.  With ransomware threats on the rise, operational resilience is no longer optional; it’s a critical business priority.  Now is the time for organisations to assess their readiness and ensure they have the right systems, processes and support in place to meet incoming regulatory requirements.

For advice on how the ransomware proposals will impact you or your business, please contact Martin Cook, Richard Hugo, Madelin Sinclair McAusland, Amanda Leiu, Justin Barrow or a member of Burges Salmon's Commercial & Technology team. 

This article was written by Mopé Akinyemi and Amanda Leiu.