New Ban on Ransomware Payments, New Notification Requirements Being Teed Up in the UK
July 29, 2025
After spending the first half of 2025 taking public comment on the matter, the UK government is moving ahead with legislation to ban ransomware payments for entities that receive public funds and critical infrastructure organizations. That will mean not just some private industry partners, but also local governments and schools that previously had some flexibility in their response to attacks.
The new legislation will touch all of the country’s businesses, however, as it also mandates making contact with the government before making any ransomware payments. If adopted, these rules would be more expansive than those of most countries and another concrete step toward normalizing the idea of total bans as a means of choking off this persistent avenue of cyber crime.
UK ransomware payments ban, Cyber Resilience Bill put new restrictions on new categories of organizations
While still nowhere near a blanket national ban on ransomware payments, which does not yet meaningfully exist anywhere in the world, this is a much closer step than most have taken. Along with the terms of the Cyber Resilience Bill, slated to soon go into effect, this reflects a much more hardline “tough on crime” posture that the UK has adopted in its cyber legislation in recent years.
Part of this is due to repeated high-profile and highly damaging attacks over the last several years, not the least of which saw NHS services thrown into disarray for an extended period and at least one patient death attributed to the situation. Attackers have also heavily targeted schools and local councils during this time, in the belief that they are more poorly defended. The UK government is now essentially telling all impacted organizations to harden themselves and ensure they are able to quickly restore from backups in the event of compromise, as that will be the only available option going forward.
Government notes high public support for ransomware payments ban
National Cyber Security Centre (NCSC) and National Crime Agency (NCA) findings indicate that ransomware is the leading cyber threat to the country and that it meets the threshold of being declared a national security matter. The push to ban ransomware payments appears to have been supported by the recent public commentary period, in which the government says 75% of the responses to the proposals it is implementing were positive.
All of this assumes impacted organizations will be ready, however. That means robust and regular backups, a practiced plan for restoring from them in a timely manner, and contingency plans for potentially operating without IT or core technology for at least several days. This also means planning for the expectation that stolen personal or sensitive data will be leaked, ideally by isolating it somewhere that hackers cannot readily reach. The fantasy scenario is that every organization is so well-prepared in this way that ransomware payments become unnecessary and easy to refuse, but reality has proven to be much more complicated and the UK’s new policies may well be a test case in demonstrating how feasible this vision really is.