6 August 2025

UK to Tackle Ransomware with Bans and Reporting Measures

By Jess Pembroke, Director of Information Law Services

Background 

Ransomware is a severe cybersecurity threat in the UK, classified as the most significant form of organised cybercrime. It involves malicious software that locks IT systems or data, often alongside data theft, and demands a cryptocurrency ransom for restoration or to prevent public release of information. 

Cyber-attacks such as those on the British Library in 2023, along with targeted attacks on various local councils and healthcare institutions as well as the retail sector, highlight the disruptive potential of ransomware across all sectors. These high-profile incidents not only result in immediate operational paralysis but also inflict enduring harm on reputation and organisational resilience.

Government Response 

On 22 July 2025, the UK Home Office announced legislative plans following a consultation process started in January 2025, aiming to curb ransomware threats. The proposals focus on restricting ransom payments and improving reporting. 

The consultation put forward three proposals:  

1: Targeted Ban on Ransom Payments 

  • Applies to public sector bodies and operators of regulated critical national infrastructure. 
  • Potential inclusion of essential suppliers under consideration. 
  • Concerns raised about scope, extraterritorial effect, and compliance guidance. 

2: Ransomware Payment Prevention Regime 

  • Targets organisations and individuals not covered by the outright ban. 
  • Requires engagement with authorities before making any payment. 
  • Authorities will provide guidance and have the power to block payments, especially if sanctions or terrorism laws may be breached. 

3: Mandatory Ransomware Incident Reporting 

  • Requires reporting of all ransomware incidents, regardless of whether payment is intended. 

The goals are to minimise financial losses resulting from ransomware attacks, strengthen intelligence gathering on ransomware operations to enable more effective disruption and investigation, and help the government make decisions about the development of future policies. 

These proposed requirements will add to existing obligations, such as those under the UK GDPR, where organisations must already report data breaches. When these measures come into force, organisations will need to ensure their internal processes are resilient and that they involve senior leadership in critical decision making around business continuity and incident reporting. This arguably adds costs and obligations to already stretched public services; however, the UK Government is being pushed to take action because “British businesses are suffering significantly more damaging losses from ransomware attacks compared to the rest of the world”.[1]

Next Steps 

  • UK Government will develop the targeted ban and clarify who is included. 
  • Future consultations are likely, especially regarding essential suppliers and compliance details. 
  • All organisations are encouraged to stay informed and participate in shaping future legislation. 

For more information on keeping your systems secure, consider booking onto our Information Security and Data Breach Management course (half day; 3 CPD points), where participants will gain an understanding of the UK’s key data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and how these relate to the broader field of information and cyber security.

Or why not get in touch with us to learn more about our latest course, Data Protection and Cyber Security for Executives and Senior Leaders?  

All our training courses are available both online and in-house, offering flexible learning options to suit your organisation’s needs. To explore our full range of courses or discuss bespoke solutions, please get in touch at info@naomikorn.com. 
