The past year has seen two UK legislative proposals focused on the issue of ransomware payments by British businesses. This focus from the UK government could signal a shift towards outlawing such payments or leaving businesses facing difficult choices. Dan Raywood examines the details.

Last year, the UK government began a crackdown on cybercriminals with proposed legislation that would make the payment of a ransom illegal for certain sectors. Specifically, public sector bodies and operators of critical national infrastructure – including the NHS, local councils and schools – would be banned from paying ransom demands. Other businesses not covered by the ban would be required to notify the government of any intention to pay.

Security Minister Dan Jarvis said the proposal aims to “smash the cybercriminal business model” and protect essential services. By working with industry, he said, “we are sending a clear signal that the UK is united in the fight against ransomware.”

The consultation on that proposal ran for 12 weeks (from 14 January to 8 April 2025) and proposed:

  1. A targeted ban on ransomware payments for regulated critical national infrastructure and the public sector.
  2. A ransomware payment prevention regime.
  3. A mandatory incident reporting regime.

These measures would represent the first specific UK legislation designed to counter ransomware, with the central aim of protecting public services and critical infrastructure from disruption.

Commenting, Crystal Morin, senior cybersecurity strategist at Sysdig, said that improving ransomware incident reporting is not a knee-jerk reaction but a strategic adjustment to a rapidly evolving threat landscape.

“High-profile incidents over the last year have demonstrated how ransomware can disrupt critical services and affect everyday life,” she said. “These events show that cyber-attacks, however isolated they may seem, pose real risks to national security and public well-being.”

Positive Response

Consultant and policy specialist Jen Ellis notes the “overwhelmingly positive response” to the government consultation around the idea of a ban. She suggests this is partly because companies want to be able to tell customers that they are legally unable to pay a ransom and are simply following the law.

She also points out that some believe ransomware is purely profit-driven and that removing the profit motive will eliminate the crime. However, this overlooks factors such as the involvement of organised crime groups linked to more violent activities, including trafficking.

“It doesn’t account for the scale of money being made or the lack of effective enforcement,” Ellis says. “Attackers operate with impunity and can target the most vulnerable organisations at little cost to themselves.

“It also ignores the fact that we operate on a global internet. A ban in the UK does not protect organisations from activity taking place elsewhere.”

New Factor

While the consultation awaits its next stage, a further development emerged in October 2025, when MP Bradley Thomas introduced a private member’s bill. The bill would require companies meeting specific criteria to report any cyber extortion or ransomware attack to the government within a defined timeframe.

Introducing the bill, Thomas noted that there is currently no requirement for companies to disclose when a ransom payment has been made, despite the financial burden such payments impose. His proposal would require any company registered under the Companies Act 2006 with annual turnover above £25m — or responsibility for critical national infrastructure — to notify the government within 72 hours of becoming a victim.

A further report would be required if any payment was made by the company or a third party on its behalf, again within 72 hours. Thomas acknowledged concerns about reputational damage but said robust legal protections would ensure reports remain confidential unless disclosure is deemed to be in the national interest.

“The absence of mandatory reporting, especially for ransom payments, leaves a dangerous blind spot in our national security,” he said. “When companies report these payments, our security agencies gain vital intelligence about who is being targeted and how attacks are evolving.”

Morin said mandatory reporting is not about shaming organisations but strengthening collective defence. “When organisations report incidents, security teams gain insight into emerging tactics and vulnerabilities, allowing them to respond faster and prevent wider damage.”

She added that while reputational fears are understandable, the proposed framework includes safeguards to limit disclosure to exceptional cases. “A mandatory but ‘shame-free’ reporting system recognises this reality.”

Deterring Ransomware Attacks

Looking at the proposals, Ellis told ISMS.online she does not believe a nationwide payment ban would significantly deter attacks. “Most victims are attacked opportunistically because they are connected to the internet. Infections just happen.”

“I don’t think a payment ban will be effective unless it is global,” she said. “Attackers will adapt.”

On reporting, Ellis said the key is normalising disclosure. “We need to take the sting out of reporting and improve our understanding of what’s happening. We can’t do that if people don’t report.”

“Reporting won’t solve the problem, but it will give us a better idea of its true scale.”

On whether businesses would still pay secretly if a ban were introduced, Ellis said this is hard to predict. She has spoken to business owners who believe they would have no choice if faced with an existential threat.

She also highlighted the potential impact on cyber insurance. “If paying is illegal, insurance won’t cover it. Instead, insurers would have to cover recovery costs, which may lead them to demand stronger resilience measures.”

Thomas’ bill is due for its second reading in May, and both proposals aim to restrict ransom payments. However, for businesses where payment appears to be the only option, alternatives may be limited.

Research from Sophos in 2025 found that nearly 50% of companies paid a ransom to recover their data. Another proposal seeks to improve resilience standards for UK businesses.

Ultimately, most stakeholders appear supportive of reporting requirements, but the question of whether to pay will become more complex under a legal mandate. Now is the time for organisations to strengthen resilience and decide whether they can survive without buying their way out of cybercrime.