Ransomware remains one of the most serious cyber threats facing the UK today, costing the economy millions and threatening the functioning of a wide range of organisations, including those in critical sectors. In response, the UK Government recently confirmed that it will push ahead with new ransomware rules. The rules, originally proposed in a consultation in January 2025 (see our blog), would introduce a targeted ban, a ransomware payment prevention scheme and mandatory notification requirements.
Government response to the consultation feedback
Proposal 1: Partial ban on ransomware payments
This proposal introduces a ban on ransomware payments in the public and Critical National Infrastructure (CNI) sectors. It builds on the Government’s existing stance that taxpayer funds should not be used to pay ransoms, a stance which has already resulted in a ransomware payment ban for central government departments.
Consultation feedback:
The consultation responses demonstrated strong support for a targeted ban on ransomware payments. However, questions were raised about how the scope of CNI would be defined, the disproportionate impact of additional measures on smaller businesses and whether the proposal would have extra-territorial effect.
Further, while the majority of the respondents supported extending the ban to include supply chains, concerns were raised about the complexities this entails. There was also mixed feedback on what the penalties should be for non-compliance. Particular concerns were raised about ‘revictimising victims’ and the liability for financial institutions asked to process payments discovered to be illegal.
Government response:
The government will develop this proposal in collaboration with industry, exploring the most appropriate and proportionate penalties and directly discussing liability concerns with the finance sector. The Home Office is also currently working with lead CNI government departments to consider the most appropriate approach to manage supply chains.
Plans will be aligned with existing requirements, including those proposed under the Cyber Security and Resilience Bill (you can read more about the CSRB in our article here).
Proposal 2: Payment prevention regime
The payment prevention regime would require ransomware victims (not subject to the above ban) to notify authorities of any intention to pay a ransom. Authorities would then check if there were any reasons to prevent such payment (e.g. sanctions).
Consultation feedback:
Feedback on the ransomware payment prevention regime was mixed. The consultation presented a number of options in relation to this (an economy-wide regime, one with thresholds, one excluding individuals or certain organisations). The most supported option in the responses was an economy-wide regime. There were concerns that if it were not economy-wide, it could simply displace attacks onto those sectors not included. Respondents also felt that there should be different non-compliance measures for organisations and individuals, and there were significant practical concerns over how the regime would work in terms of timings, resources and its burden on smaller businesses.
Government response:
The Government is still exploring how to implement this regime, and is also working on what compliance guidance should accompany any new rules. It has, however, confirmed that its intention is that all victims who have complied with the ransomware payment prevention regime would get proof of engagement to demonstrate to any payment broker or facilitator that they had adhered to the regime.
Proposal 3: Mandatory reporting regime
The plan proposed a 72-hour mandatory reporting regime for all ransomware victims, regardless of their intention to pay, with a detailed follow-up report within 28 days.
Consultation feedback:
There was strong support for an economy-wide mandatory 72-hour reporting regime for all organisations and individuals. This should aid real-time intelligence gathering, improve national awareness of the threat landscape, and lead to greater alignment with law enforcement and regulatory bodies such as the Information Commissioner’s Office. Support for this proposal was significantly higher than for continuing with the current voluntary system, although concerns were raised around resourcing, especially for organisations already subject to overlapping reporting obligations. Respondents also expressed a desire for additional support from the government for victims.
Government response:
The government will keep the suggested 72-hour reporting timeframe and will also work with ‘operational partners’ to consider “an appropriate and proportionate package for victim support.” Interestingly, the government did not discuss the fact that the new NIS regimes (NIS2 in the EU and the expected Cyber Security and Resilience Bill in the UK) introduce a new 24-hour reporting obligation for those in critical sectors.
What happens next?
There is currently no timeframe for ‘next steps’ in relation to these proposals, although it appears that the government is already liaising with regulators and impacted parties to further develop the plans. The response also reiterates in a number of places that the government wants to ensure these plans align with the Cyber Security and Resilience Bill, which is expected this year. However, progressing the plans is, in itself, seen as progress by the government. As Security Minister Dan Jarvis put it, “By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware.” Businesses should therefore continue to factor these reforms into their cyber and resilience planning.