The UK Government is proposing to introduce new legislation to combat ransomware following a surge in attacks which has led the National Cyber Security Centre and National Crime Agency to identify ransomware as one of the UK’s most significant cyber threats.
Victim numbers have doubled since 2022, with global ransom payments exceeding US$813 million in 2024. High-risk sectors include shipping, aviation and finance, where the average cost of an attack exceeds US$3 million.
Key Proposals
Following a 12-week consultation in early 2025, the UK Government published a proposal outlining a three-pronged strategy in September 2025 to counter ransomware:
- Targeted ban on payments – Prohibits ransomware payments by all public sector bodies and Critical National Infrastructure operators, to reduce the perceived profitability of attacks.
- Pre-payment notification regime – Organisations not covered by the ban must notify UK authorities before paying ransoms, enabling checks for sanctions or terrorism financing risks.
- Mandatory incident reporting – All UK organisations must report ransomware incidents (regardless of payment) within 72 hours and submit a full report within 28 days, improving national awareness and law enforcement response.
Consultation outcomes
While the targeted ban received strong public support, the notification regime received mixed views. Mandatory reporting gained 63% backing, with calls for GDPR alignment and clear guidance. Industry concerns include administrative burdens and necessary exemptions for life-threatening scenarios.
Next legislative steps
While the timeline remains uncertain, the draft legislation is expected shortly. Although ransom payments are not broadly prohibited by law, they are subject to sanctions, anti-money laundering, terrorism and bribery laws. Any payments made to sanctioned or terrorist organisations are illegal.
Preparing for regulatory change and protecting against ransomware risks
Key steps businesses can take to strengthen resilience against ransomware and meet emerging compliance requirements include:
- Understand new obligations: Prepare for reporting requirements and payment restrictions under UK and international laws.
- Plan for incidents: Develop or update response strategies to ensure operational readiness and legal compliance.
- Review insurance and contracts: Assess cyber insurance coverage and contractual protections including coverage for ransomware-related costs, regulatory fines and business interruption.
- Maintain audit trails: Preserve evidence and documentation to meet regulatory expectations and facilitate insurance claims.
- Train key teams: Ensure legal, compliance, IT and crisis teams are equipped to respond effectively.
For a more detailed analysis, please see HFW’s full briefing here: New Ransomware Legislation on the Horizon | HFW