
On 22 July 2025, the UK Government published its long-awaited response to the Home Office’s consultation on legislative proposals to combat ransomware. The proposals mark a significant shift in the UK’s cybercrime strategy, with a focus on reducing the profitability of ransomware attacks and enhancing national cyber resilience. However, key details of the proposed way forward are still to be provided, so much remains unclear at this stage.

In addition, while the proposal aims to prohibit ransomware payments across public sector organisations and critical national infrastructure (“CNI”) providers, beneath its surface such a policy may inadvertently heighten the very risks it seeks to mitigate.

This article summarises the Government’s position on the three core proposals, outlines key compliance implications, and highlights what next steps are expected.

Government’s Three Core Proposals

1. Targeted Ban on Ransomware Payments

The Government supports a targeted ban on ransomware payments by:

• owners and operators of regulated CNI providers; and
• public sector organisations.

This approach is intended to remove the financial incentive for attackers while avoiding unintended consequences for the broader private sector. The ban will be underpinned by sector-specific guidance and enforcement mechanisms, though the precise legal definition of CNI providers for the purposes of the proposed ban remains to be clarified. It is also unclear at this stage whether any ban will extend to the supply chain of CNI providers, or whether it will have extraterritorial effect.

Additionally, although the proposals are intended to promote investment in cybersecurity infrastructure, many public sector organisations may struggle financially to comply with this shift towards resilience and preparedness.

2. Ransomware Payment Prevention Regime

The Government is considering the introduction of a broader regulatory framework aimed at discouraging ransomware payments. This proposed regime would impose specific compliance obligations on in-scope organisations, requiring them to adopt robust internal controls and governance measures around ransomware response. It may also require ‘proof of engagement’ (with the relevant government body) which can be provided to a payment broker or facilitator prior to the payment of a ransom.

It would also establish oversight mechanisms to monitor payment activity, enabling authorities to track trends, identify systemic risks, and intervene where necessary. In parallel, the regime would promote resilience-building by encouraging or mandating the development of incident response plans, employee training, and technical safeguards.

Although these measures may not apply universally across the private sector, the Government’s direction of travel clearly signals a move toward heightened regulatory scrutiny and a more proactive stance on ransomware preparedness and accountability.

3. Mandatory Incident Reporting Regime

A new mandatory reporting regime is also being proposed to improve visibility and coordination across Government and industry; any victim of ransomware would be required to comply with the following timeframes:

• Initial notification: within 72 hours of detecting a ransomware incident.
• Detailed follow-up report: within 28 days of the initial notification.

The detailed report is expected to include, for example, technical analysis, impact assessments, and a summary of response actions taken.

Some respondents to the consultation believe that such a reporting regime will improve intelligence and ensure effective implementation of existing regimes (such as those under the UK GDPR, for example). Others highlighted concerns that the proposed mandate could create greater challenges for organisations already navigating a crisis, and that the Government may inadvertently create a complex web of compliance – especially as organisations may already have to report incidents to multiple regulators depending on their sector.

What’s Missing?

While the Government has expressed broad support for the proposed ransomware measures, several critical aspects of the framework remain unresolved:

• Notably, it is currently ambiguous what is intended to fall within CNI for the purposes of the payment ban, leaving uncertainty around the scope of application.
• It is also unclear whether a centralised register of CNI entities will be established to support enforcement, creating uncertainty as to which organisations are subject to the proposed ban.
• Further, while the Government has noted it will consider the most appropriate and proportionate penalties, the response does not yet set out the enforcement mechanisms (such as how violations will be detected or prosecuted) that would apply in cases of non-compliance.

However, the Government has indicated that it will issue supporting materials to help organisations understand and meet their obligations. These may include sector-specific lists, notification protocols, and compliance tools. As such, these outstanding issues are expected to be addressed through further consultation and the development of secondary legislation in due course.

Final Thoughts

The Government’s response signals a clear intent to shift the UK’s ransomware approach from reactive to preventative. While the proposals are still evolving, they represent a critical opportunity for organisations to strengthen their cyber resilience and align with emerging regulatory expectations, and to start considering the potential impact on ransomware incident response plans and playbooks.

For further advice on how we can support you with your cyber incident response plans and procedures, please contact Amber Parslow and Paul Glass, or your usual contact at Baker McKenzie.

Author

Amber is an Associate in the London Data Privacy & Cybersecurity Practice, while also supporting the wider team on digital regulatory work and commercial tech transactions. She advises clients across various data-rich sectors on a range of data protection and privacy advisory, compliance and regulatory matters, including GDPR compliance programmes, ICO investigations, and data breach and cybersecurity incident response.

Author

Paul is a Cybersecurity Consultant in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.