For two decades, governments have publicly discouraged ransom payments while quietly tolerating them. The United Kingdom is now preparing to end that ambiguity. The Home Office's January 2025 consultation — closed in April 2025 and now feeding into the Cyber Security and Resilience Bill workstream — proposes the most ambitious ransomware policy package any major Western democracy has tabled: a categorical ban on payments by public sector bodies and critical national infrastructure operators, a mandatory notification regime for any UK victim contemplating a payment, and economy-wide mandatory reporting of all ransomware incidents.
If enacted in something close to its consultation form, the package will reverberate far beyond Britain. Global insurers will need to rewrite cyber policies. Incident-response firms operating across borders will face new compliance choke points. And multinationals with UK subsidiaries — which is to say most of the Fortune 500 — will discover that London's rules now travel with them.
What the proposal actually does
The three components do quite different things and deserve to be evaluated separately.
The targeted ban on payments by public sector organisations and operators of essential services (those covered by the NIS Regulations) is the headline measure. It builds on the October 2024 Washington summit of the Counter Ransomware Initiative (CRI), where 68 member states issued a joint statement discouraging payments and committing to deny ransomware actors safe haven. The UK ban would convert that political signal into binding domestic law for the entities most likely to be targeted by state-aligned criminal groups.
The mandatory notification regime is in some ways more consequential. It would require any UK-based victim contemplating a payment — public or private — to notify the government in advance. That notification triggers an opportunity for intervention: sanctions screening by the Office of Financial Sanctions Implementation (OFSI), possible alternative recovery options, and a check on whether payment would breach UK financial sanctions law (which already prohibits payments to designated entities, including many Russian-linked groups).
The mandatory incident reporting piece is the least controversial and arguably the most valuable. The current picture is hopelessly fragmented: the National Cyber Security Centre (NCSC) sees a fraction of incidents, the Information Commissioner's Office (ICO) sees personal-data breaches, and Action Fraud sees what victims choose to report. Consolidating that into a single mandatory reporting channel would, for the first time, give policymakers a defensible empirical baseline.
The case for proportionate caution
The reporting requirement is straightforwardly good policy. Mandatory disclosure improves collective defence, helps the NCSC issue timely advisories, and aligns the UK with the trajectory of the EU's NIS2 Directive and the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Reasonable people can argue over thresholds and timelines, but the principle is sound.
The notification regime is also defensible. Victims under extortion duress benefit from a structured pause that surfaces sanctions risk, law enforcement options, and decryption alternatives. A 'speed bump' that injects expertise into a panicked decision is very different from prohibition.
The categorical ban is harder. Three concerns deserve serious weight:
- Hard cases involving life and safety. The 2024 Synnovis incident — which disrupted NHS pathology services across south-east London for months — illustrates how ransomware against healthcare providers can shade into life-threatening territory. A blanket ban must contemplate what happens when a hospital's only realistic path to restoration runs through a payment.
- Displacement, not deterrence. Criminal economics are adaptive. If UK public bodies are off the menu, attackers will shift toward UK private sector targets, supply-chain vendors, or simply more aggressive double-extortion tactics where data leakage is the primary lever. The evidence base on whether national-level payment bans actually reduce attack volume — as opposed to redistributing it — is thin.
- Extraterritorial chilling effects. Global cyber insurance is increasingly written through London-based syndicates. A UK ban that bleeds into reinsurance terms, broker conduct rules, and the operating practices of incident-response firms will shape how organisations in jurisdictions that have not chosen this path respond to attacks.
What good legislation would look like
A proportionate, innovation-friendly version of this package would do four things. First, it would keep the mandatory reporting regime broad and the thresholds sensible, with safe-harbour protections for good-faith disclosure. Second, it would preserve the notification regime as a structured intervention point rather than a back-door prohibition. Third, it would write narrow, well-defined exceptions into any payment ban for situations involving imminent risk to human life or safety, with ministerial sign-off and after-the-fact transparency. Fourth, it would invest the resulting visibility dividend back into capability — NCSC resourcing, free decryption tooling, and small-business support — rather than treating disclosure obligations as their own end.
The bigger picture
Britain's gambit is, in the deepest sense, a bet that legislation can reshape a criminal market. That bet may or may not pay off. But the global precedent it sets matters either way. Other CRI members — Australia, Canada, the Netherlands, France — are watching closely, and the international compatibility of incident-response practice depends on whether London's rules become a template or an outlier.
Done well, the UK package could be a model for collective defence. Done poorly — particularly if the ban hardens into an inflexible prohibition with no humanitarian carve-outs — it risks punishing victims while doing little to deter sophisticated criminal groups operating from jurisdictions beyond Western reach. The drafting choices made over the coming months will determine which outcome Britain delivers.