Date: 2025-07-22

The UK government is set to implement new measures aimed at dismantling the business model of cybercriminals and bolstering national defences against ransomware attacks.

Following extensive public consultation, the proposed regulations will prohibit public sector bodies and critical national infrastructure operators, including the NHS, local councils and schools, from paying ransom demands.

Ransomware (malicious software that encrypts systems or steals data until a ransom is paid) costs the UK economy millions annually and poses severe operational, financial and even life-threatening risks. Nearly three-quarters of consultation respondents supported the ban, which aims to make vital public services less attractive targets for criminal groups.

For businesses not covered by the ban, mandatory notification of any intent to pay a ransom will be required. This will allow the government to provide crucial advice and support, including warnings that a payment could breach sanctions by inadvertently funding sanctioned cybercriminal organizations, many of which are based in Russia.

Additionally, new mandatory reporting requirements are being developed to furnish law enforcement with critical intelligence to track and disrupt perpetrators, while also better supporting victims.

Security Minister Dan Jarvis emphasized the government’s resolve, stating:

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on… That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change.”

Rebecca Lawrence, Chief Executive of the British Library, shared the experience of her institution, which suffered a devastating ransomware attack in October 2023. She confirmed, “as a public body, we did not engage with the attackers or pay the ransom. Instead, we are committed to sharing our experiences to help protect other institutions affected by cybercrime and build collective resilience for the future.”

