The U.K. government announced on Tuesday plans to lead a crackdown on cybercriminals by introducing new ransomware measures. These efforts aim to address the growing threat of ransomware and will be developed in collaboration with industry partners following a public consultation. The goal is to better protect businesses and critical services across the country.
The consultation focused on three key proposals: a targeted ban on ransomware payments for owners and operators of regulated critical national infrastructure and the public sector, a ransomware payment prevention regime, and a mandatory incident reporting regime. If adopted, this package would mark the first time UK law introduces specific measures to counter ransomware.
Public sector bodies and operators of critical national infrastructure, including the NHS, local councils, and schools, would be banned from paying ransom demands to criminals under the measure, with nearly three-quarters of consultation respondents showing support for the proposal. The ban would target the business model that fuels cyber criminals’ activities and make the vital services the public relies on a less attractive target for ransomware groups.
The Government’s response to the consultation outlines key findings, summarizes the feedback received, and details the next steps for policy development. A total of 273 responses were submitted—233 through the online survey or in the survey format, and 40 in other formats such as emails or written submissions. In addition, the Government hosted 36 engagement events to encourage wider participation, though insights from these sessions are not reflected in the formal response summary.
Overall, feedback was constructive and broadly supportive. The Government plans to move forward with the proposed measures in collaboration with industry and will provide guidance and supporting materials to help with implementation.
Under the proposals, businesses not covered by the ban would be required to notify the government of any intent to pay a ransom. The government could then provide those businesses with advice and support, including notifying them if any such payment would risk breaking the law by sending money to sanctioned cyber criminal groups, many of whom are based in Russia.
“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” Dan Jarvis, Security Minister, said in a media statement. “That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on as we deliver our Plan for Change.”
He added that by working in partnership with industry to advance these measures, “we are sending a clear signal that the UK is united in the fight against ransomware.”
“These new measures help undermine the criminal ecosystem that is causing harm across our economy,” Jonathon Ellison, NCSC Director of National Resilience, said. “Ransomware remains a serious and evolving threat, and organizations must not become complacent. All businesses should strengthen their defences using proven frameworks such as Cyber Essentials and our free Early Warning service, and be prepared to respond to incidents, recover quickly, and maintain continuity if the worst happens.”
The new measures will lead the way in tackling ransomware and have been designed to strike against cyber criminals’ business model, bolstering national security and protecting key services and businesses from disruption, delivering on the nation’s Plan for Change. They follow an extensive consultation with stakeholders across the U.K., which showed strong public backing for tougher action to tackle ransomware and protect vital services.
The U.K. government is proposing a targeted ban on ransomware payments for public sector bodies, including local governments, and regulated critical national infrastructure (CNI) operators. Nearly three-quarters (72%) of consultation respondents supported the move, believing it would reduce funds to ransomware groups. Around 68% felt it would be effective in cutting off criminal revenue, and 60% believed it could deter attacks on banned entities. Support was stronger among CNI and public sector respondents, with 82% in favor. Opinions were mixed on whether exemptions should be allowed or if the ban should extend to supply chains.
The government is considering a new ransomware payment prevention regime that would apply across the economy. While views were mixed, the most supported option—Measure 1, which proposes a blanket payment prevention regime for organizations and individuals not already covered by the targeted public sector/CNI ban—received 47 percent net agreement, slightly more than other options.
Respondents viewed Measure 1 as potentially more straightforward and less prone to loopholes than threshold-based approaches, which many feared could shift attacks toward exempted sectors or smaller entities. Measures 2 to 4 saw higher disagreement levels (48 to 53 percent), with concerns over loopholes, displacement effects, and unintended business behavior changes.
Although opinions were split on how effective the measures would be overall, Measure 1 again saw the most support: 27 percent believed it could effectively reduce ransomware payments, and 22 percent said it could help law enforcement better intervene and investigate. Respondents repeatedly called for more clarity on how the regime would work in practice, especially around payment decision timelines and coverage scope.
There is strong support for introducing a mandatory ransomware incident reporting regime in the UK, with significantly more backing than for maintaining the current voluntary system. The most favored option, an economy-wide mandatory reporting requirement for all organizations and individuals, received 63 percent net agreement, compared to just 41 percent for continuing voluntary reporting.
Roughly three-quarters of respondents believed this measure would improve the government’s ability to understand (79 percent) and respond to (74 percent) the ransomware threat. While many supported the move, feedback raised questions about whether thresholds, such as company size or turnover, should apply, and whether individuals should also be included.
Concerns were also raised about the added resource burden, especially for smaller organizations and those already subject to multiple reporting obligations.
A recurring theme across all proposals was the role of penalties. While respondents broadly supported penalties to enforce compliance, many raised concerns about proportionality. Questions were raised about whether penalties should be civil or criminal, how they should be calibrated, and the risk of unintentionally criminalising or revictimising those targeted by ransomware.
Another common thread was the need for tailored guidance and support. Respondents emphasized the importance of clear, accessible, sector-specific advice to help organizations understand and implement the measures. There was also a strong call for the government and law enforcement to provide direct victim support in the aftermath of ransomware attacks.
Apart from the proposed measures, the government continues to urge organizations across the country to strengthen their ability to maintain operations in the event of a ransomware attack. This includes having offline backups, tested plans to operate without IT for an extended period, and a strategy for restoring systems from backups.
Mandatory reporting is also being developed, which would equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities, allowing for better support for victims. Consultation responses showed strong support for a new mandatory reporting regime to protect British organizations and industry.
Last month, the U.K. government announced its Spending Review 2025, laying out plans for a step change in investment in digital and artificial intelligence (AI) across public services, including in the NHS. The government will build strong digital and technology foundations, tackle urgent cybersecurity and technical resilience risks, modernize public service delivery, and drive a major overhaul in government productivity and efficiency. An additional £1.2 billion will be provided across the period to drive forward cross‑cutting digital priorities.