In a move to fight back against cyber crime, the UK government is preparing to legally ban public bodies (including the NHS, schools and local councils) from paying ransoms to hackers. The proposed regulation targets public sector organisations and critical national infrastructure, with the aim of cutting off the payments that fund ransomware operations.
Following several high-profile breaches in the private sector, including M&S and Co-op, the public sector has also been heavily targeted. Recent public-sector victims have included the Legal Aid Agency, the NHS, the British Library and numerous local councils.
Why This Is a Game-Changer
- Clear deterrent: Although UK public bodies rarely paid ransoms in practice, this law sends a strong message that paying demands is off the table, with no ambiguity and no grey area.
- Targeting criminal profits: Global ransomware payouts reached about £652.7 million in 2024. By cutting off public-sector payments, the UK aims to hit the attackers' wallets and disrupt their business model.
- New rules: The ban follows a public consultation launched in January 2025, which proposed three pillars: a targeted payment ban, a mandatory notification regime for organisations outside the ban that intend to pay, and broader incident reporting.
What It Covers – and Who’s Affected
Public sector & CNI
All publicly‑funded entities (NHS, schools, local government) and regulated Critical National Infrastructure organisations will be completely banned from making any ransomware payment
Private sector
Not covered by the ban – but any private company wishing to pay a ransom must first notify the government. This allows authorities to:
- Assess financial and legal risks (e.g. links to sanctioned groups)
- Offer advice, including possible routes that do not involve payment
- Block payments in specific cases
Incident Reporting
Both public and private entities will face requirements to report ransomware incidents, expanding intelligence-gathering capabilities for law enforcement.
What Experts Say
-Security Minister Dan Jarvis emphasises the goal: “to smash the cyber‑criminal business model” and convey strong national opposition to ransom payments
-Cyber security veteran Alan Woodward notes that while UK authorities rarely paid ransoms, the clarity of this law may discourage attacks.
-Royal United Services Institute’s Jamie MacColl commends the approach but remains sceptical that a partial ransom payment ban will have the desired effect and make the UK less attractive to cyber criminals. He states that threat actors are unlikely to develop a rigorous understanding of UK legislation.
What This Means for Organisations
| Sector | Requirement |
| --- | --- |
| Public sector / NHS / CNI | Zero tolerance: no ransom payments permitted. Resilience must come from tested backups and recovery plans. |
| Private companies | Payment possible only after notifying the authorities, and liable to be blocked where it would breach sanctions or terrorism-financing law. |
| All sectors | Mandatory incident reporting and collaboration with national cyber security authorities. |
The Takeaways:
- Public organisations must overhaul disaster-recovery and crisis-response planning now. They cannot rely on ransom payments, even as a last resort.
- Private businesses should prepare for government engagement before any payment and understand the legal frameworks that apply (sanctions, terrorism financing).
- All organisations need to adopt recognised security baselines and services (e.g. Cyber Essentials certification, the NCSC's Early Warning service) and practise resilience through drills and backups. Because ransomware operators routinely target backups before encrypting, those backups should be kept offline or immutable, and restoration should be rehearsed against a realistic time-to-recover.
Final Thoughts
This law marks one of the strongest government measures globally against ransomware, following Australia's move to make ransom payments reportable. It aims to starve the ransomware ecosystem of funds, and to give law enforcement the intelligence it needs, at a time when UK organisations remain top targets.
But the measure is not without trade-offs. A payment ban removes the decryption lever but not the data-leak lever, so response plans must cover the exposure of stolen data as well as the restoration of systems. Organisations must pivot convincingly toward cyber resilience, giving attackers no leverage, and be ready to meet incidents not with payments but with speed, transparency and legal awareness.
We can strengthen your defences
If you’re unsure whether your organisation is prepared, we can help. From strengthening your cyber security posture to ensuring you’re incident-ready and compliant with new legislation, our experts are here to support you. Get in touch to see how we can reduce your risk and build real resilience.