The UK Government’s proposal (which follows a public consultation) to prohibit certain ransomware payments marks a notable shift in the national cyber policy landscape.
Presented as part of its broader ambition to disrupt the economics of cybercrime and reduce the appeal of UK entities as ransomware targets, the proposal has, understandably, prompted considerable debate.
Partner at Hunton Andrews Kurth LLP.
The proposal, outlined in the January 2025 consultation, centers on three key pillars:
1. A targeted ban on ransom payments by public sector bodies and operators of critical national infrastructure;
2. A payment prevention regime applicable to all other UK-based organizations and individuals, whereby proposed payments must be pre-notified to authorities who may prohibit them;
3. A mandatory incident reporting obligation for all ransomware incidents, applicable to all UK-based organizations, regardless of whether a payment is made.
Risk Transfer or Risk Reduction?
Currently in the UK, making a ransom payment is not illegal unless the payment goes to a terrorist group, funds organized crime, or breaches sanctions or anti-money laundering (AML) rules, but it is strongly discouraged by regulators and agencies such as the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).
The proposed ban sounds, in theory, great: by eliminating the financial incentive that underpins ransomware attacks, threat actors are less likely to deploy ransomware as their modus operandi.
However, this won’t disincentivize threat actors whose primary goal is causing disruption rather than financial gain. We’ve seen how threat actors, often leveraging AI tools, are using increasingly sophisticated methods to attack companies, so they would likely just change tactics in the face of a ban.
The proposed ban will apply only to the public sector and critical national infrastructure. That scope makes some sense, although it will likely encourage threat actors to redirect their focus towards the private sector, particularly organizations providing services to the public sector, which could ultimately have a similarly detrimental effect.
The proposed payment prevention scheme applies to all UK-based organizations. Such organizations, already in crisis – often facing extortion, reputational damage, operational paralysis, and regulatory risk – may now also face legal jeopardy if they attempt to pay a ransom without authorization, or if that authorization is delayed or denied.
This could have the unintended consequence of deterring disclosure, increasing non-compliance with breach reporting requirements, or incentivizing offshore payment routes to avoid UK jurisdiction altogether.
Overlap with Data Privacy and Breach Notification Law
We should also consider the intersection between these proposals and existing data protection regimes. Many ransomware incidents involve the encryption or exfiltration of personal data, triggering breach notification obligations under the UK GDPR/EU GDPR and international equivalents including U.S. state laws.
The introduction of a separate mandatory incident reporting obligation for ransomware has some merit in terms of facilitating increased intelligence on criminal activity but it adds to the challenges faced by victim organizations, particularly those operating globally and already grappling with notification requirements in multiple jurisdictions in the midst of a cyber incident.
There is a real need for alignment between the ransomware regime and data protection frameworks, particularly around timelines, thresholds, and regulatory touchpoints. The ICO, NCSC, and any newly designated authorities will need to work in tandem to provide consistent, coherent guidance.
Sectoral Considerations: Critical Infrastructure and Beyond
For operators of essential services, the proposed ban is particularly consequential. These entities already face heightened scrutiny under the Network and Information Systems (NIS) Regulations (and potentially under NIS2 if they fall within its scope, as well as the anticipated UK update to the NIS regime), and they often form the backbone of national and economic security.
Yet they may also be among those least able to absorb prolonged downtime caused by ransomware, especially if sector-specific contingency planning is underdeveloped.
While the policy intention is to promote resilience by removing ransom payment as a data recovery option, it assumes that the alternative measures – backups, restoration plans, cyber insurance – are sufficiently mature. That assumption may not hold across the board.
A legal prohibition should therefore be accompanied by a coordinated program of support, including investment in cyber maturity across the public sector.
Cross-Border Dimensions and Practical Uncertainties
From an international perspective, the proposals raise a host of jurisdictional and enforcement issues. For example, what happens if a UK-based subsidiary of a multinational is attacked but ransom negotiations are led by a foreign parent? Would UK authorities assert jurisdiction over offshore payments made on behalf of a UK victim?
Clarity is also required on the scope of the planned mandatory reporting regime, including what the consequences and penalties might be for non-compliance. The consultation suggests harmonization across regimes, but little detail has been provided as yet.
Preparation
The measures are expected to become law, potentially under the anticipated Cyber Security and Resilience Bill, within the coming year. Organizations will therefore need to start thinking about how to navigate this new environment.
At a minimum, they should review their incident response governance programs, update their incident response policies, and continue to monitor developments in sanctions, data privacy, and cybersecurity law to ensure a harmonized compliance posture.
Much of this will already be underway in organizations with a sophisticated incident response framework, but it will need to be considered by all organizations.
More fundamentally, policymakers will need to work with legal specialists and industry to ensure that any legislation is workable, proportionate, and does not compromise the very resilience it seeks to build.
Conclusion
The question of whether to make ransom payments illegal in the UK raises complex legal, ethical, and practical considerations.
On the one hand, prohibition may help to deter cybercrime and remove the financial incentives driving ransomware.
On the other, it risks exacerbating harm to victims, pushing incidents underground, and creating difficult enforcement challenges.
From a legal standpoint, there is still time to shape the regime into one that encourages transparency, enhances resilience, and aligns with broader data privacy and cybersecurity objectives. It does however require careful drafting and industry collaboration.
A nuanced approach – balancing deterrence with victim support – may ultimately prove more effective than outright criminalization.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro