UK Government ransomware legislative proposals: Key outcomes of the consultation

Update on the UK Government’s consultation on proposals to safeguard British businesses and infrastructure against the rising threat of ransomware attacks.

Following our recent article on laws to disrupt ransomware payments in the UK, we want to share an important update on the government’s consultation outcomes. The recent consultation, which received 273 responses, has confirmed widespread support for several key measures. Based on these responses, the government is actively developing all three proposals into legislation designed to deter ransomware criminals and limit the flow of ransom payments from UK businesses.

  • The first proposal involves a targeted ban on ransomware payments for public sector bodies, including local government, and for owners and operators of critical national infrastructure (CNI). This measure received support from 72% of respondents, with significant support from the CNI and public sectors, reflecting broad consensus on restricting payments from these sectors to cybercriminals.
  • The second proposal aims to establish an economy-wide ransomware payment prevention regime. This was supported by 47% of respondents, marginally more than a threshold-based approach. The government recognises that there are split views on the effectiveness of these measures in reducing ransomware payments and increasing law enforcement agencies’ ability to intervene and investigate ransomware actors. The government plans to continue to develop this proposal, including the process for reporting and timing for approvals. 
  • The third proposal focuses on creating a mandatory incident reporting regime for all UK businesses hit with ransomware, whether they pay the ransom or not. 63% of respondents supported a system requiring organisations and individuals to report suspected ransomware incidents, with the aim of strengthening the UK’s threat intelligence and response capabilities.

As a result of these positive responses, the government intends to progress with the development and implementation of all three proposals into legislation.

However, several significant details are yet to be ironed out, including penalties for non-compliance; how such a scheme will be resourced; and the extent to which reports will result in tangible help from government agencies for victims. Concerns remain that these proposals may not have the deterrent effect the government hopes for, because many ransomware attacks are opportunistic in nature and not targeted at specific organisations or sectors. Furthermore, it is likely that the proposed measures will create additional stress and complexity for incident response teams during a time of crisis. The government has promised to publish “detailed guidance” before new reporting obligations come into force, and we eagerly await that guidance.

For more detailed insights into the consultation responses and findings, please refer to the full government response report here: Government response to ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting.

We will continue monitoring these developments and keep you informed of further updates.

Our people

Holly Waszak

Head of Cyber Claims, Cyber Risk

  • United Kingdom

Helen Nuttall

Head of Cyber Incident Management

  • United Kingdom
