On 14 January 2025, the UK government announced a public consultation on legislative proposals on ransomware. The consultation closes on 8 April 2025.
Proposal 1: Ban on making a ransomware payment for public sector bodies and critical national bodies
The first proposal is to introduce a targeted ban on making ransomware payments: public sector bodies and owners and operators of critical national infrastructure (CNI) bodies will be banned from making ransomware payments in response to a ransomware incident. The owners and operators of CNI bodies will be subject to the ban only to the extent they are regulated bodies or have competent authorities. CNI consists of thirteen sectors (chemicals, civil nuclear, communications, defence, emergency services, energy, finance, government, health, space, transport, and water). There may be fines and/or criminal penalties for non-compliance with the ban.
Proposal 2: Obligation on all organisations to notify the Home Office of an intention to make a ransomware payment
A second proposal is to introduce a legal requirement for all organisations that have suffered a ransomware attack to notify the Home Office of an intention to make a ransomware payment. The Home Office will provide support and guidance to the notifying organisation and discuss options for non-payment. The Home Office may block the payment if it would breach sanctions or terrorism finance legislation.
Proposal 3: Obligation on all organisations to notify of a ransomware attack
The third proposal is to require all organisations that have suffered a ransomware attack to notify the Home Office of the attack within 72 hours, regardless of whether they intend to pay the ransom.