Pentiq

UK Ransomware Policy: What Organisations Should Do Now

The UK ransomware payment ban, notification regime and mandatory reporting requirements explained — plus the controls that materially reduce impact.

Reviewed by: Lewis Warner, Chief Hacking Officer

The end of the quiet-payment playbook — and what to do instead.

Ransomware has been the dominant cyber threat to UK organisations for several years, and the policy response has now caught up with the threat. The Home Office consultation that ran from January to April 2025, the Government response published in September 2025, and the alignment with the forthcoming Cyber Security and Resilience Bill together mark the most significant change to the UK’s ransomware posture in a decade. The era of organisations quietly paying ransoms — sometimes on the advice of their cyber insurers — is ending.

This article sets out what is changing, why ransomware has become a governance issue rather than a purely operational one, and which controls materially reduce the impact of an incident regardless of the policy direction. It is written for boards, general counsel and security leaders who need to translate a moving policy picture into concrete preparation.

Why ransomware is now a governance issue

Ransomware decisions used to belong to the security team and the incident response retainer. They now belong to the board, the audit committee, general counsel and — increasingly — the regulator. Several forces have pushed ransomware up the governance agenda:

  • Regulatory exposure. The ICO has been consistently clear that a ransomware incident affecting personal data is a personal data breach under the UK GDPR whether or not a ransom is paid, because loss of availability counts as a breach. It must be reported to the ICO within 72 hours of the organisation becoming aware of it unless it is unlikely to result in a risk to individuals, and that clock starts at awareness, not at the conclusion of the incident.
  • Sanctions risk. Paying a designated person, or a group controlled by one, breaches UK financial sanctions: it is a criminal offence where the payer knew or had reasonable cause to suspect the counterparty was designated, and since 2022 OFSI can impose civil monetary penalties on a strict-liability basis. Ransomware groups linked to designated persons or jurisdictions trigger this directly, so “we didn’t know who they were” does not protect the organisation.
  • Insurance reality. Cyber insurers now scrutinise control posture before paying out. Cover for ransom payments specifically is being narrowed or excluded in many policies, and reinsurers are pushing the same direction.
  • Operational severity. Recent high-profile incidents at UK retailers, NHS suppliers and local authorities have demonstrated that ransomware can suspend operations for weeks. Boards have noticed.
  • Public scrutiny. Customers, suppliers and the press expect transparency. Incidents handled quietly tend to surface anyway, and the reputational cost of being seen to pay is rising.

The practical consequence is that ransomware preparation is now a board-level responsibility. The questions a board should be able to answer — without referring to the CISO in the room — are: do we know what would be encrypted? do we know what we would do? do we know what we cannot legally do? and have we tested the answer?

What is changing in the UK

The UK Government’s three-part proposal, published in January 2025 and confirmed in the September 2025 response, represents the clearest policy direction the UK has issued on ransomware to date. The three elements are intended to work together.

1. Targeted ban on ransomware payments. A prohibition on ransomware payments by all UK public sector bodies — including local government, the NHS and arms-length bodies — and by owners and operators of regulated Critical National Infrastructure (CNI). This extends the existing convention (central government does not pay) into a hard prohibition with statutory weight. Consultation responses showed roughly three-quarters of respondents in support.

2. Ransomware payment prevention regime. For organisations not within the scope of the ban, a mandatory notification regime. A victim intending to make a ransomware payment must notify the authorities — expected to be the National Crime Agency — before paying. A short-form notification within 72 hours of the ransom demand, and a full report within 28 days. The authorities review the proposed payment for sanctions, terrorism finance and known-criminal links, and have powers to block payment where any of those concerns apply.

3. Mandatory incident reporting. A broader requirement to report ransomware incidents, intended to provide law enforcement with the intelligence needed to disrupt ransomware operations. The scope (economy-wide versus above a threshold) is still being finalised, with alignment to the Cyber Security and Resilience Bill to avoid duplicate reporting.

The Government has committed to developing the detail of these proposals in collaboration with industry, with guidance and clarifying documents to follow. Organisations should expect legislation rather than voluntary measures, and should not wait for final wording before preparing.

For boards, the strategic implication is that the historic “negotiate quietly, pay if necessary, recover” playbook is no longer available to public sector and CNI organisations, and is becoming increasingly constrained for everyone else. Recovery capability — not payment capability — has to be the assumption.

Controls that materially reduce impact

The controls that determine the severity of a ransomware incident are well-established. They overlap heavily with the controls in the NCSC Cyber Assessment Framework and Cyber Essentials Plus, and with the proposed scope of the Cyber Security and Resilience Bill. The differentiator is operational maturity, not control selection. The controls that consistently move the needle:

  • Tested, offline-capable backups. Backups isolated from the production identity boundary, immutable where possible, and tested by full restore rather than by integrity check. The most common cause of failed recovery is finding out, mid-incident, that backups were encrypted along with everything else.
  • Identity hardening. Phishing-resistant MFA, privileged account tiering, unique local administrator passwords (Windows LAPS) so one compromised host cannot unlock the rest, and detection of Active Directory reconnaissance and credential dumping. Ransomware almost always traverses AD; making that traversal slower and noisier buys recovery time.
  • Rapid patching of edge devices. Among the most common entry vectors for ransomware in 2024 and 2025 have been unpatched edge appliances: VPN concentrators, file transfer appliances and firewalls. Vulnerabilities on the CISA Known Exploited Vulnerabilities (KEV) catalogue that affect internet-facing assets should be treated as emergencies, with a fix-or-isolate deadline measured in days rather than the normal patch cycle.
  • Network segmentation. Flat networks accelerate ransomware impact. Even basic segmentation between user, server and operational technology environments significantly slows lateral movement.
  • Incident response retainer with tested playbooks. A signed retainer that has never been exercised provides false comfort. Annual tabletop exercises that include legal, communications and the board are the minimum.
  • Documented decision-making. Pre-agreed decision authority during an incident, pre-drafted regulatory and customer communications, and a clear position on payment that the board has signed off in advance. The worst time to make a payment decision is at 02:00 with the production environment encrypted.
  • Logging and detection that supports investigation. Without forensic-quality logs (Windows advanced audit policy that captures process creation with command lines and logon events, EDR telemetry, network flow data, and firewall and VPN authentication logs), forwarded off-host so the attacker cannot delete them and retained for long enough to cover the typical weeks of dwell time, incidents are recovered without ever understanding what happened. That guarantees the same incident, twice.
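The edge-device point above (treat KEV-listed vulnerabilities on internet-facing assets as emergencies) is a procedure that can be automated: match an asset inventory against the catalogue and produce a prioritised work queue. The script below is an added illustration for this article, not Pentiq's own tooling. The inventory, the hostnames and the catalogue entries are constructed samples (the CVE IDs are placeholders, not real KEV entries, though the JSON field names are those of the real catalogue), and the three-day emergency deadline for internet-facing matches is an assumed internal policy.

```python
"""Triage an asset inventory against CISA KEV-style entries.

Added illustration for the article, not Pentiq's tooling. The inventory
and the catalogue entries are constructed samples; the 3-day emergency
SLA for internet-facing assets is an assumed internal policy.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed internal SLA: a KEV match on an internet-facing asset is an
# emergency and is owed within this many days of the KEV listing date,
# even when CISA's own dueDate is later.
EMERGENCY_DAYS = 3
PRIORITY_ORDER = {"EMERGENCY": 0, "HIGH": 1, "STANDARD": 2}


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    cve_id: str
    priority: str
    due: str        # ISO date the fix (or isolation) is owed by
    overdue: bool


# Constructed sample inventory (hypothetical hosts and vendor names).
INVENTORY = [
    Asset("vpn-edge-01", "ExampleVendor", "Edge VPN Gateway", True),
    Asset("mft-01", "ExampleVendor", "File Transfer Appliance", True),
    Asset("intranet-wiki", "ExampleVendor", "Wiki Server", False),
    Asset("fw-core-01", "ExampleVendor", "Core Firewall", True),
]

# Constructed entries in the shape of the real catalogue JSON (top-level
# "vulnerabilities" array, real field names). The CVE IDs and products
# are placeholders, not real KEV entries.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor",
   "product": "Edge VPN Gateway", "dateAdded": "2025-03-01",
   "dueDate": "2025-03-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-1002", "vendorProject": "examplevendor",
   "product": "file transfer appliance", "dateAdded": "2025-03-05",
   "dueDate": "2025-03-26", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-1003", "vendorProject": "ExampleVendor",
   "product": "Wiki Server", "dateAdded": "2025-03-05",
   "dueDate": "2025-03-26", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-1004", "vendorProject": "OtherVendor",
   "product": "Mail Relay", "dateAdded": "2025-03-07",
   "dueDate": "2025-03-28", "knownRansomwareCampaignUse": "Unknown"}
]}""")


def _norm(s: str) -> str:
    # Vendor/product strings in the catalogue are free text, so match
    # case-insensitively with whitespace collapsed.
    return " ".join(s.split()).casefold()


def triage(inventory, kev, today_iso: str):
    """Return findings sorted most urgent first.

    KEV carries no version data, so a vendor/product match is a work item
    ("confirm the running version against the vendor advisory"), not a
    confirmed vulnerability.
    """
    today = date.fromisoformat(today_iso)
    by_key = {}
    for asset in inventory:
        by_key.setdefault((_norm(asset.vendor), _norm(asset.product)), []).append(asset)

    findings = []
    for entry in kev["vulnerabilities"]:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        added = date.fromisoformat(entry["dateAdded"])
        kev_due = date.fromisoformat(entry["dueDate"])
        for asset in by_key.get(key, []):
            if asset.internet_facing:
                # Internet-facing match: emergency regardless of whether
                # ransomware use is already recorded against the CVE.
                priority = "EMERGENCY"
                due = min(kev_due, added + timedelta(days=EMERGENCY_DAYS))
            elif entry.get("knownRansomwareCampaignUse") == "Known":
                priority = "HIGH"
                due = kev_due
            else:
                priority = "STANDARD"
                due = kev_due
            findings.append(Finding(asset.hostname, entry["cveID"], priority,
                                    due.isoformat(), due < today))
    # ISO dates sort correctly as strings, so this orders by priority, then deadline.
    findings.sort(key=lambda f: (PRIORITY_ORDER[f.priority], f.due))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_SAMPLE, "2025-03-10"):
        state = "OVERDUE" if f.overdue else "open"
        print(f"{f.priority:9} {f.hostname:14} {f.cve_id}  due {f.due}  {state}")
```

With the constructed data and a run date of 2025-03-10 the two internet-facing matches come out as overdue emergencies and the internal wiki as a high item; the core firewall does not appear because nothing in the sample catalogue names it. In production the catalogue would be loaded from the CISA JSON feed instead of the embedded sample, and the output is only as good as the inventory, which is why an authoritative list of internet-facing assets is the prerequisite for this control.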

A useful exercise for any board: ask the CISO to walk through the first 72 hours of a hypothetical ransomware incident, with reference to the controls above and the regulatory timeline. The gaps surface quickly.

Frequently asked questions

Is paying a ransomware ransom illegal in the UK?

Not in general, but payment to a sanctioned entity is illegal, and the proposed legislation would prohibit payments by public sector bodies and regulated CNI operators. For everyone else, the proposed payment prevention regime would require notification before paying and would give the authorities power to block a payment where sanctions, terrorism-finance or known-criminal concerns apply.

When will the new UK ransomware legislation take effect?

The Government published its response to the consultation in September 2025 and has committed to legislating, with detail to be developed in collaboration with industry. Specific commencement dates have not yet been confirmed.

Does cyber insurance still cover ransom payments?

In some cases, yes — but cover is being narrowed. Insurers increasingly require evidence of control posture, may exclude payment where sanctions risk exists, and reinsurers are pushing the market away from payment cover.

What is the UK Cyber Security and Resilience Bill?

A forthcoming Bill that updates the UK’s cyber security legislation, including reporting obligations and protections for critical services. The ransomware proposals are intended to align with it.
