UK announces ban on all ransomware payments by public sector organizations.

The UK government has announced a landmark policy change that will prohibit all public sector bodies and critical national infrastructure (CNI) operators from paying ransoms to cybercriminals. This move is a key component of the country’s evolving cybersecurity strategy, aimed at disrupting the ransomware business model and protecting vital public services from escalating digital threats.

A Targeted Ban on Payments

Under the new rules, it will become illegal for publicly funded organizations—including the NHS, schools, local authorities, and utility providers—to pay ransom demands in the event of a cyberattack. The policy also applies to private operators that provide essential services defined as part of the UK’s CNI.

The government argues that paying ransoms incentivizes further attacks and directly funds criminal networks, including those with possible links to hostile states. By removing the possibility of ransom payments, officials believe public sector entities will present a less attractive target for cyber extortion efforts.

Legislative and Regulatory Measures

The ban, expected to be implemented through legislation later this year, follows a public consultation launched in January 2025. It received broad support from security experts, industry stakeholders, and the general public. As part of the forthcoming legal framework, the government is also considering a range of enforcement mechanisms, including civil or criminal penalties for non-compliance. These could involve financial sanctions and restrictions on executive positions for those who authorize illegal payments.

Private businesses, while not subject to the outright ban, will face new reporting requirements. Companies planning to pay a ransom must notify the government in advance and will receive official guidance on risk, legal obligations, and potential sanctions ramifications.

Strengthening the UK’s Cyber Resilience

The move comes amid a wave of high-profile ransomware attacks affecting public services. Notable incidents have included the 2017 WannaCry attack on the NHS, the 2023 ransomware breach at The British Library, and ongoing threats to local governments and education institutions.

By reducing the profitability of attacks against the state, the government hopes to shift the economics of ransomware in the UK’s favor.

Additionally, the policy forms part of a broader effort to improve cyber resilience across all sectors. This includes the introduction of mandatory ransomware incident reporting, helping law enforcement and security agencies coordinate responses and track trends in cybercriminal behavior.

All UK organizations, regardless of sector, are expected to benefit from increased government support and intelligence sharing in the event of a ransomware incident.

Reactions and Industry Concerns

While the move has received strong support from cybersecurity professionals and public advocacy groups, some experts caution that a targeted ban may have unintended consequences. A key concern is that cybercriminals may not distinguish between public and private sector targets, nor always recognize when their victim falls under the ban.

Critics also warn that in severe cases—such as ransomware disabling life-saving systems in hospitals or disrupting critical public utilities—the inability to pay could hinder timely recovery, leading to catastrophic real-world consequences.

The government acknowledges these concerns and has indicated that further consultation will explore the potential for narrowly defined exceptions, emergency response protocols, and additional investments in cyber defense capabilities for essential service providers.

A Global Signal

The UK’s decision reflects a growing international debate over the ethics and efficacy of paying ransoms. In taking this step, the UK joins a small but growing number of countries seeking to shift the international response away from reactive payments toward proactive defense and coordinated disruption of criminal networks.

By drawing a firm line against ransomware payments in the public sector, the UK aims to lead by example—dissuading attackers from targeting its institutions and contributing to the broader effort to weaken the global ransomware economy.
