New Ransomware Legislation on the Horizon

Briefing
13 October 2025
8 MIN READ
7 AUTHORS

This article delivers a practical overview of the UK’s proposed ransomware legislation, highlighting the most significant legal changes, compliance requirements, and sector-wide implications.

Introduction

The UK Government is proposing to advance landmark ransomware legislation designed to curb payments to cyber criminals and strengthen incident reporting requirements. This initiative follows a marked increase in ransomware attacks across both public and private sectors, with the National Cyber Security Centre and National Crime Agency (NCA) identifying ransomware as the most significant cyber threat to UK national security. Private sector reporting to the NCA indicates the number of UK victims appearing on ransomware data leak sites has doubled since 2022. This is reflected globally, with industry estimates suggesting that in 2024 ransomware criminals received at least US$813m in ransom payments. These attacks are increasingly sophisticated and affect organisations across all sectors of the economy. Sectors such as shipping, aviation, and finance are particularly vulnerable, with the average cost of a cyber-attack in shipping now exceeding US$3 million.

Key Proposals and Consultation Outcomes

The UK Government launched a 12-week consultation from January to April 2025. The response, published in September 2025, outlines a proposed three-pronged legislative strategy aimed at curbing ransomware payments and enhancing incident reporting. If this package of proposals becomes a reality, the UK Government says that these “would be the first specific measures in UK law to counter ransomware.”

1. Targeted ban on ransomware payments for public sector and Critical National Infrastructure (CNI):

A full prohibition on ransomware payments will apply to:

  • All public sector organisations (extending the existing ban on central government bodies).
  • Operators of CNI, including those in energy, water, healthcare, transport, and telecommunications.

This targeted ban seeks to reduce the perceived profitability of attacking these vital systems and align public organisations with best practices in cybersecurity resilience.

2. Economy-wide payment prevention regime:

For organisations and individuals not covered by the targeted ban, a new pre-payment notification requirement will apply:

  • Before making any ransomware payment, entities must notify relevant UK authorities.
  • Authorities will assess whether the payment risks breaching sanctions or terrorism financing rules and may intervene accordingly.

This approach aims to improve intelligence sharing, disrupt criminal funding streams, and prevent inadvertent sanctions breaches. However, consultation feedback revealed mixed views, with many expressing concerns over operational feasibility and delays during critical incidents.

3. Mandatory incident reporting:

A new statutory reporting obligation will apply to all UK organisations, requiring them to report ransomware incidents regardless of whether a payment is made:

  • Initial report: within 72 hours of becoming aware of the incident.
  • Full report: within 28 days.

This measure is intended to improve national situational awareness, enhance law enforcement response capabilities, and bring greater transparency to the ransomware threat landscape.

Recent Developments and Industry Commentary

The targeted ban for public sector and CNI received strong support (72% of respondents), while the payment prevention regime saw split views (47% support). Mandatory incident reporting was supported by 63% of respondents, with calls for clear guidance and alignment with UK GDPR.

Industry experts highlight concerns about administrative burdens, the need for exemptions in life-threatening scenarios, and the complexity of integrating new reporting requirements with existing data breach obligations.

The UK’s proposals follow similar moves in Australia and the US, where governments are tightening rules on ransomware payments and reporting. Recent high-profile attacks, including those on NHS suppliers and law firms, have underscored the urgency for robust legal frameworks.

What Happens Next?

The government is actively considering feedback and is expected to progress to legislative reform in the coming months. While the exact timing for the tabling of the new legislation has not yet been confirmed, draft legislation and further details are hotly anticipated.

Although the payment of ransoms is not, in itself, currently generally prohibited under English law, such payments are subject to a myriad of laws relating to sanctions, anti-money laundering, terrorism, and bribery.

It is important to note that the payment of ransoms to terrorists or sanctioned individuals is illegal. This is particularly problematic given that several ransomware groups have appeared on US sanctions lists, and HFW regularly advises on the legality of paying ransoms to potential threat actors.

HFW’s involvement not only helps clients navigate these evolving risks but also ensures that legal advice and incident response are protected by privilege wherever possible – safeguarding sensitive communications and strategic decisions in a heavily regulated space.

How HFW Can Assist

HFW’s cyber and regulatory specialists are closely tracking the development of this new legislative regime. We are advising clients across key sectors on how to proactively prepare for the expected changes, including:

Regulatory and Legal Compliance

Guidance on upcoming ransomware reporting obligations, payment restrictions, and alignment with existing UK and international laws, and responding to regulatory enquiries and investigations.

Incident Response Planning

Support in developing or refining response strategies to ensure operational readiness and legal compliance under the proposed regime.

Cyber Risk Management

Legal risk assessments and strategic advice on contractual protections and insurance coverage.

Training and Awareness

Tailored training for legal, compliance, IT, and crisis management teams, adapted to the evolving legal and regulatory environment.

Why HFW?

Legal Privilege Protection

Wherever legally possible, we ensure that advice and investigations into cyber incidents are protected by legal privilege – keeping sensitive communications and forensic work confidential to help mitigate regulatory and litigation risks.

End-to-End Incident Response

We manage all aspects of cyber incident response, from forensic investigations and system recovery to crisis communications and coordination with local legal and regulatory experts worldwide.

Ransomware and Regulatory Guidance

We advise on the legal implications of ransomware payments to ensure compliance and establish clear audit trails for potential insurance reimbursement.

Tracing and Recovery of Funds

With a proven track record, we assist in the recovery of diverted funds through local enforcement and civil remedies such as freezing injunctions across multiple jurisdictions.

Data Protection and Notification

Comprehensive advice on statutory notification obligations globally, engagement with regulators, and support in streamlining insurance claims.

Contractual and Insurance Expertise

Review, drafting, and negotiation of cyber insurance policies and contractual terms to align with your risk appetite and protect your interests.

Liability Management

Identification and mitigation of liabilities arising from cyber incidents, including data breaches, business interruption, and third-party claims—emphasising audit trail creation and evidence preservation.

Global Reach

HFW’s international network ensures access to local expertise and a rapid response wherever and whenever an incident occurs.

We will provide further updates as soon as the government publishes more details or confirms the legislative timetable.

Emma Triccó, Paralegal, assisted with the production and drafting of this briefing.