Alert
February 12, 2026

The UK’s Ransomware Strategy: What the UK Government’s Response Signals

Following the launch of its public consultation on proposed legislative measures to combat the threat of ransomware (see Goodwin’s January 2025 analysis), the UK Government has published its response to the consultation, setting out proposals to reduce payments to cyber criminals and enhance incident reporting.

Why are these proposed measures so significant? Ransomware is expected to remain one of the most significant cyber threats to the UK through 2026. As organisations continue to digitise their operations and rely on increasingly complex technology ecosystems, the ransomware landscape is evolving in ways that make attacks more frequent and more sophisticated.

Ransomware remains one of the most impactful cyber threats identified by CISOs, according to the World Economic Forum’s Global Cybersecurity Outlook 2026. We anticipate the emergence of AI-enabled ransomware, alongside greater reliance on large language models and generative AI to support more targeted and effective attacks.

The continued growth of ransomware-as-a-service is further reshaping the threat environment. By leasing tools and infrastructure from multiple ransomware operators, attackers are less dependent on any single group and more resilient to law-enforcement disruption. This competitive, service-based model lowers barriers to entry, increases the volume of attacks, and accelerates innovation across the ransomware ecosystem.

Finally, supply chain vulnerabilities are becoming an increasingly attractive target. As organisations adopt more cloud services and rely on a wider network of suppliers, smaller vendors are often exploited as entry points.

The Proposals

The consultation considered three proposed legislative measures: (1) a targeted ban on ransomware payments for certain sectors, (2) a ransomware payment prevention regime, and (3) a mandatory incident reporting regime:

1) Proposal 1: Targeted Payment Ban

Proposal 1 would impose a targeted prohibition on ransomware payments by all public sector bodies (including local government) and by owners and operators of regulated critical national infrastructure (CNI), or those subject to oversight by competent authorities. Under this proposal, in-scope organisations would be prohibited from making payments to threat actors following a ransomware incident.

The targeted ban received strong support from respondents, with 72% backing its introduction for public sector bodies and CNI operators. Most respondents also considered it effective, with 68% expecting it to reduce funds flowing to ransomware criminals and 60% believing it would deter attacks on these organisations. However, views were more divided on potential exemptions and on extending the ban to supply chains.

In its policy response, the UK Government indicated that it will continue to develop Proposal 1 in collaboration with industry, including by refining its scope and considering whether the measures should have extraterritorial effect. It also confirmed that supply chain risks remain under consideration, including through proposals set out in the forthcoming Cyber Security and Resilience (Network and Information Systems) Bill (CSR Bill). While views on penalties were mixed (particularly in relation to concerns about revictimising ransomware victims), the UK Government stated that it will continue to explore proportionate enforcement mechanisms alongside appropriate support measures.

While the UK Government’s response does not resolve the question of extraterritorial application, the consultation responses pointed to a need for further clarity on the scope and definition of who would be included in the ban, including whether the proposal would have extraterritorial effect. It remains to be seen whether the UK Government will follow through on its stated intention “for any potential measures and associated guidance to clearly explain the scope of the ban.”

2) Proposal 2: Payment Prevention Regime

Proposal 2 introduces a “payment prevention regime” under which ransomware victims falling outside the scope of Proposal 1 would be required to engage with authorities via a central reporting mechanism before making any ransomware payment. Following notification, the UK Government would assess the proposed payment and engage with the reporting organisation to discuss next steps, including whether alternative courses of action should be pursued.

This proposal attracted mixed views, with 47% of respondents supporting the introduction of an economy-wide mandatory reporting regime for all organisations and individuals.

Despite the mixed reaction, the UK Government has confirmed it will continue to develop Proposal 2. This includes clarifying whether reporting obligations will apply solely to ransomware incidents or extend to other types of cyber incidents (such as phishing), aligning the regime with the CSR Bill, and considering appropriate and proportionate penalties.

3) Proposal 3: Mandatory Incident Reporting

Proposal 3 would introduce a mandatory ransomware incident reporting obligation, requiring organisations and individuals to notify the UK Government of ransomware incidents irrespective of whether a ransom payment is contemplated.

The consultation responses indicated broad support for the introduction of a new mandatory reporting regime. ‘Measure 2: an economy-wide mandatory reporting regime for all organisations and individuals’ received the highest backing, with 63% of respondents in favour. Around three-quarters of respondents also thought that Measure 2 would be effective in improving the UK Government’s understanding of ransomware threats (79%) and its ability to respond to them (74%).

In its policy response, the UK Government confirmed that it will continue to develop Proposal 3, with further work to be undertaken on scope, reporting thresholds and penalties ahead of implementation. It also indicated that a 72-hour timeframe for initial reporting remains under consideration.

Conclusion

2026 is shaping up to be a watershed year for cyber regulation in the UK. The introduction of the CSR Bill, alongside the UK Government’s Cyber Action Plan, reflects a decisive move towards a more robust and coordinated regulatory framework for managing cyber risk. Together, these initiatives signal higher expectations around governance, incident preparedness and supply-chain resilience across both the public and private sectors.

While the final form of the ransomware regime is still taking shape, the UK Government’s consultation response leaves little doubt about its direction of travel. Ransomware payments are now a clear regulatory priority, with a targeted payment ban the most likely measure to proceed, and broader prevention and reporting measures under active consideration. For organisations operating in the UK, the message is clear: cyber incident response can no longer be treated as a purely technical or operational issue. It is fast becoming a core governance and compliance concern, requiring earlier engagement, clearer accountability and more disciplined reporting frameworks.

We would like to thank Geng To Law for their assistance with this alert.

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.