UK Bans Ransom Payments in Cyberattacks, Enforces Mandatory Reporting to Combat Ransomware

July 22, 2025
  • The UK Government has announced new measures requiring organizations to notify authorities before paying ransoms to cybercriminals, aiming to curb ransomware attacks targeting public sector entities like the NHS, local councils, and schools.

  • This legislation will ban public sector bodies and critical infrastructure operators from paying ransom demands, with the goal of reducing the incentive for cybercriminals.

  • The measures are designed to assist law enforcement in tracking cybercriminal networks through mandatory reporting, and the proposal has received strong public support, with nearly 75% of respondents backing the initiative.

  • The move follows several high-profile ransomware incidents, including the 2017 WannaCry attack on the NHS and a 2023 attack on the British Library, which have underscored the severity of the threat.

  • Security Minister Dan Jarvis emphasized that ransomware poses a serious threat to public safety and the economy, reinforcing the government's commitment to dismantling cybercriminal networks.

  • A recent NHS cyber attack has been linked to a patient's death, highlighting the critical risks and potential life-threatening consequences of such incidents.

  • The cybersecurity industry is responding to these regulatory changes with increased demand for advanced solutions, including AI-driven threat detection and incident response tools.

  • The recent cyber attack on Marks & Spencer earlier in 2025, causing an estimated loss of £300 million, has further fueled the push for stricter regulations.

  • UK cybersecurity firms saw significant growth in 2024, raising over £206 million and reaching a total revenue of £13.2 billion, with employment in the sector also increasing.

  • Recent high-profile ransomware attacks, such as those on M&S and the NHS, demonstrate the urgent need for government action to protect critical services and infrastructure.

  • Public support for the legislation is strong, with nearly three-quarters of surveyed individuals favoring the measures, which aim to deter cybercriminals and improve national cybersecurity.

  • Under the new law, organizations may face hefty fines—up to £100,000 daily or 10% of turnover—for failing to address security vulnerabilities after a breach.

  • The UK’s strategy, announced on July 22, 2025, by Home Office security minister Dan Jarvis, signals a significant shift in how the country approaches ransomware, potentially setting a precedent for other nations.

Summary based on 15 sources

