Tuesday, June 23, 2026

Ransomware bans won’t stop ransomware. Resilience might

The omission of a ransomware payments ban from this year’s King’s Speech was striking. Not because the proposal had been formally abandoned, but because only months earlier it appeared to be one of the government’s headline cyber policy ambitions. It featured prominently in consultations, was discussed as part of a broader effort to strengthen national resilience, and was framed as a tougher stance against cybercriminal extortion. Yet in both the Cyber Action Plan earlier this year and in the King’s Speech, the proposal has been notably absent.

The government’s original proposal sought to prohibit ransomware payments across the public sector and critical national infrastructure (CNI), while introducing mandatory incident reporting requirements. On paper, the logic is understandable. Ransomware groups are financially motivated. Remove the ability to profit and, in theory, you reduce the incentive to attack.

The reality is far more complicated. Ransomware operators are opportunistic, adaptive and commercially minded. They do not operate according to government policy objectives, and they are unlikely to simply stop because a subset of organisations becomes legally restricted from paying. If anything, a ban limited to public sector bodies and CNI risks shifting the problem elsewhere. Threat actors will simply redirect their attention towards private sector organisations, supply chain providers, and smaller firms with fewer resources and weaker defences.

Ransomware does not match neat policy scenarios

That is one of the core weaknesses in the proposal. Unless payment bans become globally coordinated and universally enforced, ransomware remains financially viable. The criminal ecosystem adapts quickly. It always has.

There is also the uncomfortable reality that ransomware incidents rarely unfold in neat policy scenarios. In practice, organisations facing catastrophic operational disruption may find themselves balancing legal compliance against real-world harm. When hospitals cannot access patient records, or critical services grind to a halt, the debate becomes far less theoretical. Criminalising payments in these circumstances risks placing victims in an impossible position while doing little to deter the attackers themselves.

The bigger concern is that too much focus on banning payments risks distracting from the issue that matters most: why organisations remain so vulnerable in the first place.

Ransomware is typically the final stage of a compromise, not the starting point. Threat actors succeed because environments remain exposed through unpatched systems, weak identity controls, technical debt and insufficient visibility across increasingly complex digital infrastructure. A payment ban addresses the outcome of a breach, not the conditions that allowed it to happen.

If the government ultimately decides not to proceed with the ban, that should not be interpreted as inaction. In many ways, it presents an opportunity to focus on measures that could have a more meaningful impact on long-term cyber resilience.

That starts with investment.

For years, public sector organisations and parts of the UK’s critical infrastructure have struggled with chronic underinvestment in cybersecurity. At the same time, rapid digital transformation and aggressive AI adoption are expanding attack surfaces faster than many organisations can secure them. The gap between operational dependency on technology and the maturity of cyber resilience continues to widen.

Closing the resilience gap

Closing that gap requires more than policy announcements. It means sustained investment in reducing technical debt, modernising legacy systems, improving incident response capability, and helping organisations proactively identify and mitigate risk before attackers gain access.

The UK should also consider whether cyber resilience needs to be treated more like national resilience. Just as governments maintain emergency response capabilities for natural disasters or major incidents, there is a growing argument for dedicated national cyber response support for critical services during severe attacks. Faster coordination, operational assistance, intelligence sharing and recovery support could significantly reduce the pressure organisations face during ransomware incidents.

None of this removes the need to pursue the criminals themselves. Law enforcement collaboration, sanctions enforcement and disruption operations remain essential. But ransomware is not purely a law enforcement issue. It is an economic, operational and national resilience challenge.

The absence of the payments ban from the King’s Speech may ultimately signal a recognition of that complexity. If so, the conversation now needs to move beyond whether organisations should pay ransoms, and towards building an environment where they are far less likely to face that decision at all.
