There will be “national security exemptions” to the ransomware payment ban proposed by the UK government, according to British Security Minister Dan Jarvis.
The ban, which was subject to public consultation from January to April 2025 and received support from three-quarters of respondents, was confirmed in July and described in more details by the UK government in a policy paper published on September 2.
If adopted, the new legislative proposal would ban ransomware payments for public sector and critical national infrastructure (CNI) organizations as well as require other businesses to notify the government of any intent to pay a ransom to attackers.
Speaking at the Financial Times’ Cyber Resilience Summit: Europe, held in London on December 3, the minister said the proposition was his “personal priority.”
He also said that the current arrangements for each organization to choose whether to pay cybercriminals a ransom is “not sustainable” as it doesn’t offer organizations any meaningful guarantee they will get their data back.
Security Minister Pushes Ban Across Government and CNI Organizations
Asked about the next steps for the proposal, Jarvis said it will be adopted “when parliamentary time allows.”
He continued by explaining he is currently “seeking agreement across government” and consulting with CNI organizations and the private sector to “ensure that our proposals are going to work in the most effective way.”
Jarvis said that the government has acknowledged warnings that the ban may have nefarious consequences for UK businesses.
“That’s why we’re looking very carefully at national security exemptions, because we don’t want people to be facing an invidious choice between a hospital shutting down or going to jail,” he said.
Jarvis also said that the UK government was discussing with allies among the Five Eyes and G7 member states that were also interested to implement a similar ban.
