U.K. to introduce mandatory ransomware reporting, raising risk of ‘box-ticking’ compliance
By 
Neil Hodge2025-09-22T20:25:00
The U.K. plans to force companies to notify the government of ransomware payments, and while its demands have been largely welcomed, experts warn there is a risk that corporations may focus on “box-tick” compliance instead of planning for effective cyber-resiliency because it is the more affordable option.
Critics add that mandatory reporting could also open companies up to potential sanctions from data protection authorities, as well as legal action from customers, consumers, and investors due to personal information being hacked. According to tech security firm Sophos’ most recent State of Ransomware report released in June, the average total cost of recovery for U.K. organizations rose to USD $2.58 million, compared to USD$2.07 million the previous year (though recovery times have improved). The U.K. government’s own figures suggest that ransomware attacks on U.K. businesses have doubled in the past year, affecting some 19,000 businesses.
The U.K. proposals are part of a wider scheme called “Plan for Change,” which aims to bolster national security, provide crime agencies with better intelligence, and push companies to improve their cybersecurity and operational resilience.
Related articles
-
ArticleEU targets crypto, fintech firms in push to tackle money laundering
Europe’s banking regulator warns that weak compliance at fintech, regtech, and crypto firms may let money laundering and terrorist financing risks slip through. The EBA also found EU regulators’ approaches are often inconsistent and unclear.
-
PremiumEmployees may fail to report fraud unless U.K. whistleblower protection is beefed up
In September, the U.K. will enforce its third “failure to prevent” offense under sweeping anti-corporate crime laws, but experts question whether it will actually change corporate behavior or embolden whistleblowers.
-
ArticleU.K. proposes streamlining regime meant to hold fin serve executives to account
When growth slows, governments often cut rules to attract investment, as the U.K. has in its financial services sector, which contributes 8.8% of GDP, but easing the “compliance burden” raises concerns about oversight, governance, and prioritizing profits over safety.
More from Regulatory Policy
-
ArticleProsecutions of bribery, health fraud and market tampering are DOJ top priorities
Serious bribery, health care fraud and crimes that threaten U.S. investors are top enforcement priorities of the Trump Department of Justice, (DOJ), according to the acting head of the Department of Justice’s Criminal Division.
-
ArticleMore than 100 ‘anticompetitive’ federal regulations poised for the chopping block
About 125 federal regulations deemed anticompetitive by President Trump are poised for possible elimination, following recommendations delivered Wednesday to the Office of Management and Budget (OMB).
-
ArticleDigital wallets to speed up regulatory checks for recruitment, property transactions
You can already buy a coffee with your phone, but soon you could start a job or buy a house with it. Digital compliance wallets holding certificates and documents on smartphones are gaining traction worldwide.