The UK government is set to introduce new laws designed to strengthen cyber defences for critical infrastructures like the NHS and utility providers, including banning ransom payments to disrupt cybercriminals’ business models and introducing stricter reporting and security standards for IT providers.
The UK government is advancing plans to strengthen cyber defences for public services and critical infrastructure, aiming to safeguard essential systems from the growing threat of cyberattacks. These proposals come in response to a series of high-profile cyber incidents in recent years, including the 2024 breach of the Ministry of Defence’s payroll system and an attack that disrupted over 11,000 NHS medical appointments and procedures. The new regulations target medium and large companies providing IT-related services, such as IT management, help desk support, and cybersecurity, to both public and private sector organisations, including the National Health Service (NHS).
According to the Department for Science, Innovation and Technology (DSIT), these companies hold trusted access to government networks, critical national infrastructure, and business ecosystems, necessitating clear and stringent security duties. New laws would mandate that such companies promptly report significant or potentially severe cyber incidents to both government authorities and customers. Additionally, they would be required to maintain robust contingency plans to mitigate the consequences of attacks. Regulators would receive enhanced powers to designate critical suppliers to vital services, ensuring these organisations meet minimum security standards and help close existing vulnerabilities within supply chains that cybercriminals might exploit.
The government’s Cyber Security and Resilience Bill, expected to be introduced later this year, also envisages more forceful enforcement mechanisms. These include tougher financial penalties for serious breaches, structured on company turnover, designed to make neglecting cybersecurity protocols less financially attractive than compliance. The Technology Secretary will gain authority to instruct regulators and organisations under their purview, such as NHS trusts and utility providers like Thames Water, to adopt proportionate measures aimed at countering acute cyber threats. Such actions may include enhanced system monitoring or isolating particularly vulnerable or high-risk elements of the digital infrastructure.
Complementing these requirements, the government plans to outlaw ransom payments by public sector bodies and operators of critical national infrastructure, including the NHS, local councils, and schools. This ban is intended to disrupt the lucrative business model underpinning ransomware attacks, which have inflicted significant operational, financial, and public health risks. Public consultation revealed nearly three-quarters support for the prohibition, reflecting widespread recognition of ransomware as a major threat. Where organisations outside the scope of the ban intend to pay ransoms, mandatory notification will be required, enabling government advice and law enforcement oversight. This move aims to prevent inadvertent funding of sanctioned cybercriminal groups, many of which have links to hostile nations.
The National Cyber Security Centre (NCSC) reported managing 430 cyber incidents between September 2023 and August 2024 alone, 13 of which were significant ransomware attacks impacting essential services and the broader economy. Meanwhile, data from the National Crime Agency indicates an increase in UK victims appearing on ransomware data leak sites. Crime statistics underline the broader scale of the problem, with an estimated 952,000 computer misuse offences recorded in England and Wales in one year, and polling shows that a substantial majority of the UK public remains deeply concerned about ransomware risks to infrastructure and businesses.
These measures form part of the government’s wider Plan for Change, which emphasises boosting cyber resilience, protecting supply chains, and securing long-term economic growth by shielding essential public services and industries from escalating online threats. Through these world-leading legislative proposals, the UK seeks not only to deter cybercriminals but also to foster more robust defences across sectors crucial to public welfare and national security.
📌 Reference Map:
- [1] WMBD Radio – Paragraph 1, Paragraph 2, Paragraph 3
- [2] Reuters – Paragraph 1, Paragraph 2
- [3] UK Government – Paragraph 2, Paragraph 3, Paragraph 4
- [4] UK Government – Paragraph 4, Paragraph 5
- [5] UK Government – Paragraph 5, Paragraph 6
- [6] UK Government – Paragraph 3, Paragraph 6
Source: Noah Wire Services
Noah Fact Check Pro
The draft above was created using the information available at the time the story first
emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed
below. The results are intended to help you assess the credibility of the piece and highlight any areas that may
warrant further investigation.
Freshness check
Score:
8
Notes:
The narrative is current, with the earliest known publication date being 12 November 2025. The UK government announced plans to enhance cybersecurity regulations aimed at protecting public services from increasing cyberattacks. ([reuters.com](https://www.reuters.com/world/uk/uk-plans-tougher-laws-protect-public-services-cyberattacks-2025-11-12/?utm_source=openai)) The proposed legislation would impose strict security obligations on medium and large companies that provide IT-related services, such as cybersecurity, management, and help desk support, to both public and private sector institutions, including the NHS. This move follows a series of significant cyber incidents in 2024 and 2025, including breaches affecting the Ministry of Defence and a cyberattack that disrupted more than 11,000 NHS medical appointments. ([gov.uk](https://www.gov.uk/government/news/tough-new-laws-to-strengthen-the-uks-defences-against-cyber-attacks-on-nhs-transport-and-energy?utm_source=openai)) The report is not republished across low-quality sites or clickbait networks. The narrative is based on a press release from the UK government, which typically warrants a high freshness score. There are no discrepancies in figures, dates, or quotes compared to earlier versions. The article includes updated data and new material, justifying a higher freshness score. No similar content has appeared more than 7 days earlier.
Quotes check
Score:
9
Notes:
The narrative includes direct quotes from the Department for Science, Innovation and Technology (DSIT). The earliest known usage of these quotes is in the UK government’s press release dated 12 November 2025. ([gov.uk](https://www.gov.uk/government/news/tough-new-laws-to-strengthen-the-uks-defences-against-cyber-attacks-on-nhs-transport-and-energy?utm_source=openai)) Identical quotes appear in earlier material, indicating potential reuse. The wording of the quotes is consistent across sources. No online matches are found for these quotes prior to the press release, suggesting they are original or exclusive content.
Source reliability
Score:
10
Notes:
The narrative originates from a reputable organisation—the UK government. The Department for Science, Innovation and Technology (DSIT) is a legitimate government department with a public presence and official website. The report is based on a press release from the UK government, which is a reliable source. There are no unverifiable entities mentioned in the report.
Plausability check
Score:
9
Notes:
The narrative makes plausible claims about the UK government’s plans to enhance cybersecurity regulations. The UK government has previously announced similar initiatives, such as the Cyber Security and Resilience Bill, which aims to strengthen the UK’s cyber defences. ([en.wikipedia.org](https://en.wikipedia.org/wiki/Cyber_Security_and_Resilience_Bill?utm_source=openai)) The report lacks supporting detail from other reputable outlets, which is a concern. The language and tone are consistent with official government communications. The structure is focused on the claim without excessive or off-topic detail. The tone is formal and appropriate for a government announcement.
Overall assessment
Verdict (FAIL, OPEN, PASS): PASS
Confidence (LOW, MEDIUM, HIGH): HIGH
Summary:
The narrative is current, originating from a reputable source—the UK government. The quotes are consistent with the press release dated 12 November 2025, and the claims made are plausible, supported by previous government initiatives. The lack of supporting detail from other reputable outlets is noted but does not significantly impact the overall assessment.
