Hardly a week passes without another cyberattack hitting the headlines, affecting both public and private sectors alike. Yet the nature of the threat - and the options for response - differ sharply for each sector. For private companies, attacks are often financially motivated, with scope to take commercial decisions about how to respond. For public bodies, services that citizens rely on daily can be paralysed, and strict legal and budgetary limits leave far less room to manoeuvre. That is why the public sector needs a more tailored legal framework - one that reflects its unique risks, provides clarity around obligations, and supports effective responses when attacks happen.
The UK Government has now begun to take stronger action, recognising this need. Following its ransomware consultation, ministers have confirmed proposals that would ban all public bodies and operators of critical national infrastructure from paying ransoms, while requiring other non-public organisations to notify government before making any payment. Mandatory ransomware reporting requirements are also being developed to equip law enforcement with the intelligence needed to pursue perpetrators and disrupt their activities. For local authorities, these measures will be critical - not only in shaping how they are legally permitted to respond in a crisis, but also in determining how they manage the regulatory and data protection exposure that can follow, from scrutiny by the Information Commissioner’s Office (ICO) to statutory obligations under UK GDPR.
The ICO illustrates the dilemma at the heart of public sector cybersecurity. Although it has the power to impose fines, undertake audits and issue reprimands, it rarely issues financial penalties to public bodies for fear of worsening already stretched budgets. This cautious approach may be understandable, but it weakens the deterrent effect of regulation. Councils are left in an awkward position: held to the same obligations as private companies, but often without the resources to comply, or the sanctions that might otherwise drive improvement.
What the public sector needs is not more punitive regulation, but clearer and more practical rules. Financial penalties alone are a blunt tool; a tailored legal framework could instead provide enforceable standards, require realistic investment in resilience and set out accountability mechanisms that reflect the realities of public funding.
The government’s ransomware package is a step in the right direction. The ban on ransom payments is designed to undermine the business model of cybercriminals, while the notify-before-you-pay regime and mandatory reporting requirements aim to improve oversight and transparency. These measures show that sector-specific approaches are possible, but they do not resolve the wider legal uncertainties councils face when an incident occurs. Compliance alone is not enough; what matters is clarity. For public bodies, the most pressing challenges arise in three areas: data protection, procurement and governance.
Even where fines are rare, councils remain legally bound by UK GDPR obligations to conduct Data Protection Impact Assessments, maintain appropriate technical and organisational measures and report breaches to the ICO within 72 hours. The difficulty lies in what “appropriate” means in practice. For a local authority with limited resources, the benchmark cannot simply be drawn from the private sector. Clearer guidance from regulators is needed to set out what proportionate compliance looks like for public bodies. In the meantime, councils can strengthen their position by preparing incident and breach response plans, rehearsing reporting processes and recording why particular security measures have been judged appropriate. Having documented evidence of considered decision-making is not only good governance; it provides a vital basis for defence if those decisions are later challenged.
Procurement presents a further area of legal vulnerability. Councils depend heavily on third-party IT suppliers, and many of the most damaging incidents in recent years have stemmed from weaknesses in outsourced systems. While procurement law rightly prioritises transparency and competition, it can also restrict flexibility, with price often outweighing resilience. Councils must embed cybersecurity obligations into supplier contracts, covering notification duties and liability for breaches. Authorities should make more use of existing levers: giving weight to resilience in tender evaluations, monitoring supplier compliance and negotiating more robust contractual protections.
When a cyberattack hits, decisions must be taken quickly and often in the glare of public attention. Yet many councils lack clarity about who is empowered to act. Is it the Chief Executive, a committee of councillors or a delegated director? This uncertainty is dangerous. Councils should ensure that governance structures are explicit, formally recorded and rehearsed through crisis simulations. Delegated authority to notify regulators, manage communications and approve recovery measures should be settled long before a crisis occurs. A tailored legal framework could reinforce this by requiring public bodies to define and test their incident response governance - but there is nothing to stop councils taking these steps now.
The government’s ransomware package is a welcome start, but it must lead to a broader legal regime: one that sets realistic data protection standards, allows procurement to favour resilience and compels clarity in governance and accountability. In the meantime, councils should not wait for legislation. By strengthening incident and breach response planning, tightening supplier contracts and clarifying decision-making authority, they can take significant steps now to protect themselves. These measures are as much legal safeguards as operational ones, and will determine how effectively the public sector withstands the next major cyber incident.
David Gourlay, Partner, Public Sector Team, Morton Fraser MacRoberts.
This article was also published in Local Government Lawyer.