The Dutch government has stated that it does not support introducing a legal ban on paying ransoms to cybercriminals following ransomware attacks, according to a letter from the Ministry of Justice and Security.

Justice and Security Minister David van Weel said the government does not want to criminalize organizations that become victims of ransomware incidents. He stated that while ransomware attacks can cause significant disruption and financial damage, the decision on whether to pay a ransom should remain with the affected organization.

The minister noted that the government continues to advise against paying ransoms. According to the statement, paying attackers does not guarantee that systems will be restored, that stolen data will be deleted, or that it will not be shared or sold. The guidance also states that ransom payments contribute to the continuation of cybercriminal activity.

The position was outlined in response to parliamentary questions linked to a recent cyberattack involving Dutch telecommunications provider Odido. In that incident, attackers associated with the ShinyHunters group claimed to have stolen personal data from more than six million individuals and threatened to release the information online.

Despite concerns about the broader impact of ransomware, the government said there is an ongoing tension between the interests of individual victims and wider efforts to reduce cybercrime. Officials indicated that organizations may face immediate operational and financial pressures that influence their decision-making during an attack.

The minister stated that, as long as these competing considerations cannot be resolved clearly, the government will maintain its current approach. This approach aligns with policies in several other European Union countries, where paying a ransom is discouraged but not prohibited by law.

The statement reflects an ongoing policy discussion about how governments should respond to ransomware incidents and whether legal restrictions on payments would reduce or shift cybercriminal activity. No timeline has been provided for any changes to the current framework, and the existing guidance remains in place.
