Introduction
Cyber threats are existential risks. With the UK increasingly targeted by sophisticated state actors and organised crime groups, and vulnerable to non-malicious outages, the pressure on government and industry to strengthen cyber resilience has never been greater. The risk to public services, classified as “critically high”, is exacerbated by the fact that legacy systems are increasingly difficult to defend. What’s more, the target set out in the 2022 Government Cyber Security Strategy for all government organisations to be resilient by 2030 is now recognised as not achievable without a “radical shift in approach”.
Cyber security features prominently in the various defence and security strategies published in summer 2025, and is now explored in detail in the government’s long-awaited Government Cyber Action Plan, backed by over £210 million in central investment. This is a government cyber action plan, distinct from the forthcoming National Cyber Strategy, expected later this spring, that affects the private sector as suppliers to government and arm’s-length bodies. ADS welcomes this as a pivotal step in strengthening our national cyber resilience, starting with the centre. The plan represents a move away from departmental responses toward a strong centre led by the newly formed Government Cyber Unit within DSIT. Crucially, the Government Cyber Unit will now establish formal partnerships with strategic suppliers, building cyber requirements directly into contracts to hold them accountable for the government-wide risk they manage.
Demonstrating a sense of momentum, the publication of the plan coincides with the second reading of the Cyber Security and Resilience Bill in Parliament (read our impressions here). In parallel, cyber resilience is being increasingly embedded in board governance (find our Deputy Director for Cyber & Digital’s response to the ministerial letter on cyber security here). Increased subscription to the NCSC’s Early Warning service and wider adoption of Cyber Essentials will be key to building resilience into the private sector, especially in critical industries.
ADS and its members have played a vital role in ensuring industry perspectives are reflected in policy, and we will continue to do so. Our ongoing engagement through cyber-focused interest groups and councils, and collaboration with the National Cyber Security Centre (NCSC) and with ministerial departments, provides channels of expertise and best practice. We very much welcome the Plan’s emphasis on strategic partnerships with suppliers and the inclusion of several ADS members in the new Software Security Ambassador Scheme.
A unified delivery model
A much-needed step towards the whole-of-society approach to security and resilience, the Government Cyber Action Plan rightly centres on collaboration, between government and industry, and across the whole of government, including ministerial departments, arm’s-length bodies, and wider public sector organisations like the NHS. Assessing, improving, and monitoring public cyber resilience across the board will be overseen by a new cross-government body, the Government Cyber Unit within DSIT, which will encompass the Government Cyber Coordination Centre (GC3) and will work closely with the Government Security Group (GSG) in the Cabinet Office.
The Government Cyber Action Plan is highly process-oriented. It clarifies responsibilities and accountability and sets out quantified outcomes and clear delivery models. Its four strategic objectives are to raise the visibility of cyber risks through the GovAssure framework, address severe and complex risks within the Government Cyber Unit, improve responsiveness and recovery times, and operationalise central services.
Industry, both strategic partners of the Government Cyber Unit and all suppliers to government and public sector bodies, stands at the centre of these objectives. ADS will continue to support members in navigating these changes, ensuring that our sector remains a trusted partner in delivering secure, resilient public services.
A shift in culture
Security is everyone’s responsibility. The Government Cyber Action Plan is clear: meaningful change requires a shift in culture, embedding core behaviours across the public sector as part of wider whole-of-society efforts. These include ‘Defending as One’ by treating resilience as a collective mission, making data-driven decisions, and ensuring proactive ownership where senior leaders set a tone of security and continuous risk management. The plan also stresses transparency, encouraging the sharing of risks and best practices, building an empowered workforce with sustainable career paths, and a safe environment for threat reporting.
To support this, the plan mandates cyber risk training for all Accounting Officers and boards. It also launches the first Government Cyber Profession to set national accreditation standards within the public sector, supported by a Cyber Resourcing Hub designed to reduce the public sector’s reliance on contingent labour.
It is noteworthy that this plan introduces a shift in how risk is categorised. On the one hand, the Government Cyber Unit will create the frameworks and be the coordinator of cross-government incident response and a coherent portfolio of central cyber services. On the other hand, the plan introduces a clearer differentiation between government-wide cyber risk and organisational cyber risks. The former will be managed by the new Government Cyber Unit, while the latter must be assessed by each organisation based on its unique vulnerabilities, risks and potential impacts. This includes those created by supply chains, as all organisations must now undertake formal assurance of their supply chains’ resilience.
Conclusion
The plan will be delivered in three key phases: the establishment of the Government Cyber Unit and its central services by April 2027; key improvements and processes ongoing by April 2029; and continuous improvement beyond. By mapping outcomes against quantified milestones and fostering a culture of collaboration and accountability, the plan sets the stage for real progress.
The key objective of the previous Government Cyber Security Strategy, designed to span from 2022 to 2030, was to make government a significantly hardened target by 2025, and all government organisations across the public sector resilient by 2030. The government’s move to refresh the strategy in 2026, four years before the previous plan’s end date, highlights how the pace of cyber threats is outstripping earlier plans. Still, the Government Cyber Action Plan deserves credit for taking decisive steps ahead of schedule – particularly in centralising response and support functions, and with the significant funding now committed.





