Backed by funding of £210 million, the UK’s new Government Cyber Action Plan aims to improve both cyber defenses for and ease of access to the nation’s public services. The move was prompted in no small part by the recent disruptions of NHS health care services and Ministry of Defence payroll systems, among other major cyber attacks targeting critical infrastructure sectors and everyday services that Britons rely on.
Among its other measures the plan establishes a new Government Cyber Unit set to serve as a coordination center for cyber threat response, as well as creation and enforcement of minimum cybersecurity standards to be applied across government. Critics have raised questions about potential oversights in areas such as mobile devices and AI, however, and also whether the amount of committed funding will be adequate.
Plan for UK public services enters initial “build-up” phase, running through April 2027
The cyber action plan is set to unfold in phases through 2029, with the initial phase concluding in just a little over two years. The key piece of this initial portion of the plan is the establishment of the Government Cyber Unit, which will be part of the Department for Science, Innovation and Technology (DSIT) and headed up by a newly appointed Government Chief Information Security Officer. The unit will manage and coordinate cyber incident response across other government departments, to include fund disbursement. It will also play a lead role in establishing and enforcing baseline cyber security standards for both government departments and the nation’s critical infrastructure operators.
Though cybersecurity is a primary focus, the cyber action plan will also impact day-to-day use of public services by UK residents. The move is part of a broader UK government push to “digitalize” and centralize public services, sending Britons online to support tools that will likely heavily incorporate AI to reduce queue times and eliminate redundancy in filing processes. But the recent attacks on NHS in particular illustrate that moving services online creates more opportunity for threat actors to wreak havoc.
The government is also reaching out to software developers via its Software Security Ambassador Scheme, centered on its Software Security Code of Practice. This voluntary code recruits major hardware manufacturers and software developers such as Cisco, Palo Alto Networks, Sage, Santander and NCC Group as flag-bearers of practical implementation of security standards as well as a base of feedback as new procedures and practices are rolled out.
The cyber action plan aims to unify standards between these major private sector entities and government departments, putting all the key actors in securing critical infrastructure and vital services on the same page and with a same central “command and control” to refer to for best practices and threat response. But though the Software Security Code of Practice is voluntary, it also signals a regime of stricter regulations and greater “security by design” requirements. For their part government departments will be required to adopt better incident response capabilities, and the recent Cyber Security and Resilience Bill has further signalled a significant revision of base cybersecurity standards for all entities involved in critical infrastructure and essential services.
Cyber action plan addresses chronic “high risk” ratings for UK public sector cyber defenses
The cyber action plan assesses the current state of the public sector’s cyber defense as being “critically high” risk, pointing to chronic underinvestment that has fed “technical debt” and overreliance on vulnerable legacy systems as a central factor. Hackers have keyed in on these known vulnerabilities in public services, with not just the NHS outages but also attacks on entities such as the British Library and Royal Mail costing the national economy a cumulative total of billions of pounds in recent years. The Minister of State for Department for Science, Innovation and Technology has estimated that about 28% of government operations continue to use at-risk legacy systems that are in need of modernization and are of great interest to prowling cyber criminals.
These attacks also do not directly target public services. The recent NHS failure that led to over 11,000 medical appointment delays was not attributed to the health agency’s own systems, but a contractor called Synnovis that handles pathology services. At least one patient is thought to have died due to treatment delays caused by the fallout of this attack.
The UK government is touting the cyber action plan’s relatively minimal up-front cost as saving public services up to £45 billion in breach and business interruption costs annually. However some critics, such as Camellia Chan (CEO & Co-Founder of X-PHY), believe that the funding is too limited to address the sprawling government-wide totality of problems: ‘‘The new Government Cyber Action Plan is a positive step toward improving resilience and citizen confidence in public services, but £210 million is a drop in the ocean. Continuous cyber-attacks have shown that a single breach can disrupt supply chains, erode public confidence, and drag on growth – with the recent Jaguar incident alone estimated to have cost the UK economy £1.9 billion. This risk is even greater for the public sector, where cyber-attacks can disrupt entire communities who need unrestricted access to public services. Threat actors are moving with unprecedented speed and sophistication, using automation and AI to exploit weaknesses deep within the technology stack, well beyond the reach of traditional, software-only defences. It’s therefore crucial to invest in security across every layer of the government’s technology and operations to protect the services that citizens rely on every day.’’
Ted Miracco, CEO of Approov, also sees substantial blind spots in the scope of what the cyber action plan covers: “The UK government is right to invest £210 million to fix the ‘fragile foundations’ of its legacy systems. However, the plan leaves blind spots as it pushes for faster and more accessible digital services without setting concrete, mandatory rules for mobile devices or the data connections (APIs) they rely on. Currently, this plan groups mobile security under a voluntary Software Security Code of Practice and general Secure by Design goals. This is risky as the government acknowledges that ‘generative AI’ is a top-tier threat, yet it hasn’t established specific defenses for the mobile interfaces that AI tools will inevitably target next.”
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs, notes that it remains an overall positive development for the UK’s cybersecurity posture in spite of these questions: “The plan being proposed is timely given today’s cyber threat landscape. Heightening geopolitical tensions worldwide, combined with the rapid advancement of artificial intelligence, are materially changing both the volume and sophistication of cyber attacks. Threat actors continue to operate with increasingly greater capabilities, in an increasingly structured and organized space. Initial access vendors and ransomware creators now go as far as offering 24/7 customer support. This increasingly hostile environment has shifted cyber risk from a primarily technical concern that fell on IT, into a persistent strategic pressure on governments and societies. The line between the public and private sectors is also increasingly thin. Essential public services depend heavily on privately operated companies, meaning failures in one domain quickly affect the other. Treating private sector cybersecurity as a national security concern is therefore both forward-thinking and prudent.”
Findlay Whitelaw, Cybersecurity Strategist and Researcher at Exabeam, adds: “One thing that stands out is these feel less like policy changes and more like a shift towards how cyber effectiveness will be judged. The direction of travel isn’t just stronger standards or tighter supplier obligations, but how quickly risk is identified, prioritised and contained when things don’t go to plan. Technical dept and supply chain exposure amplify this challenge. To me, these changes signify a pivot from: do you have controls, to can you prove they work at speed and at scale.”

