Wednesday, 7 January 2026

Government Cyber Action Plan

Critical analysis summary

The Government Cyber Action Plan, published 6 January 2026, is designed to fulfil the objective outlined in the Digital and AI Roadmap: ensuring that public services are secure, trustworthy, and resilient. 

It acknowledges that the ambition in the 2022 Government Cyber Security Strategy (GCSS), for all government departments to be resilient to known vulnerabilities and attack methods by 2030, is not achievable on the original timeline. It therefore proposes a more centralised, measurable, and directive model led by Department for Science, Innovation and Technology (DSIT). 

What is most significant (and different) is not simply “more cyber activity”; it is the shift in operating model:

  • Cyber risk will be treated as a system-wide governance problem, rather than an isolated department issue. This will be supported by a named government-wide risk owner, a new Government Technology Risk Group, and clearer escalation and mandated routes.
  • Data, metrics, and assurance are prioritised, building on GovAssure and outcomes-based measurement (including use of Cyber Assessment Frameworks) with implementation milestones.
  • The plan is overt about the drivers of risk, including legacy technology, control maturity gaps (asset management, protective monitoring, response planning), and common dependencies/suppliers. It positions shared services and coordinated response as key countermeasures. 

From an industry perspective, the plan signals tighter expectations for suppliers and “defend as one” collaboration. There is also an increased focus on secure-by-design principles, shared detection content, and coordinated responses. 

The main execution risks are predictable but material: data quality and reporting burden, the reality of skills shortages, and whether funding and delivery capacity are sufficient to reduce risk faster than threat and dependency complexity increases. The plan attempts to address capability constraints through a new Government Cyber Profession and centralised support/services, but delivery discipline will be decisive.

What is the UK Government Cyber Action Plan? 

The Government Cyber Action Plan sets out a practical programme to strengthen the cyber security and digital resilience of public services, so citizens can rely on them for healthcare, benefits, tax, identity checks, and more. The headline is ambition; the substance is operational: this is a plan to measure risk, prioritise investment, raise accountability, and coordinate delivery at scale across government and the wider public sector. 

This matters beyond Whitehall. If you supply government, regulate public services, operate critical national infrastructure, or lead cyber security in any organisation that depends on public-sector platforms and data flows, the plan signals a clear direction of travel: more measurable expectations, more assurance, more coordinated response, and stronger supply-chain governance.

Why Government felt it needed a new plan 

The Action Plan is candid about the context. It links the push for digitised public services to the need for trust: as services move online, the “surface area” for cyber risk and operational failure grows. It also treats resilience failures broadly, covering malicious attacks and non-malicious outages, because both can remove access to critical services. The plan points to recent disruptions as evidence of impact. For example, it references the Synnovis incident affecting blood testing and surgeries, ransomware impacts on local authorities, the British Library ransomware attack, and the 2024 CrowdStrike outage, noting how a single supplier dependency can cause widespread disruption.

Most importantly, the government’s own assurance picture is uncomfortable. The plan states that GovAssure results showed “significant gaps” across departments, including low maturity in foundational controls such as asset management, protective monitoring, and response planning, and estimates that 28% of the technology estate is legacy technology and therefore highly vulnerable. 

The “radical shift”: from aspiration to a more centralised operating model 

A key line in the Action Plan is that the target in the 2022 Government Cyber Security Strategy, for government organisations to be resilient to known vulnerabilities and attack methods by 2030, is not achievable on the original timeline. The plan argues that a “radical shift” is needed, drawing on lessons from international and industry partners that strong central direction and active leadership can make a national-level impact. 

In practical terms, that means a stronger centre, delivered through a new/expanded Government Cyber Unit within DSIT, led by the Government CISO, and including the Government Cyber Coordination Centre (GC3) (jointly sponsored with NCSC) to coordinate operational response to threats, vulnerabilities, and incidents.

What are the key parts of the Cyber Action Plan?

Grouping strategic objectives

The Action Plan groups its intent into four strategic objectives:

  1. Better visibility of cyber and resilience risk (measure what matters, use data to understand systemic and departmental risks)
  2. Addressing severe and complex risks (invest centrally where individual organisations cannot remediate alone)
  3. Improving responsiveness to fast-moving events (better capability to manage evolving threats, vulnerabilities, and incidents)
  4. Rapidly increasing government-wide cyber resilience (shared services/support; focus on major vulnerabilities such as legacy tech; embed continuous improvement)

Achieving the objectives

To achieve those objectives, government organises delivery into five strands:

  • Accountability (clear ownership and consequences)
  • Support (practical help and prioritised intervention)
  • Services (scaled services that reduce risk across many organisations at once)
  • Response and recovery (coordination, readiness, mutual aid, and recovery discipline)
  • Skills (a new Government Cyber Profession and wider learning pathways)

Splitting into phases

The plan is explicitly split into three phases:

  • Phase 1 – Building (by April 2027): stand up the model, core functions, refreshed governance, priority services/support, clear standards/targets, launch the cyber profession, and define structures in a Government Cyber Incident Response Plan.
  • Phase 2 – Scaling (by April 2029): use government-wide visibility to make investment cases for severe risks; deliver a pipeline of services/support; mature concurrent-incident capability; and have departments operating fully within governance for themselves, Arm’s Length Bodies (ALBs), and sectors.
  • Phase 3 – Improving (April 2029+): continuous improvement using shared insights, sustainable service pipelines, stronger supplier assurance, and profession-led transformation.

What are the changes for public sector leaders?

Accountability becomes sharper, and explicitly board-level

A major feature is the strengthening of “who owns the risk.” The plan states that the Accounting Officer (Permanent Secretary or CEO) has overall accountability for organisational cyber risk, extending, for lead government departments, to ALBs and parts of the wider public sector under their economic responsibility, and to appropriate assurance of suppliers. 

It also defines practical expectations: appointing an informed board member with cyber expertise; appointing senior leaders for cyber security (CISO) and digital/technology (CDIO); and ensuring routine reporting from CISO/CDIO to the board on the state of risk across the department, ALBs, public sector remit, and supply chain. 


Risk split into “gov-wide” and “local” categories with clearer escalation route

The Action Plan distinguishes between: 

  • Government-wide risks (central risks) that are too severe/complex for a single organisation. Examples include nation-state targeting, common vulnerabilities exploitable at scale, common dependencies (platforms/major suppliers), and risks from widespread adoption of novel technologies such as generative AI.
  • Organisational risks (local risks) that primarily affect one organisation. Examples include insider threat, data breaches, and misconfigurations.

Government-wide cyber risk is owned by DSIT, managed by the Cyber Unit, and governed via the Technology Risk Group for escalation. 

CISOs should expect standardised risk appetite, reporting, and more scrutiny of cross-cutting risks across organisations and suppliers.


Assurance and “CAF profiles” are positioned as the common language

The plan explicitly references use of Cyber Assessment Framework (CAF) outcomes and “appropriate CAF profiles” for reporting and assurance across ALBs and wider public sector sectors. 

In plain terms: government is aiming for a world where cyber maturity and resilience are described and compared in a more consistent way, reducing ambiguity and enabling prioritisation.


What it means for industry and suppliers

Expect a more joined-up customer, and more explicit expectations.

The plan recognises that suppliers “hold some cyber risk” by virtue of delivering services to government. It sets out an intent to define clearer expectations for how suppliers should engage with government customers on cyber security and resilience. 

Government also distinguishes strategic suppliers, where they intend to take a more “joined-up” approach, stating that the Government Cyber Unit will establish formal strategic partnerships with cyber and resilience requirements built in and will hold strategic suppliers to account for government-wide risk they hold.


Secure-by-Design and spend controls drive early proof of resilience.

The plan targets 100% adherence to a government Secure-by-Design approach and includes the intent that organisations with government Critical National Infrastructure undergo regular assurance checks through Secure-by-Design integration in Digital and Technology Spend Controls. 

For suppliers, this often translates into earlier and firmer questions at bid and delivery stages: architecture, identity and access, vulnerability management, monitoring, incident response readiness, and resilience-by-design, not as optional add-ons, but as conditions of delivery.


An accompanying signal: software supply chain focus

Alongside the plan, the government’s announcement highlights a £210m package and a new Software Security Ambassador Scheme to promote adoption of a Software Security Code of Practice. While that scheme is described in the accompanying announcement rather than the Action Plan itself, it reinforces the same theme: supply chain resilience is now a first-order concern.


The Operational Heart of the Plan

Services at scale

The plan notes that services such as NCSC’s Protective Domain Name Service (PDNS) and the Government Cyber Unit’s Vulnerability Monitoring Service show that risks can be addressed at scale, but barriers prevent sufficient adoption, particularly in less mature organisations. 

It proposes a more coherent approach to developing and “productising” cyber services, including improved access via a service finder and service coordination, and a DSIT–NCSC strategic partnership framework for service collaboration. 


Detection and exercising standard content, shared learning

The Action Plan describes building a central library of intelligence-driven detection content that departments can consume for common platforms (“Detection for Government”), and an exercising capability through centrally developed methodologies and scenarios. 


Response and recovery

Government’s response model emphasises subsidiarity (decisions at the lowest appropriate level) but with stronger central coordination when incidents exceed local capability. It also proposes centrally managed access to NCSC-accredited incident response providers “of last resort,” and the definition of response structures through a Government Cyber Incident Response Plan.


Skills: A Government Cyber Profession

The plan explicitly calls out a demand/supply gap in cyber skills across government and proposes establishing the first Government Cyber Profession to attract, upskill, retain, and support cyber professionals, alongside clearer career pathways, and partnerships. 

For industry, this has two implications: 

  1. Competition for talent remains intense, but
  2. A more structured profession could improve capability maturity over time, particularly if paired with consistent standards, tooling, and shared services.

Talan’s critical view: what is strong, and what to watch

What the plan gets right

  • It is honest about feasibility and root causes. It explicitly revises expectations versus 2030 and foregrounds legacy, control maturity, and dependency risks.
  • It moves from narrative to operating model. Named risk ownership, governance groups, and defined responsibilities are a meaningful step change in accountability.
  • It treats resilience as more than “cyber defence”. Non-malicious outages and recovery complexity are treated as first-class concerns.
  • It recognises culture as a control. “Defend as One,” transparency, safe reporting, and empowered teams are explicitly described as behaviours to embed.

The execution risks that will determine success

  • Reporting without action. More data and assurance only reduce risk if they drive prioritised remediation and sustained funding.
  • Skills and delivery capacity. A new profession helps, but building capability fast enough, while also delivering major remediation (legacy, monitoring, response readiness), is challenging.
  • Supplier dependency and leverage. Government can define expectations but enforcing them consistently across fragmented procurement routes is hard unless contractual and assurance mechanisms are aligned.
  • Balancing central direction with local autonomy. The plan’s model depends on clear thresholds for escalation and on trust in shared services, otherwise “defend as one” can become “defend alone but report more.”

What CISOs and leaders should do now 

Even if you are outside government, this plan provides a useful blueprint for how large, federated organisations can manage systemic cyber risk. For public sector CISOs, suppliers, and regulated operators, we recommend focusing on the next 90–180 days: 

  1. Reconfirm risk ownership and board reporting. Ensure board-level cyber expertise is in place and reporting covers suppliers and critical dependencies, not only internal controls.
  2. Align your maturity narrative to CAF outcomes (where applicable). If you operate in or supply government-aligned sectors, expect CAF-aligned language to become more common in assurance and sponsorship conversations.
  3. Build an “evidence pack” for secure-by-design delivery. Be ready to show how you embed security and resilience in architecture and delivery, including monitoring and response readiness.
  4. Map your top risks to the plan’s “government-wide” patterns. Look hard at common vulnerabilities exploitable at scale, shared platforms, and supplier concentration risks.
  5. Refresh incident response and recovery assumptions. Assume concurrent incidents and complex recovery; validate supplier support arrangements; and exercise for realistic service disruption.
  6. Start PQC planning if you have long-lived cryptography dependencies. The plan signals a government-wide approach and roadmap for post-quantum migration, which will cascade into supplier roadmaps over time.

Where Talan can support 

Talan works with public sector and critical service operators to turn plans like this into measurable delivery. Typical support aligned to the Action Plan includes: 

  • CAF-aligned maturity and resilience assessments and remediation roadmaps.
  • Board-level risk appetite facilitation and reporting design.
  • Secure-by-design governance and assurance for new digital services.
  • Supply-chain cyber assurance (including strategic supplier dependency risk).
  • Incident response exercising, recovery planning, and “lessons learned” operationalisation.
  • Post-quantum cryptography (PQC) readiness and migration planning.
