On 6 January 2026, the UK Government unveiled a new Government Cyber Action Plan. The Plan recognises that whilst digitisation of public services offers huge advantages in terms of efficiency and value for money, these benefits can only be realised if public services are secured to be trustworthy and resilient. To achieve this underlying aim, the plan sets out significant changes for how suppliers will be held accountable and how the Government itself will organise its cyber capabilities.
The Plan establishes a Government Cyber Unit, backed by over £210 million of central investment, to take the Plan forward. The intention is that the Cyber Unit will set a stronger central direction, whilst backing departments with expert support and demanding measurable progress.
Under the Plan, certain suppliers will be identified as "strategic" where they deliver services at significant scale or provide capabilities deemed critical to government operations. Rather than each department overseeing its own supplier relationships independently, high-risk suppliers will be subject to coordinated oversight, allowing the Government to take a unified view of vulnerabilities that could have cross-cutting implications.
The Plan outlines a three-phase implementation strategy. Phase 1 (by April 2027) aims to build foundational infrastructure by establishing the Government Cyber Unit, implementing accountability frameworks, launching a cross-government Cyber Profession (to attract, upskill and retain cyber professionals), and publishing a Government Cyber Incident Response Plan. Phase 2 (April 2027-2029) scales the model by utilising data-driven decision-making, delivering cyber support services, and scaling response capabilities. Phase 3 (April 2029 onwards) is aimed at continuous improvement through sharing central cyber data insights, offering services at scale, leveraging the Cyber Profession for transformation, and ensuring departments proactively assure cyber risk across supply chains, ultimately supporting national security and growth.
The Plan was announced on the same day the Cyber Security and Resilience Bill went through its second reading in Parliament (see our earlier article here). The Bill is designed to update the existing Network and Information Systems Regulations 2018 in response to growing cyber threats targeting essential infrastructure. The Bill proposes expanded incident reporting requirements, designates "critical suppliers" and extends regulatory scope to data centres, load control services and managed service providers.
The Plan comes as the Government seeks to strengthen protections across essential services. Like the Software Security Ambassador Scheme announced alongside other Government cybersecurity initiatives, the Plan represents a coordinated effort to raise security standards across both public and private sectors. The Ambassador Scheme, which includes companies such as Cisco, Palo Alto Networks, Sage, Santander and NCC Group, promotes adoption of voluntary security standards through practical examples and case studies.
For more information, please contact Isabelle Heatley and Anthony Rosen.