Government Cyber Action Plan

Written by UK Government | Jan 6, 2026 2:00:00 AM

Introduction

The Prime Minister has been clear that the government exists to unite the country behind a shared purpose: to protect citizens, back public services, and secure opportunities for every family. In that spirit, this document sets out the practical, measurable steps we will take to rapidly improve the cyber security and resilience of the government and the public sector, to keep the British people safe and confident in digital government.

The digitisation of public services offers huge advantages to the UK: we can deliver services that are more efficient, convenient and better value for money for taxpayers. However, realising these benefits relies on securing public services so that they are trustworthy and resilient. Without achieving this, increasing digitisation exposes us to increasing levels of cyber and digital resilience risk.

The Government Cyber Action Plan defines how we will secure public services so they are trustworthy and resilient, as part of the broader Roadmap for a Modern Digital Government.

The scale of the challenge

As the National Security Strategy 2025 sets out, protecting the UK and promoting British interests is becoming more difficult. We are increasingly targeted by state threats and organised crime groups who seek to exploit our vulnerabilities. The UK has experienced repeated, systemic failures in our digital resilience and we know from experience that they pose unacceptable costs to UK citizens, from compromised personal data, to loss of access to basic public services.

When digital systems fail, whether through a malicious cyber attack or a non-malicious outage, the impacts are immediate and profound. The cyber attack on Synnovis, which halted blood testing and forced the cancellation of surgeries across London, demonstrated how quickly a digital disruption can escalate into a major healthcare emergency. Similarly, ransomware incidents affecting local councils have incapacitated social care systems, leaving frontline workers unable to access vital information to protect vulnerable individuals. These failures are not hypothetical risks; they are recurring realities that result in service breakdown, harm to the public and erosion of trust in these services by the communities who rely on them.

Since launching the Government Cyber Security Strategy (GCSS) in 2022, we have taken important steps to understand complex government systems and reduce cyber risk. We established the Government Cyber Coordination Centre (GC3) to enable a single, whole-of-government response to incidents, threats and vulnerabilities. Our Secure by Design approach builds resilience into implementing future government digital services. Our new assurance framework, GovAssure, has, for the first time, given us an objective picture of resilience levels across government systems. These initiatives have delivered real improvements and given us the tools to understand the scale of the challenge we face.

That challenge is significant, and cyber risk to the public sector is currently critically high. The State of Digital Government Review in January 2025 identified the systemic challenges underpinning our current resilience status as:

  • institutionalised fragmentation
  • persistent legacy, cyber security and resilience risk
  • siloed data
  • under-digitisation
  • inconsistent leadership
  • a digital skills shortfall
  • diffuse buying power
  • outdated funding models

GovAssure’s first year results found significant gaps in departments’ cyber security and resilience, including widespread low maturity in fundamental controls such as asset management, protective monitoring, and response planning. Nearly a third (28%) of the government technology estate is estimated to be legacy technology, and therefore highly vulnerable to attack.

In addition, the UK Government’s ability to defend against threats is not keeping pace with an ever-evolving threat environment. The National Audit Office has highlighted the challenge of defending our digital estate from sophisticated cyber threats by nation states and organised crime groups, and the National Cyber Security Centre’s (NCSC) Annual Review 2025 sets out the evolution of the threat environment and the continued targeting of the public sector by both state and criminal actors. Malicious cyber attacks and non-malicious digital resilience failures alike continue to disrupt government, as demonstrated by the 2023 British Library ransomware attack and 2024 CrowdStrike outage respectively.

A radical shift

Given this context, we now recognise that the target set out in the GCSS for all government organisations to be resilient to known vulnerabilities and attack methods is not achievable by the original target date of 2030.

To protect our critical national infrastructure, defend public institutions and maintain public confidence in essential public services, we must achieve a radical shift in approach and a step change in pace.

We’ve learned from international and industry partners that a strong, centralised approach, with clear direction and active leadership, can make a huge national impact. We have worked with departments and NCSC to define and pilot what this will look like for the UK public sector.

The Government Cyber Action Plan sets out a new way forward. It was developed by the Department for Science, Innovation and Technology (DSIT), in close consultation with departments, public sector organisations, industry partners and the Government Cyber Advisory Board (GCAB).

It builds on the outcomes and approach of the GCSS by setting clear expectations of how government organisations of all kinds should manage cyber security and resilience through more measurable objectives and outcomes. These are set out at a high level in the ‘Who is responsible for what’ section at the beginning of each chapter.

Read the full plan below.

Source: UK Government: https://www.gov.uk/government/publications/government-cyber-action-plan 

The Critical Supply Group consists of companies and professionals committed to secure and resilient critical supply chains. CSG is managed by MAP UK & International. For more details, including how to get involved, or to make contact with any of the entities involved, please email info@mapukinternational.com.