The U.K. government provided a summary of research on the economic impact of cyber attacks, which now rank among the nation’s top national security threats, targeting critical systems and economic infrastructure. As digital technologies connect billions of devices, the government’s Plan for Change aims to strengthen defenses, protect citizens, and safeguard the nation from increasingly sophisticated state-backed and criminal cyber threats.
Describing the scale of the problem as undeniable, the government noted that the National Cyber Security Centre (NCSC), as the experts on helping organizations respond to and recover from cybersecurity incidents, managed 204 significant or highly significant cyber incidents in the year leading up to September 2025. “These are the incidents defined as having a serious impact on essential services, public safety, or economic stability. The NCSC managed, on average, one of these significant incidents every two days. Last year alone, 43% of U.K. businesses reported experiencing a cybersecurity breach or attack – equivalent to over 600,000 organizations.”
The government is clear that decisive action is required to tackle the increasing cyber threat, to protect the public and the economy, and to maximize the opportunities for the U.K. domestic cyber sector. Its planned National Cyber Strategy refresh will articulate a vision and agreed collective action in partnership with businesses, devolved governments, regulators, law enforcement, and the public to head off the proliferating cyber threat, strengthen the nation’s cyber security and resilience, and maximize growth opportunities from the U.K. cyber sector. It will also demonstrate that the U.K. remains a global leader on cyber, taking a proactive, strategic, and collaborative approach to securing national interests in an increasingly complex digital world.
Last week, the U.K. introduced the Cyber Security and Resilience (Network and Information Systems) Bill to increase defenses against cyber attacks for the services that the public and businesses rely on every day, including water, energy, healthcare, transport, and digital services. The Network and Information Systems Regulations 2018 have fallen out of date and are insufficient to tackle the threats faced.
The Cyber Security and Resilience Bill will update the regulations to more effectively safeguard the cyber resilience of essential and digital services. It will deliver a fundamental step change in the U.K.’s national security, making essential and digital services more secure in the face of cyber criminals and state actors who want to disrupt critical operations. The reforms will underpin greater economic stability, helping grow the economy for working people, reduce business costs and disruption, and support investment.
The government is providing businesses with enhanced guidance and support to strengthen cybersecurity. The Cyber Essentials program, which issued over 51,000 certificates in the year to June 2025, demonstrates measurable benefits, with organizations following its controls filing 92% fewer insurance claims. Boards and directors are supported through the Cyber Governance Code of Practice and accompanying training, helping them implement critical resilience measures.
To promote secure technology, the government has issued codes of practice for apps, software, and AI, with enterprise technology guidance forthcoming, alongside pioneering product security legislation.
The NCSC’s Share and Defend capability protects public and business systems at scale by blocking access to malicious websites and preventing cyber-enabled fraud. Additionally, the NCSC offers comprehensive guidance online, including the Cyber Assessment Framework, which helps critical national infrastructure operators identify and manage cyber risks effectively.






