The U.K.’s National Cyber Security Centre (NCSC) is warning that organizations delivering critical services must urgently prepare for a ‘severe cyber threat’ environment, as increasingly capable adversaries combine rising intent with advanced technologies such as AI to carry out disruptive attacks on nationally significant targets. This comes as a severe cyber threat can result in attacks that lead to extended operational downtime, with direct customer impact, significant financial loss, long-term reputational damage, and increased risks to public safety and national security.
The guidance frames cyber risk not as a technical issue but as a core business continuity and national resilience challenge, with potential impacts ranging from prolonged operational outages and financial losses to threats to public safety and security. It stresses that preparation is a leadership responsibility and cannot be improvised during a crisis, highlighting a widening gap between the pace of escalating threats and existing resilience, and calling on organizations to act now to build the capabilities, coordination, and recovery planning needed to withstand sustained cyber disruption.
“Recent high-profile cyber incidents demonstrate a clear and accelerating trend: highly capable threat actors are increasing both their intent and their ability to target organisations of national economic significance, to cause real-world operational disruption,” Jonathon Ellison, director of national resilience at NCSC, wrote in a Monday blog post. “At the same time, new technologies – like frontier AI – risk increasing the speed, scale and ease of attacks. This is what we mean by severe cyber threat.”
Ellison notes that given the escalating intent and capability of cyber threat actors, organizations must treat the prospect of severe cyber threats as a credible and pressing risk.
He added, “Preparing for this is a leadership responsibility. Effective preparation not only protects your organisation’s value, reputation and continuity of operations, it also serves a wider purpose. The ability to continue delivering essential services under sustained cyber pressure is critical to the UK’s national resilience and security.’
The NCSC guidance makes clear that resilience, not prevention, is the defining requirement in today’s threat landscape. Cyberattacks will not always be stopped at the perimeter, and organizations must be able to sustain operations and recover while under pressure. That starts with a clear understanding of critical systems, realistic planning for operating through degraded IT or OT environments, and rehearsing actions such as network segmentation, isolation, and system rebuilds.
It also requires leadership to confront the trade-offs between maintaining operations and tightening security controls, recognizing that resilience is measured by the ability to function through disruption, not simply avoid it.
It also underscores that preparation cannot be deferred until a crisis is underway. Many of the actions required during a severe cyber event, from rapidly hardening defenses to isolating networks, are complex, resource-intensive, and potentially disruptive to business operations. These measures may seem disproportionate in normal conditions, but they cannot be improvised in the moment.
Without prior investment in capabilities, processes, and decision-making frameworks, organizations will be unable to respond effectively when the threat escalates. The message is direct: build and rehearse these capabilities now, or risk being unprepared when they are needed most.
Ellison also linked to the NCSC’s Cyber Assessment Framework (CAF) that helps organisations responsible for essential services achieve and demonstrate an appropriate level of cyber resilience.
“The new guidance builds on this by focusing specifically on how organisations should prepare for and respond to severe cyber threat. This context is the key distinction,” he wrote. “An organisation may meet the expectations of the CAF under normal operating conditions, but may not have fully considered how its risk profile and response actions would change in the context of severe cyber threat. Organisations will need to revisit the CAF principles through this lens, and adjust their response actions as necessary.”
Last October, the NCSC warned that the U.K. faced four nationally significant cyberattacks per week, with 204 incidents recorded in the year to September, more than double the previous year’s total. These attacks, targeting critical infrastructure, essential services, and government operations, highlight a widening gap between the scale of cyber threats and the country’s ability to defend against them. The NCSC is urging operators of essential services to act now by strengthening resilience, preparing to sustain operations during disruption, and implementing measures such as enhanced threat hunting and isolating operational technology systems before threats escalate further.
