UK Unveils £210M Cyber Action Plan As Cyberthreats Reach Critical Levels

The UK Department for Science, Innovation and Technology released its “Government Cyber Action Plan” today, which admits that the public sector’s digital defenses have reached a crisis point. The 108-page document reveals that nearly a third of government technology systems run on legacy platforms that sophisticated attackers can easily compromise.

“The cyber risk to government is critically high,” the plan stated, marking a rare moment of transparency from a government acknowledging its vulnerabilities.

The admission follows a string of devastating incidents. A 2023 ransomware attack crippled the British Library for months, forcing most online systems offline and exposing user data. The 2024 CrowdStrike software failure, though not malicious, cost the UK economy up to £2.3 billion and exposed how fragile digital infrastructure enables cascading failures across essential services.

The cyber action plan establishes a Government Cyber Unit, a centralized authority backed by more than £210 million in funding. The unit will coordinate cybersecurity efforts across departments, set mandatory standards, and hold agencies accountable for their digital resilience.

Under the new framework, departmental accounting officers—typically permanent secretaries or chief executives—bear personal responsibility for cyber risk management. The plan creates the Technology Risk Group, which will review aggregate risks and hold leaders accountable when organizations fail to manage threats appropriately.

“Every public sector leader bears direct accountability for this effort,” Minister of State Ian Murray said. Departments must urgently invest in replacing legacy systems and fixing foundational vulnerabilities.

The Government Cyber Coordination Centre, or GC3, will expand its role beyond incident response to cover non-malicious digital resilience failures. The center will publish a Government Cyber Incident Response Plan defining structures and responsibilities when systems fail.

The plan also launches the first Government Cyber Profession, addressing chronic skills shortages that plague the public sector. Nearly half of UK businesses and 58% of government organizations report basic cyber skills gaps, according to the 2025 Cyber Security Skills in the UK Labour Market report.

Additionally, a new Cyber Resourcing Hub will coordinate recruitment across departments, competing with private sector salaries through competitive pay frameworks and emphasizing government-unique benefits like job security and mission-driven work. The profession will create clear career pathways and professional development opportunities.

GovAssure, the government’s assurance framework, found significant gaps in fundamental controls across departments. Asset management, protective monitoring, and response planning all showed low maturity levels in first-year assessments.

The plan acknowledges that strategic suppliers pose aggregated risks across government. The Government Cyber Unit will establish formal strategic partnerships with major vendors, building cyber requirements into contracts and holding suppliers accountable for the risks they create.

Lead government departments will assume responsibility for cyber resilience across their arm’s-length bodies and wider public sectors. The Department of Health and Social Care, for instance, must ensure NHS trusts and other healthcare organizations maintain adequate defenses.

Implementation spans three phases through 2029 and beyond. By March 2027, the plan aims to establish core governance structures, launch priority services, and publish cross-government incident response protocols. The second phase through 2029 focuses on scaling services and developing role-based learning pathways for high-risk specialisms.

The document represents a fundamental shift from previous strategies. Where the 2022 Government Cyber Security Strategy set optimistic targets, this plan acknowledges those goals proved inadequate and resets expectations with measurable milestones.

“We are not starting from scratch,” Murray wrote. “We are scaling what works, learning from successes across the public sector and our international partners.”
