UK’s new cyber legislation leaves public service exempt from reporting

The UK government last week unveiled its new Government Cyber Action Plan, which aims to keep digital services secure as they play an increasingly significant role in modern daily life, creating greater efficiency and, equally, greater risk.

Tue, 13 Jan 2026
The plan, announced on 6 January 2026, introduces a Government Cyber Unit, which will drive the plan’s integration over a number of years, while backing departments support the plan and measure its progress. Backed by £210 million of central investment, it intends to raise government standards and drive skills and innovation in the cyber industry.

“We must be clear-eyed about what is at stake. We are more connected than ever before, and that progress brings immense benefits to our economy and our society,” said Minister of State for the Department for Science, Innovation and Technology, the Honourable Ian Murray.

“As we innovate and expand, the surface area for risk grows with it. Cyber attacks have inflicted real damage on our institutions. Whether the goal is financial theft or strategic disruption, the intent to strike at the heart of our public sector is real.”

 
 

The plan is made up of a three-phase implementation, which will take place over the next three or more years.

Phase 1, which is to be achieved by April 2027, will build a foundation for the plan through the establishment of the Government Cyber Unit, launching a cross-government Cyber Profession to attract new cyber professionals, as well as upskilling and retaining current ones, and implementing accountability and governance frameworks for cyber risk.

Phase 2, which will take place between April 2027 and 2029, will scale and mature response and recovery capability regarding concurrent major cyber incidents, utilising “government-wide cyber risk visibility to make data-driven decisions and a compelling investment case for managing severe and complex cyber risks”, according to the UK government, and developing role-based learning pathways that are high-impact and sector-wide for top “high-risk cyber specialisms”.

It will also deliver cyber support and services to aid departments in meeting their cyber obligations and aims to have departments operating within reporting structures and governance independently.

Phase 3, which will take place beyond April 2029, will see the model continuously improved and fine-tuned to establish better government-wide cyber security and resilience.

To do this, the plan will see central cyber data insights shared at all levels of government, enabling prioritisation and decision making, offering central cyber support at scale based on the individual identified needs, utilising the Government Cyber Profession from phase one as an “engine for transformation through career framework and sector-recognised accreditation standards”, driving professional growth, supporting national security objectives and having departments actively assure cyber risk across supply chains through a central management of strategic suppliers.

“We are not starting from scratch; we are scaling what works, learning from successes across the public sector and our international partners. This plan will go further than we have before, prioritising cyber resilience and ensuring we have strong central leadership driving cross-government response,” said Murray.

“It will enable departments, through central services and targeted support, and will see the launch of a new Government Cyber Profession, which will not only ensure we continue to attract and retain the best talent but also support development skills throughout the UK.

“This is more than just a change; it is a steadfast commitment to defending the state and protecting the daily lives of working people. By fixing these foundations, we will build a government that is resilient, secure, and ready for national renewal.”

The Cyber Security and Resilience Bill

The announcement of the plan coincides with the Cyber Security and Resilience Bill going through its second reading in Parliament. The bill intends to respond to the growth in cyber threats by updating the current Network and Information Systems Regulations 2018 with expanded incident reporting requirements, designation of critical suppliers and the extension of regulatory scope to include load control services, managed service providers and data centres.

However, the bill's exclusion of the central government has raised concerns, particularly from former digital secretary and current shadow deputy PM, Sir Oliver Dowden.

Responding to Murray, Dowden requested that the exclusion of the central government from the bill be reconsidered, raising concerns of accountability following past reports that highlighted major security flaws in government systems.

Murray argues that “the government should not need to legislate for themselves; we should just get on with making sure that we are leading the charge and that the cyber action plan strengthens the government’s cyber resilience”.

Dowden responded by saying that while he acknowledges the comments about the public sector, he feels the government not being held accountable by the bill could lead to the security risks being overlooked.

“I welcome the minister’s comments about the obligation on the public sector. However, I caution him that, in my experience, cyber security is one of those things that ministers talk about, but then other priorities overtake it,” Dowden said.

“The advantage of legislative requirements is that they force ministers to think about it. I urge the minister to look at that point again as the bill passes through Parliament. There is a case for putting more stringent requirements on the public sector in order to force ministers’ minds on the point.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.