Defend as one: can a £210m cyber unit really knit together a fragmented state?

A new Government Cyber Unit tests whether the UK can centralise risk, enforce standards, and manage cyber resilience at scale.
Whitehall government buildings in London, illustrating the fragmented structure of UK public administration

In January 2026, the UK’s Department for Science, Innovation and Technology (DSIT) announced a £210 million Government Cyber Unit (GCU) and a new Government Cyber Action Plan, presented as a “radical shift” in how the state approaches digital resilience.

Behind the confident language sits a striking concession: the government now accepts that its own flagship ambition – to make all public bodies resilient to known cyber vulnerabilities and attacks by 2030 – is “not achievable by the original target date”.

That admission matters more than the new money. 

It marks an end to the assumption that a loose framework of standards, guidance and departmental autonomy would be enough to bring a sprawling public sector to an acceptable level of cyber maturity. 

The new experiment is different. It is an attempt to centralise ownership of cyber risk across Whitehall, build shared services, and enforce minimum standards on hundreds of organisations that have historically guarded their independence. The question is whether the GCU can succeed where a decade of scattered strategies has not.

From ambition to retrenchment

The story begins with the Government Cyber Security Strategy 2022 to 2030. When the Cabinet Office published it in January 2022, the goals were clear and time bound: by 2025, “government’s critical functions” would be significantly hardened to cyber attack; by 2030, “all government organisations across the whole public sector” would be resilient to known vulnerabilities and attack methods.

The numbers appeared to back this up. The United Kingdom invested £650 million in cyber security between 2011 and 2016, followed by an estimated £1.9 billion National Cyber Security Programme from 2016 to 2021, and a further £1.3 billion earmarked for cyber and legacy IT remediation in the 2021 Spending Review. The creation of the National Cyber Security Centre (NCSC) in 2016 gave the UK a respected technical authority, and there was confidence that a mixture of central guidance and departmental efforts could close the resilience gap.

Reality proved less forgiving. 

By early 2025, the National Audit Office (NAO) warned in a report that “the cyber threat to the government is severe and advancing quickly” and concluded that “the government will not meet its aim for its ‘critical functions’ to be resilient to cyber attack by 2025”. 

Independent assessments under the new GovAssure regime found “multiple fundamental system controls” at low levels of maturity, particularly in asset management, monitoring and incident response. DSIT’s State of digital government review reported that cyber risk to the public sector was “critically high”.

A run of incidents made those assessments concrete: a ransomware attack on the British Library in 2023 forced manual workarounds and partial services for months, with direct remediation costs reported in the hundreds of thousands of pounds. The Synnovis pathology supplier attack in 2024 led two London NHS trusts to postpone more than ten thousand outpatient appointments and over a thousand procedures. And in late 2025, three London councils – Kensington and Chelsea, Westminster, and Hammersmith and Fulham – activated emergency plans after a cyber incident took key systems offline.

As one former local government IT leader put it, “when such an event occurs, it feels as though your world has been turned upside down, and it quickly becomes clear how difficult it is to restore normalcy”.

At the same time, the NCSC’s Annual Review 2025 showed the pressure increasing. In the year to August 2025, 204 of 429 incidents handled by the NCSC were classed as nationally significant, more than double the previous year. The Centre warned that the gap between the threat facing critical national infrastructure and the ability of operators to defend against it was widening.

Against this backdrop, the Action Plan’s statement that the 2030 resilience goal is not achievable on time is less a surprise than a formal recognition of a position that the evidence already implied. The interesting question is not why the old ambition has slipped, but what the state is prepared to change in response.

How the old model failed

For much of the past decade, responsibility for securing government systems rested primarily with individual departments and agencies. The Government Security Group in the Cabinet Office set minimum standards and issued guidance; the NCSC provided technical advice and incident response support. Accounting Officers were formally responsible for their organisations’ cyber risks, but in practice they operated with considerable discretion about how to interpret and implement central expectations.

Several design flaws became apparent once independent assurance was introduced.

First, the centre did not have a reliable picture of risk. Before 2023, departments largely self-assessed their compliance against Government Functional Standard GSG004, which the NAO found “did not give the government a good understanding” of their true cyber resilience. Services were often reported as compliant on paper while key controls were partially implemented or absent in practice.

Second, skills shortages were chronic and unevenly distributed. The NAO reported that around one in three cyber security posts across central government were vacant or filled by temporary staff, with some high-risk roles – such as security architects – overwhelmingly staffed by contractors. That dependency increased costs and made it difficult to sustain institutional knowledge. The NAO described the skills gap as “the leading risk to building cyber resilience”.

Third, funding arrangements worked against long-term remediation. The 2021 Spending Review’s £1.3 billion allocation for cyber and legacy IT remediation was bid for and held by departments. When wider fiscal pressures intensified, many departments “de-scoped” their plans, diverting resources back towards operational priorities. By March 2024, 53 per cent of the government’s 228 legacy IT systems with known vulnerabilities still lacked fully funded remediation plans, and around a quarter were assessed as high‑risk systems.

Finally, departments and their sponsored bodies struggled to act as effective system leaders. The NAO found that some lead departments had “insufficient funding, number of staff, and oversight mechanisms” to understand or improve cyber resilience across their sectors, including arm’s-length bodies and local service providers. Sharing of incident intelligence was inconsistent, reducing the opportunity for others to learn and prepare.

The result was not a complete absence of cyber defence – some large departments invested heavily and developed mature capabilities – but a structurally uneven landscape. Critical national infrastructure and frontline services relied on a web of public and private organisations with highly variable resilience, connected by shared platforms and suppliers that no single body fully controlled.

The new model: the Government Cyber Unit and shared risk ownership

The cyber action plan is an attempt to address these structural problems by redefining who owns cyber risk and how it is managed at scale.

The first move is formal. The Permanent Secretary of DSIT becomes the Government Technology Risk Owner, accountable for government-wide cyber and technology risk. The GCU, led by the Government Chief Information Security Officer within DSIT, manages that risk day to day: setting mandatory policies and standards, running assurance, directing cross-government remediation, managing strategic supply-chain relationships, and coordinating incident response.

The second move is functional. The plan distinguishes between two categories of risk:

  • “Government-wide risks” such as nation-state campaigns, systemic vulnerabilities in widely used software, and common platform failures, which are now explicitly owned and managed by the centre.
  • “Organisational risks” such as insider threats or local configuration errors, which remain the responsibility of Accounting Officers but must be managed within centrally defined risk appetites.

To understand how this fits into the wider machinery, it helps to see the division of roles clearly. 

The GCU and Government Technology Risk Owner take primary responsibility for cyber and technology risk governance across government. The NCSC remains the national technical authority, producing guidance, providing threat intelligence, and coordinating incident response support at the national level. The Central Digital and Data Office (CDDO), now based alongside the Government Digital Service in DSIT’s expanded digital centre of government, continues to set digital, data and technology standards and to lead digital transformation and service design across departments.

The Action Plan’s aim is not to replace the NCSC or CDDO, but to create a focal point that can align risk decisions, investment and governance with the technical and digital work already underway.

From governance design to accountability

On the ground, the plan makes Accounting Officers personally accountable for cyber risk across their department, their arm’s-length bodies and their supply chain. Each must appoint a board member with cyber expertise, ensure that a Chief Information Security Officer and a Chief Digital and Information Officer have clear authority, and require regular risk reporting to the board. Serious risks that exceed the organisation’s appetite must be escalated to the Government Technology Risk Owner and the new Government Technology Risk Group (TRG), which will in turn escalate to the Civil Service Operations Board where necessary.

The delivery roadmap is set out in three phases. Phase 1, running to April 2027, focuses on establishing the GCU, strengthening governance, launching initial central services and defining the Government Cyber Profession. Phase 2, to April 2029, scales those services, uses improved risk data to guide investment towards severe and complex risks, and brings all departments fully inside the new accountability framework with costed cyber-improvement plans. Phase 3, beyond April 2029, is intended to move the system into a mode of continuous improvement, with mature shared services and proactive supply-chain assurance.

A significant part of the plan is devoted to central support. The GCU will curate a portfolio of shared services – such as protective DNS (a central service that blocks access to known malicious domains), vulnerability scanning, and logging or monitoring platforms – and will decide which are mandatory and how they are funded. It will operate a “service finder” function to help public bodies identify secure-by-design solutions, and a pipeline for targeted support where risk is highest or capability weakest.

Supply-chain risk is treated explicitly rather than as an afterthought. The plan defines “strategic suppliers” whose products or services underpin multiple departments and critical functions. The GCU will establish formal partnerships with these firms, embedding resilience requirements and holding them to account for the risk they hold on behalf of government. 

All other suppliers will be subject to minimum contractual and assurance requirements set by departments within central parameters. This responds directly to the lessons of the CrowdStrike update failure in 2024, which the plan cites as demonstrating how a single software dependency can cause nationwide disruption, and which DSIT estimates cost the UK economy between £1.7 and £2.3 billion.

Finally, the plan tackles the skills gap through the creation of a Government Cyber Profession, with a career framework, learning pathways and accredited standards across the civil service. A Cyber Resourcing Hub will target the most acute shortages, such as incident response and security architecture. This does not by itself increase pay, but it does aim to systematise recruitment, development and deployment of cyber professionals in a way that fragmented departmental hiring has not.

Centralisation meets constraint

For all its innovations, the new model inherits some of the constraints that undermined the old one.

On funding, the scale of the risk dwarfs the new £210 million package. The pot must cover the GCU’s operations, build and run shared services, and support departments in addressing severe risks. It sits alongside, rather than replaces, departmental budgets for cyber and legacy IT, which remain under pressure. The NAO has already found that cost pressures led departments to cut back cyber remediation plans after the 2021 Spending Review, and there is no guarantee that future spending rounds will protect these budgets.

Legacy IT remains an unresolved structural challenge. The NAO reported that the centre and departments “do not have a detailed understanding” of the cyber security risks posed by all legacy systems, and that many lack clear business cases or agreed replacement plans. 

The Action Plan recognises this and includes legacy risk in its priorities for central attention, but replacing or securing ageing systems is expensive and politically difficult when they underpin core services. It is not clear that the combination of central funding and departmental contributions will be enough to reduce this risk at the pace implied by the plan’s timelines.

The skills gap will be hard to close. The Government Cyber Profession provides a framework, yet the NAO describes government cyber skills initiatives as “partially funded” and notes that salary constraints and competition from the private sector will continue to make it difficult to recruit and retain specialists. A more coordinated approach may help departments share scarce expertise, but the overall pool of talent remains limited.

From cyber policy to operating model

Departmental adoption is another uncertainty. The plan envisions Accounting Officers embracing central risk appetites, allowing the TRG to challenge and direct investment decisions, and accepting scrutiny where controls lag. That implies a cultural shift from compliance with a standard to active management of a shared risk picture. It also means that the GCU will sometimes need to recommend decisions that conflict with short-term operational or political priorities. How far the centre is prepared to push, and how far departments are prepared to bend, will only become clear in practice.

Nor will institutional coordination be straightforward. The GCU, NCSC and CDDO each have legitimate roles that overlap at the edges, and the NAO has already found that departments sometimes struggle to understand who does what. The Action Plan provides a clearer map, but aligning risk governance, technical authority and digital transformation is an ongoing process rather than a one-off structural fix.

Finally, the plan notes that alignment with devolved governments will be pursued “where practicable”. Cyber is a reserved matter, but public services such as health, education and many local functions are devolved. A centralised model for UK government risk will have to coexist with distinct digital and cyber governance frameworks in Scotland, Wales and Northern Ireland, each with its own political dynamics.

Why this matters beyond cyber

For regulators and public bodies, the GCU is more than a cyber story. It is a test of whether the state can design and run a model that manages systemic digital risk across organisational boundaries.

The parallels with other regulatory domains are clear. Financial supervisors trying to oversee common cloud platforms used by multiple banks, environmental regulators relying on shared data platforms that aggregate monitoring from dozens of operators, and health regulators dealing with outsourced diagnostics and digital records all face the same foundational question: who owns the risk, and how is it governed when no single organisation controls the whole system?

The GCU model answers that question by centralising ownership of certain classes of risk, creating shared services, mandating minimum standards, and trying to back this with better data, clearer accountability and targeted support. If it succeeds, it will demonstrate that a large, complex public sector can move beyond high-level strategies and periodic reviews to an operating model in which cyber resilience is treated as a shared, actively managed asset rather than a compliance obligation.

If it fails, the lesson will be more sobering. RUSI has already argued that the United Kingdom’s cyber strategy has “lost momentum” and that an approach which “continues to largely rely on market forces and voluntary measures” is “no longer sustainable”. 

The Action Plan is, in effect, the state’s response to that critique in its own backyard. Failure would not only prolong current vulnerabilities; it would also raise doubts about whether similar centralising experiments in other domains – from digital identity to shared regulatory platforms – can be made to work.

The stakes are therefore larger than one unit or one strategy: how the Government Cyber Unit performs will be an early test of whether states can move from fragmented defences to a genuinely shared model of digital resilience in practice, not just in policy.

Paul Leavoy

The Modern Regulator Managing Editor Paul Leavoy is a seasoned journalist and regulatory analyst with over two decades of experience writing about technology, public policy, and regulation.