The proposed legislation aims to deliver a “step change” in the UK’s cyber resilience
The UK government has released new research outlining the growing economic and national security impact of cyber attacks, which now rank among the country’s most significant threats. As digital systems expand and billions of devices become interconnected, the government’s Plan for Change aims to reinforce national cyber defences and protect essential services from increasingly sophisticated state-backed and criminal actors.
According to the government’s summary, the scale of the threat is “undeniable.” The National Cyber Security Centre (NCSC) managed 204 significant or highly significant cyber incidents in the 12 months leading to September 2025 averaging one major incident every two days. These events involved serious disruptions to essential services, public safety, or economic stability. Over the past year, 43 per cent of UK businesses more than 600,000 organisations reported experiencing a cyber breach or attack.
In response, the government is preparing a refreshed National Cyber Strategy, which will outline the collective actions required to counter rising cyber threats and strengthen national resilience. The updated strategy will be developed in collaboration with businesses, regulators, law enforcement, devolved governments, and the public. Officials said the refresh will reaffirm the UK’s position as a global cyber leader by taking a “proactive, strategic, and collaborative” approach to national security.
Last week, the government introduced the Cyber Security and Resilience (Network and Information Systems) Bill, designed to strengthen protections for critical services such as water, energy, healthcare, transport, and digital infrastructure. The bill replaces the outdated Network and Information Systems Regulations 2018, which ministers say no longer reflect the scale or complexity of current cyber risks.
The proposed legislation aims to deliver a “step change” in the UK’s cyber resilience, reducing business disruption, preventing critical service outages, and reinforcing economic stability. It is expected to help lower operational costs for organisations, increase investor confidence, and support long-term growth in the domestic cyber sector.
Alongside legislative reforms, the government is ramping up support for businesses. The Cyber Essentials programme issued over 51,000 certifications in the year to June 2025, with organisations meeting its requirements reporting 92 per cent fewer insurance claims related to cyber incidents. Senior leaders are also being guided through the Cyber Governance Code of Practice, backed by training to help boards implement essential resilience measures.
To promote safer digital products, the government has published new codes of practice for apps, software, and AI, with enterprise technology guidelines expected next. These initiatives sit alongside new product security legislation aimed at raising baseline security in consumer and enterprise devices.
The NCSC continues to expand its defensive capabilities. Its Share and Defend service blocks malicious websites at scale and helps prevent cyber-enabled fraud across public and business networks. The centre also provides extensive online guidance, including the Cyber Assessment Framework, which helps critical national infrastructure operators assess and mitigate cyber risks.
