The UK Government has published its Government Cyber Action Plan, setting out how it will strengthen cyber security and resilience across public services. Published in January 2026, the Plan recognises that cyber risk to government is high and increasingly systemic, and that existing approaches have been too fragmented and inconsistent. Rather than setting new ambitions, the Plan focuses on delivery, assurance and accountability.
At its core, the Action Plan aims to ensure that digital public services are secure, resilient and trustworthy, treating cyber risk as a fundamental operational risk rather than a purely technical concern.
What is the Plan and what does it change?
The Government Cyber Action Plan is a cross-government delivery framework that builds on the Government Cyber Security Strategy. It introduces clearer expectations for departments, sustained central oversight, and more than £200 million of investment to address long-standing weaknesses, including legacy technology, skills shortages and uneven assurance practices.
A key change is the creation of the Government Cyber Unit (GCU), which coordinates cyber risk management across government, monitors assurance outcomes, tracks progress against agreed targets and escalates systemic risks affecting multiple organisations. For senior leaders, this marks a clear shift: cyber resilience can no longer be delegated solely to IT, OT or security teams. Leaders will be expected to evidence measurable improvement against NCSC Cyber Assessment Framework (CAF) outcomes and to explain where material risks remain.
Who does it affect?
The Plan primarily applies to central government departments, arm’s-length bodies (ALBs), and public sector organisations that fall under government cyber assurance regimes. This covers around 25 central government departments, several hundred ALBs, and a significant proportion of NHS organisations.
The focus is on strengthening cyber resilience within central government and the wider public sector, rather than on introducing new regulatory powers over private-sector operators. Energy, water, transport and telecoms operators remain regulated by their existing sector regulators. However, suppliers and shared service providers should expect rising assurance expectations as departments are held to stronger cyber standards and pass those requirements down their supply chains.
Assurance, CAF and NCSC Secure by Design
The Plan reinforces the Cyber Assessment Framework (CAF) as the standard mechanism for assessing cyber resilience across government, with GovAssure providing structured assurance and scrutiny. CAF outcomes become the common language for understanding cyber maturity, risk and improvement priorities.
The National Cyber Security Centre (NCSC) remains the UK’s national technical authority for cyber security. The Action Plan aligns delivery with NCSC guidance, including the CAF and the Secure by Design principles, so that NCSC guidance underpins CAF outcomes and informs remediation activity across government.
How does it fit with future legislation?
While the Action Plan does not introduce new statutory duties, it is closely aligned with the forthcoming Cyber Security and Resilience Bill (CSRB). Public bodies are currently outside the direct scope of the CSRB, so the Action Plan is the primary mechanism for embedding assurance, oversight and accountability across central government and the wider public sector, ahead of the wider statutory cyber obligations the CSRB will place on regulated sectors.
Why it matters
The Government Cyber Action Plan marks a shift from cyber security as “best practice” to business as usual. By combining CAF-based assurance, NCSC Secure by Design principles, and central oversight through the GCU, it lays the foundations for more resilient public services and a more regulated cyber future.
Find out more
To discover how we can help you integrate resilience, meet regulatory expectations, and drive secure growth: