UK injects just £210M into cyber plan to stop Whitehall getting pwnd

The UK today launches its Government Cyber Action Plan, committing £210 million ($282 million) to strengthen defenses across digital public services and hold itself to the same cybersecurity standards it’s imposing on critical infrastructure operators.

The funding will establish a Government Cyber Unit, led by the UK’s CISO and overseen by the Department for Science, Innovation and Technology (DSIT), to improve risk identification, incident response, and recovery capabilities.

The unit will also create a dedicated Government Cyber Profession, elevating cybersecurity from its current placement under the broader Government Security Profession.

Announced alongside the second reading of the Cyber Security and Resilience Bill, the plan subjects government departments to the same security requirements as cloud providers, search engines, and operators of critical infrastructure, including datacenters. The UK estimates this investment will save up to £45 billion annually across the public sector.

“Cyberattacks can take vital public services offline in minutes – disrupting our digital services and our very way of life,” said digital minister Ian Murray.

“This plan sets a new bar to bolster the defenses of our public sector, putting cybercriminals on warning that we are going further and faster to protect the UK’s businesses and public services.”

The announcement follows mounting security failures. The Foreign Office confirmed an October intrusion widely attributed to Chinese state-sponsored actors, while the Legal Aid Agency – overseen by the Ministry of Justice – suffered a major breach in April.

A scathing report by the National Audit Office (NAO) twelve months ago found 58 of 72 critical IT systems it reviewed across central government contained “multiple fundamental system controls that were at low levels of maturity.”

Further, ministers were advised that government security risk is “extremely high.” In March 2024, auditors identified at least 228 legacy systems, 28 percent of which were flagged as having a high likelihood of operational and security risks.

DSIT also today launched a Software Security Ambassador Scheme to drive adoption of its Software Security Code of Practice. Initial ambassadors include Cisco, NCC Group, Palo Alto Networks, Sage, and Santander, who will champion secure development practices and contribute to future policy.

The initiative mirrors CISA’s Secure by Design pledge, which recruited more than 340 organizations in 2024 to commit to improvements like multi-factor authentication and mandatory patching.

Some onlookers pointed out the size of the £210 million funding pot in the context of the financial disaster that Jaguar Land Rover faced in 2025.

“£210 million sounds impressive until you remember the Jaguar Land Rover hack cost 0.5 percent of GDP. That’s the real benchmark here. Not whether we have a plan, but whether this plan can actually plug holes faster than an army of attackers find them,” said Colette Mason, author and consultant at Clever Clogs AI.

“The Government Cyber Unit is operating within a sprawling patchwork of national and international suppliers, contractors and legacy systems holding up every digital service. You can’t secure a leaky bucket by pouring in more money if you haven’t mapped and patched every crack first.”

Craig Wentworth, principal analyst at TechMarketView, said of the action plan: “the challenge extends beyond funding to legacy infrastructure, fragmented estates, and the expanding attack surface created by rapid digital transformation itself.

“Suppliers demonstrating security-by-design architectures and transparent supply chain practices will find receptive audiences; those promising rapid transformation without addressing fundamental vulnerabilities will struggle.” ®