Skip to content
All Blogs

Inside the UK's £210m cyber action plan

Published
Inside the UK's £210m cyber action plan
Inside the UK's £210m cyber action plan
2:49

 

 


TL;DR

 

On 6 January 2026, the UK government published its Cyber Action Plan, backed by over £210 million and a new Government Cyber Unit within DSIT. It holds public-sector bodies to the same standards being imposed on critical infrastructure, and its findings, especially on legacy technology and rising incident volumes, are a wake-up call for every UK organisation, not just government.

The UK government has put a number on its cyber ambitions. The Government Cyber Action Plan, published on 6 January 2026 to coincide with the CSR Bill's Second Reading, is backed by over £210 million of investment and led by a new Government Cyber Unit within the Department for Science, Innovation & Technology (DSIT), headed by the UK Government's CISO. It is a statement that the government intends to hold itself to the standards it is now demanding of critical infrastructure operators.

 

The plan's diagnosis is sobering. It estimates that nearly a third (28%) of the government technology estate is legacy technology and therefore highly vulnerable to attacks. Against that, it frames a significant prize: full digitisation of public sector services could unlock over £45 billion per year in savings and productivity benefits.

 

The threat context cited alongside it, drawn from the NCSC's Annual Review 2025, is starker still: 204 of 429 incidents handled by the NCSC in the year to August 2025 were nationally significant, more than double the 89 recorded the year before.

Why should a private-sector GRC leader care about a public-sector plan?

This national initiative signals the direction of travel. The same expectations, measurable outcomes, faster patching, and resilience treated as core business risk are being written into the CSR Bill that will govern private operators. The legacy-technology finding is also universal: most organisations carry systems they can't easily secure or even fully see, and those blind spots are exactly where risk concentrates.

 

Closing that visibility gap is a governance problem before it is a technology one. 6clicks helps organisations map their control environment, capture evidence continuously, and give leadership a real-time view of where controls are strong, where evidence is stale, and where remediation is underway, including across the legacy and restricted systems that cloud-first tools often can't reach. On Sovereign GRC Infrastructure, that oversight extends into on-premises and air-gapped environments without sacrificing UK data residency, so the systems most likely to be "highly vulnerable" are the ones you can actually govern.

Frequently asked questions

A UK government strategy published on 6 January 2026 to strengthen public-sector cyber resilience, backed by over £210 million and a new Government Cyber Unit in DSIT. 

It signals the standards and outcomes-based expectations that the CSR Bill will extend to private operators, and its findings on legacy tech and incident volumes apply broadly. 

That an estimated 28% of the government technology estate is legacy and therefore highly vulnerable to attack. 

Of the 429 incidents responded to by the UK National Cyber Security Centre in the year to August 2025, 204 were nationally significant, more than double the previous year's 89. 

 

 

Turn national strategy into your action plan. Meet the 6clicks team at our in-person UK roadshow to see how leading organisations are closing their legacy-tech visibility gaps. Save your seat. 

Ready to transform GRC with 6clicks?

Let’s show you how it works for your team.

awards-mobile-v3