As part of a broader cybersecurity push, the UK’s Department of Science, Innovation, and Technology (DSIT) presented a new Government Cyber Action Plan (GCAP) on January 6. The plan introduces new cybersecurity guidance that will have direct impacts on supplier relationships, particularly as it relates to the centralization of the UK’s cyber authority and modifications to procurement processes. The plan also signals how the UK Government is thinking about cybersecurity risk in 2026 and beyond.
Context
The UK’s cyber systems are under tremendous strain. An independent report published by the UK Government in November 2025 estimates that significant cyber attacks could set the UK economy back £14.7 billion annually, representing 0.5% of the country’s GDP.
Accordingly, shoring up cybersecurity has become a key policy imperative for the Labour government. Last week, the highly-anticipated Cyber Security and Resilience Bill (CSR) underwent its second reading in Parliament. Originally introduced in November 2025, the CSR aims to modernize outdated regulations from 2018 and affords regulators more scope to hold the private sector accountable for cyber outcomes. However, there has been marked debate about the bill’s exclusion of the public sector in its sweeping regulatory changes.
Coinciding with this development, DSIT presented the GCAP last week, which details a new public sector-focused cybersecurity mandate. The timing of this release is likely no accident, given that it relieves some pressure from the criticism of the CSR as too narrowly focused on private businesses.
Together, the CSR and GCAP lay the foundation for a larger cybersecurity “refresh,” culminating in a sweeping National Cyber Action Plan anticipated later this year. Although the GCAP has a much narrower scope than its counterpart in Parliament, it still offers important insights for the cybersecurity industry.
Cyber Risk as a Moving Target
The Government’s previous Cyber Security Strategy published in 2022 set an ambitious goal of equipping “all government organisations to be resilient to known vulnerabilities and attack methods” by 2030. The new GCAP candidly acknowledges that the Government will fail to meet this target and accepts that cyber threats are advancing faster than government systems can adapt to them.
The new Cyber Plan outlines a phased, open-ended strategy to modernize legacy systems and enhance Government cybersecurity. The flexibility of the plan allows for continuous iteration and improvement of cybersecurity competencies from 2029 onwards. Backstopped with a £210 million investment, the Plan has three main phases:
- Phase 1 (by April 2027): Build out a new model for government cyber, anchored by the establishment of a new Government Cyber Unit.
- Phase 2 (by April 2029): Scale and leverage the Cyber Unit and integrate new cyber guidance across government.
- Phase 3 (April 2029 and beyond): Improve government-wide cyber security and resilience on a continuous basis.
Takeaways for Industry:
- Ensure Secure By Design (SbD) language is integrated into supply tenders and related marketing materials.
- Showcase your ability to facilitate pilots, simulations and exercises, particularly related to intelligence-driven detection and control libraries.
- Illustrate post-event response and recovery capabilities as well as the ability to provide clear, timely and transparent communication during incidents.
Centralizing Cyber Management
The flashiest element of the new plan is the introduction of a new central body, the Government Cyber Unit. This centralization of cybersecurity management departs from the 2022 strategy, which empowered individual government offices and departments to “manage their cyber risks.” However, cyber risk often cuts across departments, where a single point of failure could have wide-reaching impacts.
The new Unit will be responsible for driving government-wide cybersecurity initiatives and will provide targeted, active support and guidance for government organizations. The establishment of the Unit is a priority of Phase 1 of the GCAP set to be completed in April 2027.
Competencies of the new Government Cyber Unit include:
- Establishing a technical advisory function, a community of practice and an appropriate delivery mechanism for cybersecurity guidance to departments;
- Supporting government organizations through the expansion of the “Cyber Uplift” program;
- Developing a plan for post-quantum cryptography transitions; and
- Improving partnership agreements with strategic suppliers, which are companies that enter into especially large or critical relationships with the Government, typically totalling over £100 million.
Takeaways for Industry:
- Expect intermediation or influence from the central Cyber Unit on potential or existing contracts with individual departments and offices.
- Emphasize whole-of-chain cybersecurity capabilities and ability to adapt as legacy systems modernize.
- Look for inroads to support DSIT’s forthcoming post-quantum cryptography plan and develop appropriate supplier marketing strategy.
Clear Accountability Lines
The GCAP aligns with the Government’s broader aim to clarify accountability for cyber incidents, both within government and in the private sector. The Plan outlines new responsibilities for government organizations entering into contracts with suppliers, including “applying appropriate mechanisms to ensure that supply chain organisations understand their accountability and responsibility for government cyber security and resilience.” Although it is unclear what precise changes this would make to procurement processes, the plan signals that cybersecurity outcome ownership will become a more prominent component of technology supplier contracts. This is notable in the context of the UK Government’s broader procurement refresh that went into effect last February, which aimed to make the general process more agile for smaller companies to compete for public sector contracts.
For the 39 companies currently designated as strategic suppliers, this element of the GCAP is particularly relevant. Strategic supplier procurement differs from general contracts in that the process is overseen by a designated Crown Representative, a single person responsible for overseeing all of that supplier’s public sector contracts across all departments. These working relationships have been governed by somewhat informal MOUs since 2011. The GCAP tasks the newly-formed Government Cyber Unit with “formalizing strategic partnership agreements” with strategic suppliers.
Takeaways for Industry:
- Contracts of all sizes will be subject to new “appropriate mechanisms” for allocating cybersecurity accountability and responsibility, though specific details are forthcoming.
- Technology suppliers working on critical projects could be designated as strategic suppliers even if their total revenue is under the typical £100 million threshold. As the Government’s cybersecurity priorities come into greater focus, companies should be aware that their contracts could fall under this designation.
Interested parties can engage DSIT on upcoming cybersecurity priorities through its open survey, “Mapping of the AI and Software cyber security services market.”