The UK Government’s newly published Cyber Action Plan (January 2026) represents a watershed moment for public sector cyber security. While the plan primarily targets government departments and public sector organisations, it sends clear signals about the standards and expectations that will increasingly cascade into the private sector through supply chain requirements, regulatory frameworks, and the Cyber Security and Resilience Bill.
As a CISO working with organisations across multiple sectors, I see this plan as a roadmap not just for government, but for any business serious about cyber resilience. Here’s what you need to focus on now.
The reality check: Cyber risk is critically high
The State of Digital Government Review didn’t pull punches in declaring cyber risk to the public sector “critically high.” Nearly a third of government technology is legacy, and fundamental controls such as asset management and protective monitoring show widespread low maturity. If government is facing these challenges, private sector organisations should ask themselves: are we any better prepared?
The plan’s acknowledgment that the original 2030 resilience target is unachievable tells us everything about the scale and pace of the threat. Adversaries are moving faster than defences, and the technical debt from years of underinvestment is coming due.
Five critical areas to address
- Clear Accountability and Risk Ownership
The plan establishes unambiguous ownership of cyber risk at the Accounting Officer level, with board members required to have cyber expertise. This isn’t just a government requirement anymore. Your board needs members who genuinely understand cyber risk, not just individuals who nod along during security updates.
Action: Ensure your C-suite and board have designated cyber risk owners with genuine authority and understanding. The plan specifies that Accounting Officers must appoint an informed board member with cyber security and resilience expertise. If your CEO can’t articulate your organisation’s top three cyber risks, you have work to do.
- Supply Chain Assurance
Government departments will be required to assure the cyber security and resilience of their supply chains, with strategic suppliers held to formal partnership agreements. By Phase 3 (April 2029 and beyond), the plan targets at least 90% of lead government departments and 50% of arm’s-length bodies undertaking supply chain assurance, with a minimum requirement of annual Cyber Essentials checks.
If you supply government or critical infrastructure, expect increased scrutiny. But more broadly, the vulnerabilities in your supply chain are your vulnerabilities: a weakness in a supplier’s security becomes a weakness in yours.
Action: Start implementing rigorous third-party risk assessments now. Cyber Essentials should be your baseline, not your ceiling. Build security schedules into contracts and conduct regular supplier audits.
- Legacy Technology Remediation
The elephant in the room is legacy technology. The plan reveals that nearly 28% of the government technology estate is legacy technology, which is “highly vulnerable to attack.” The document states that legacy systems “often cannot be defended by modern cyber security measures” and explicitly calls for departments to “urgently invest in replacing legacy systems and fixing foundational vulnerabilities.”
Many organisations have kicked this can down the road for years. The Government Cyber Action Plan makes clear this approach is no longer viable.
Action: Conduct an honest assessment of your technology estate. Identify systems that can’t support modern security controls and develop a costed remediation plan. If you can’t replace them immediately, implement compensating controls and accept the residual risk with eyes wide open.
- Incident Response Preparedness
The establishment of the Government Cyber Incident Response Plan and mandatory exercising requirements signals a shift from theoretical planning to practical preparedness. The plan expects 100% of organisations to have comprehensive incident response plans and to regularly exercise them.
Action: Don’t just have an incident response plan; test it. Run tabletop exercises. Engage your leadership team. Ensure you have access to incident response capabilities, whether in-house or through retainers. The time to figure out your response isn’t during an actual incident.
- Security Culture and Skills
Perhaps most importantly, the plan recognises that technology alone won’t solve the problem. The establishment of a Government Cyber Profession, mandatory cyber awareness training for leaders, and the emphasis on a “Defend as One” culture together reflect a holistic understanding of cyber resilience.
Action: Invest in your people. Ensure cyber security awareness training is role-specific and engaging, not just annual box-ticking. Build security champions across business functions. Make security everyone’s job, not just IT’s problem.
The Secure by Design imperative
The plan’s embrace of “Secure by Design” principles is particularly significant. Security must be embedded from the planning stage through procurement, configuration, and decommissioning. This approach will increasingly become non-negotiable in government procurement and regulated sectors.
If you’re building products or services for government or critical infrastructure, you need to demonstrate security is built in, not bolted on afterward.
Looking ahead: Regulatory convergence
The Government Cyber Action Plan doesn’t exist in isolation. It explicitly references the Cyber Security and Resilience Bill, which will mandate cyber security measures for essential and digital services across healthcare, water, transport, and energy sectors.
The direction of travel is clear: standards being set for government will flow through to regulated sectors and then to their supply chains. Rather than waiting for mandatory requirements, forward-thinking organisations will adopt these principles now.
Final thoughts
The Government Cyber Action Plan is refreshingly honest about the scale of the challenge and the inadequacy of previous approaches. Its emphasis on clear accountability, practical action, and cultural change over technological silver bullets is exactly right.
For businesses, the question isn’t whether these standards will affect you, but when. The organisations that get ahead of this curve by implementing robust governance, addressing legacy technology, building genuine incident response capability, and investing in security culture will be the ones that thrive.
The organisations that wait for compliance deadlines will find themselves perpetually reactive, expensive to defend, and ultimately vulnerable.
The time to act is now. The government has laid out the blueprint. Will your organisation follow?
Contact us today to discuss any of your cyber security needs.