On 6 January 2026, the UK Government published the Government Cyber Action Plan, setting out how cyber resilience is expected to be strengthened across central government, local authorities, public services, and the suppliers they rely on.
At face value, this is a delivery plan. It outlines how responsibility is organised, how capability will be developed, and how resilience will be measured and improved over time. It sits alongside the National Cyber Strategy and focuses on execution rather than aspiration.
But taken as a whole, the plan does something more significant than introduce new structures or funding. It reflects a shift in how cyber risk itself is being understood at a national level. Not as a technical failure to be eliminated, and not as a compliance problem to be managed, but as an operational reality that must be planned for, led through, and responded to when it inevitably occurs.
What is striking about the document is not any single control or initiative, but the assumptions it makes. It assumes systems will fail. It assumes suppliers will have incidents. It assumes people will be required to make decisions under pressure, often with incomplete information. From those assumptions, it builds an argument for preparedness, coordination, and human judgement as core components of resilience.
This matters because it moves cybersecurity away from the idea of perfect prevention and towards a more realistic model of risk, one that accepts complexity, interdependence, and uncertainty as normal features of modern digital services.
Although the Cyber Action Plan is formally aimed at government, the way it frames cyber risk will feel familiar to many organisations. The challenges it describes — legacy systems, supplier dependency, skills gaps, and the difficulty of responding calmly when things go wrong — are not unique to the public sector.
In that sense, this is not just a policy document. It is a statement of how cyber risk is now expected to be understood, owned, and managed in practice.
What the Cyber Action Plan Is Actually About
At its core, the Government Cyber Action Plan is not a strategy document. It does not attempt to redefine cyber threats, invent new principles, or introduce a novel security model. Its purpose is much more practical. It exists to turn years of high-level cyber strategy into concrete, measurable action across the public sector.
That distinction matters, because much of the frustration around cybersecurity policy comes from the gap between intention and reality. Strategies describe what “good” looks like. Action plans are about what actually changes on the ground.
The Cyber Action Plan is explicitly concerned with delivery. It looks at how cyber resilience is organised, funded, coordinated, and sustained across a system that is large, fragmented, and uneven in capability. It acknowledges that public services operate with different levels of maturity, different legacy constraints, and very different risk profiles, yet are increasingly dependent on shared digital infrastructure.
One of the clearest signals in the document is that cyber risk is no longer viewed as something that can be solved department by department. The plan treats it as a system-wide problem, where weakness in one area can have consequences elsewhere. This is why there is such a strong emphasis on central coordination, shared services, and common standards. Not to enforce uniformity for its own sake, but to reduce the fragility that comes from disconnected decision-making.
Another important aspect of the plan is its focus on operational reality rather than idealised security models. The document repeatedly references incidents, outages, and failures that have already happened, including those caused by suppliers, software updates, and internal misconfigurations. These are not presented as exceptional events, but as evidence of how modern digital systems behave under strain.
By including non-malicious incidents alongside hostile attacks, the plan broadens the definition of cyber risk. It is no longer just about defending against adversaries. It is about ensuring that public services can continue to function when technology behaves unpredictably. This reframing is subtle, but significant. It moves cybersecurity away from a narrow focus on threat actors and towards a broader concern with service continuity and public impact.
The plan also places heavy emphasis on accountability and visibility. It is not enough for organisations to believe they are secure. They must be able to demonstrate readiness, exercise response plans, and understand where their dependencies and weaknesses lie. This is why the document places such importance on assurance mechanisms, reporting, and the ability to measure progress over time.
Importantly, the Cyber Action Plan does not assume that improvement will come from a single intervention. Instead, it treats resilience as something that must be built and maintained continuously. Skills development, leadership engagement, supplier management, and incident response are all treated as ongoing capabilities, not one-off projects.
Taken together, the plan is less about cybersecurity in the abstract and more about governance, coordination, and preparedness in a digital world that is already fragile. It recognises that public services are now inseparable from the systems that support them, and that failure in those systems has direct consequences for people.
In that sense, the Cyber Action Plan is not asking organisations to become perfect. It is asking them to become honest about risk, deliberate about preparation, and coordinated in their response when things go wrong.
A Shift Away From the Idea of Perfect Prevention
For a long time, cybersecurity has been framed around the idea of prevention. The dominant assumption has been that with the right combination of tools, policies, and controls, organisations should be able to stop incidents from happening at all. When something did go wrong, it was often treated as evidence that a control had failed or that someone had not followed process.
The Cyber Action Plan takes a noticeably different stance.
Rather than starting from the question of how to prevent every incident, the document starts from the reality that incidents will occur. This includes hostile cyber activity, but also system outages, supplier failures, configuration errors, and unexpected interactions between complex technologies. These are not framed as edge cases. They are treated as part of the normal operating environment of modern digital services.
This matters because it changes what organisations are expected to prioritise. Instead of focusing exclusively on building ever more layers of prevention, the plan places increasing weight on preparation for disruption. This includes understanding how systems fail, where dependencies exist, and how quickly services can be restored when something goes wrong.
The plan repeatedly emphasises the importance of response and recovery alongside prevention. Not as secondary considerations, but as core capabilities. Organisations are expected to know how incidents will be handled, who will make decisions under pressure, and how information will be shared when time is limited. Exercises and testing are treated as essential, not optional, because plans that only exist on paper rarely hold up in practice.
By taking this approach, the Cyber Action Plan aligns cybersecurity more closely with other forms of operational risk management. In fields such as health and safety, emergency planning, or resilience engineering, failure is assumed. The objective is not to eliminate risk entirely, but to limit impact and prevent a single failure from escalating into widespread harm.
Importantly, this shift does not dismiss the value of preventative controls. The plan is clear that good security hygiene, technical safeguards, and risk management remain necessary. What it challenges is the idea that prevention alone is enough. When controls fail, or when events fall outside what controls were designed to handle, outcomes depend on how well organisations are prepared to respond.
In that sense, the Cyber Action Plan is not lowering expectations. It is raising them. It asks organisations to move beyond the comfort of believing that security can be solved through prevention alone, and to take responsibility for what happens when reality does not behave as expected.
Cyber Risk as a Leadership Responsibility
One of the clearest signals in the Cyber Action Plan is that cyber risk is no longer framed as something that sits neatly within IT or security teams. The document consistently treats it as an organisational responsibility, with leadership accountability at its core.
This is not because leaders are expected to understand the technical details of cyber threats or system architecture. The plan does not suggest that boards or senior managers need to become cybersecurity specialists. Instead, it recognises that the most significant consequences of cyber incidents are rarely technical. They are operational, reputational, and human.
When systems fail, services stop. Decisions need to be made quickly, often with incomplete information. Trade-offs are required between speed, safety, transparency, and continuity. These are not technical decisions. They are leadership decisions.
The plan reflects an understanding that cyber risk is inseparable from how organisations are led. Choices about investment, prioritisation, legacy systems, supplier relationships, and tolerance for disruption all shape how resilient an organisation really is. These choices are typically made well above the level of day-to-day technical management.
Another important aspect of this shift is the recognition that delegation does not remove accountability. While technical teams may be responsible for implementing controls and responding to incidents, leaders remain responsible for whether the organisation is prepared to cope when those controls fail. The plan places emphasis on visibility and assurance, not to create additional bureaucracy, but to ensure that senior decision-makers understand their organisation’s exposure and readiness.
This framing also challenges a long-standing habit of treating cyber risk as abstract or hypothetical. By tying cyber resilience directly to service delivery and public impact, the plan makes it harder for leadership to see cybersecurity as a background concern. It becomes something that directly affects people’s ability to access services, trust institutions, and rely on systems that are now fundamental to daily life.
In this context, leadership responsibility is less about setting policy and more about creating the conditions in which good decisions can be made under pressure. That includes clear ownership, realistic expectations, open reporting cultures, and a shared understanding of what matters most when something goes wrong.
The Cyber Action Plan does not frame this as a cultural aspiration. It treats it as a practical necessity. In complex, interconnected systems, resilience depends as much on how people lead and communicate as it does on how technology is configured.
The Role of People and Judgement
One of the most consistent threads running through the Cyber Action Plan is its focus on people. Not as a problem to be controlled, but as a capability that needs to be understood and supported.
This is a significant shift from how cybersecurity has traditionally been discussed. For years, human behaviour has been framed as the weakest link, something to be constrained through rules, automation, or removal of discretion. The underlying assumption has often been that people are the source of risk, and that better security means fewer decisions being left to humans.
The plan quietly challenges that view.
It recognises that many cyber incidents do not begin with technical failure alone. They begin with ordinary situations that require judgement. An unexpected request that appears legitimate. A supplier issue that creates urgency. A system behaving in a way that is confusing rather than clearly broken. In these moments, technology rarely provides clear answers. People do.
The document repeatedly returns to the idea that resilience depends on how decisions are made when systems and processes no longer guide behaviour. When information is incomplete. When time is limited. When there is pressure to keep services running.
In those situations, rigid rules are often insufficient. What matters is whether individuals understand the context they are operating in, feel confident to question what they are seeing, and know how to escalate concerns without fear of blame or embarrassment.
The plan’s emphasis on skills and capability reflects this reality. It is not limited to technical expertise. It includes the ability to recognise risk, to communicate clearly during uncertainty, and to act appropriately when something feels wrong but cannot yet be proven to be wrong.
This is where the idea of judgement becomes central. Good judgement is not about memorising rules or following scripts. It is about understanding intent, recognising patterns, and knowing when normal behaviour no longer applies. The plan treats this as something that can be developed through experience, discussion, and rehearsal, rather than enforced through policy alone.
Importantly, the document also acknowledges the environment in which people are asked to make these decisions. Pressure, workload, unclear ownership, and fear of consequences all shape behaviour. When people are expected to prioritise speed over caution, or compliance over clarity, mistakes become more likely and less visible.
By focusing on preparedness, exercises, and shared understanding, the Cyber Action Plan signals that resilience is built before an incident occurs. It is built through creating conditions where people feel able to pause, ask questions, and raise concerns early, rather than being rewarded for silent compliance.
This is a subtle but important reframing. Instead of asking how organisations can remove humans from the equation, the plan asks how organisations can better support the humans who are already there.
In doing so, it positions people not as a vulnerability to be managed, but as the final safeguard when systems behave in ways no control was designed to anticipate.
Why Supply Chains Feature So Prominently
Supply chains appear repeatedly throughout the Cyber Action Plan, not because supplier security is a new concern, but because the document treats interdependence as one of the defining characteristics of modern digital services.
Public services no longer operate in isolation. They rely on shared platforms, managed service providers, cloud infrastructure, software vendors, and specialist partners to function day to day. This creates efficiency, but it also creates concentration of risk. A single failure can affect many organisations at once.
The plan does not present this as a problem that can be solved through assurance alone. It acknowledges that even well-managed, well-assured suppliers will experience incidents. The risk, therefore, is not simply whether a supplier is secure, but how disruption is handled when something goes wrong.
By framing supply chains as a systemic risk, the plan shifts the focus away from blame and towards design. How dependencies are understood, how information flows during an incident, and how quickly organisations can adapt when a supplier fails all become central concerns.
This is why the plan places emphasis on visibility, coordination, and shared response, rather than assuming that risk can be fully transferred or outsourced. Trust remains necessary, but it is no longer treated as a control.
In this context, supply chain resilience is less about choosing the “right” suppliers and more about ensuring that failures do not cascade unchecked across interconnected services.
Incident Response and Recovery as Core Capabilities
Where the Cyber Action Plan becomes most practical is in its treatment of incident response and recovery. This is the point at which the document moves away from abstract discussions of risk and into the reality of what happens when something actually goes wrong.
The plan is clear that having response plans is not enough. Plans that exist only on paper, or that have never been exercised, are unlikely to hold up under real-world pressure. Instead, incident response is treated as a capability that must be developed, maintained, and tested over time.
This reflects an understanding that incidents rarely unfold in neat or predictable ways. Information is incomplete. Systems behave inconsistently. External parties may be involved. Decisions often need to be made before the full picture is clear. In those moments, the effectiveness of a response depends less on documentation and more on whether people have practised working together under uncertainty.
The plan places emphasis on clarity of roles and decision-making authority during incidents. When responsibilities are ambiguous, time is lost and risk increases. Knowing who is empowered to act, who needs to be informed, and how escalation works in practice is treated as essential, not optional.
Recovery is given similar weight. Restoring systems is only part of the process. Organisations must also manage communication, prioritise services, and make deliberate choices about what is brought back online and when. These are not purely technical decisions. They involve judgement about impact, risk, and public confidence.
The document repeatedly returns to the idea that resilience is revealed during disruption, not before it. Exercises, simulations, and rehearsals are therefore positioned as critical mechanisms for learning, not compliance artefacts. They expose gaps in understanding, surface assumptions, and allow organisations to improve before those gaps are exposed by a real incident.
Importantly, the plan also acknowledges the human dynamics of incident response. Pressure, fatigue, fear of blame, and uncertainty all shape behaviour during a crisis. Effective response depends on environments where people feel able to report issues early, challenge assumptions, and communicate openly without hesitation.
In this way, incident response and recovery become collective skills rather than isolated procedures. They rely on shared understanding, trust, and experience built over time. The Cyber Action Plan treats these capabilities as foundational to resilience, recognising that when systems fail, it is people — working together under pressure — who determine the outcome.
How the Cyber Action Plan Fits With Existing Obligations
The Cyber Action Plan does not introduce new legal duties in the way that legislation such as GDPR does, nor does it replace established frameworks like ISO 27001 or sector-specific standards such as PCI DSS. Instead, it sits alongside them, providing context for how those obligations are expected to function in practice.
Where existing regulations and standards tend to focus on what organisations should have in place, the Action Plan is concerned with how those things behave under pressure. It assumes that policies, controls, and governance structures already exist to some degree, and then asks a more difficult question: what happens when they are tested by real-world disruption?
This is why the document places so much emphasis on preparedness, response, and recovery. Compliance frameworks are largely static. They define requirements, controls, and responsibilities. The Cyber Action Plan focuses on the dynamic moments that sit between those requirements, when decisions need to be made quickly and imperfect information is all that is available.
In this sense, the plan does not compete with existing obligations. It complements them. GDPR still governs how personal data must be protected and how breaches are handled. ISO 27001 still provides a structured approach to managing information security risk. PCI DSS still applies where payment card data is involved. What the Action Plan adds is an expectation that these obligations are not treated as endpoints, but as foundations.
The emphasis shifts from demonstrating compliance to demonstrating resilience. Not whether controls exist on paper, but whether organisations can continue to operate, protect people, and recover trust when those controls are strained or fail.
A Quiet but Important Change in Direction
The Government Cyber Action Plan does not announce a dramatic overhaul of cybersecurity policy. It does not promise to eliminate cyber risk, nor does it introduce sweeping new rules. In many ways, it is deliberately understated.
That is precisely why it matters.
Rather than chasing the language of transformation or innovation, the plan reflects a more mature understanding of how cyber risk actually behaves. It accepts complexity. It acknowledges fragility. It recognises that modern digital systems are deeply interconnected and that disruption, whether malicious or accidental, is inevitable.
This marks a subtle but important change in direction. For years, much of the conversation around cybersecurity has been dominated by the idea of prevention and control. The implicit promise has been that if organisations follow the right frameworks and implement the right tools, failure can be avoided. When incidents occurred, they were often framed as exceptional or avoidable.
The Cyber Action Plan quietly moves away from that narrative. It does not lower expectations, but it reframes them. The emphasis shifts from trying to prevent every possible incident to ensuring that organisations can withstand disruption without losing control, confidence, or trust.
What stands out is how consistently the document returns to people, decision-making, and preparedness. Resilience is not presented as something that emerges automatically from compliance or technology. It is presented as something that is built deliberately, through leadership, shared understanding, and practice.
From a Cyber Rebels perspective, this shift is significant because it aligns closely with what we see in the real world. Most organisations do not fail because they lack policies. They fail because, when something unexpected happens, people are unsure how to respond, afraid to escalate, or pressured to prioritise speed over judgement.
The plan’s focus on response, recovery, and human capability reflects an acceptance that cybersecurity is ultimately about behaviour under pressure. Tools and frameworks matter, but they only take organisations so far. When systems behave in ways no control was designed to anticipate, outcomes depend on how people think, communicate, and act.
What is encouraging about the Cyber Action Plan is that it says this openly, without framing it as a weakness. It treats human involvement not as a liability to be minimised, but as a reality to be supported. That is a more honest foundation for resilience than the promise of perfect prevention.
This does not make cybersecurity simpler. It makes it more grounded. It recognises that resilience is not achieved through paperwork alone, but through preparedness that is lived rather than documented.
In that sense, the Cyber Action Plan does not introduce a radical new idea. It brings official recognition to a reality that many organisations already experience. Cyber risk is not something that can be fully designed away. It must be understood, managed, and responded to by people who are prepared to deal with uncertainty.
That quiet acknowledgement is what makes this plan important. It signals a move away from performative security and towards a more realistic, human-centred understanding of what it takes to keep organisations functioning when things do not go to plan.
Director of Training and Development, Cyber Rebels.
Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure.
With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices.
He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments.
Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.