It’s not often the government admits it was wrong. Yet at the start of the year, we were treated to a rare mea culpa: a recognition that a previous target to make Whitehall resilient to all known vulnerabilities and attack methods would not be achievable by 2030. That admission was buried away in the text of the Cyber Action Plan (CAP), the latest effort by the latest administration to improve the security posture of central government.

It’s a detailed plan with plenty of promise, and one which will have an impact far beyond the public sector. But is it enough?

Why Government Needs a Plan

That the government needs a plan to bolster cyber resilience is not in doubt. A Government Security Group (GSG) assessment in 2023-24 found that 58 critical departmental IT systems had “significant” security gaps, creating “extremely high” risk. A separate National Audit Office (NAO) report last year found that 28% of 228 legacy IT systems had a high likelihood of operational and security risks occurring. Skills gaps and funding shortages have worsened the picture, the NAO report said.

Since then, there have been major breaches at the Legal Aid Agency and at an Afghan settlement scheme, the latter of which could cost the taxpayer hundreds of millions of pounds, as well as at least two serious security incidents at MoD contractors. At a time when money is in short supply and public services are declining, the government can ill afford more costly breaches, or anything that imperils much-needed digital transformation.

The CAP points to multiple failings:

  • Institutionalised fragmentation
  • Persistent legacy, cybersecurity and resilience risk
  • Siloed data
  • Under-digitisation
  • Inconsistent leadership
  • A digital skills shortfall
  • Diffuse buying power
  • Outdated funding models

What’s in the CAP?

The CAP promises a “strong, centralised approach, with clear direction and active leadership”, which will set clear expectations of how departments should manage security and resilience through more measurable objectives and outcomes. The overarching goal is to improve visibility into cyber risk and deliver stronger centralised action on the toughest challenges (those that can’t be handled by departments on their own). It promises to improve the speed and quality of incident response and to provide centralised support for remediating legacy issues.

To achieve its goals the CAP sets out three phases for implementation:

Phase 1 (by April 2027): Establishing a Government Cyber Unit, implementing accountability frameworks, launching a cross-government Cyber Profession to attract, upskill and retain cyber professionals, and publishing a Government Cyber Incident Response Plan.

Phase 2 (April 2027-2029): Scaling the CAP through data-driven decision-making, as well as delivering cyber-support services, and scaling response capabilities.

Phase 3 (April 2029+): Continuous improvement through the sharing of central data insights, offering services at scale, leveraging the Cyber Profession for transformation, and making sure departments proactively assure cyber risk across their supply chains.

The government claims that, by enabling it to securely digitise public services, the CAP could unlock as much as £45bn in productivity savings. Yet it has only allocated £210m to the initiative.

Separately, it launched a new Software Security Ambassador Scheme to drive adoption of the Software Security Code of Practice – a voluntary initiative aimed at minimising software supply chain risk and disruption. Cisco, Palo Alto Networks, Sage, Santander, NCC Group and others have agreed to become ambassadors. They will champion the code across sectors, “showcasing practical implementation, and providing feedback to inform future policy improvements”.

Suppliers in the Spotlight

Tristan Watkins, director of services innovation at IT services company Advania UK, broadly welcomes the CAP as being “underpinned by clear-eyed assessments of our current root problems”. He argues that it will mean different things to different suppliers.

“The government’s ‘strategic suppliers’ will have cybersecurity and resilience requirements built into their agreements, which we can expect to come into force by March 2027,” he tells IO. “These details are still to be pinned down. For other suppliers, we can expect to have more clarity after April 2027, which is the first milestone for establishing the Government Cyber Unit.”

Nick Dyer, regional VP of solutions engineering at Arctic Wolf, claims that suppliers will, at a bare minimum, be expected to carry out annual Cyber Essentials checks if they want to remain compliant. Keiron Shepherd, senior solution architect at F5, agrees. “Suppliers should be ready for more in-depth assessments and tighter reporting expectations,” he tells IO. “This shift towards continuous assurance is a stronger approach than current point-in-time compliance.”

A Work in Progress

However, neither expert believes the funding announced will be sufficient. Arctic Wolf’s Dyer says it will “certainly not be enough” to achieve the hoped-for results.

“Sustained investment and adherence to the roadmap set out by the government will be critical to its success,” he tells IO. “The proposed three-stage approach leading up to full implementation by early 2027 is a practical one. However, its success will depend on commitment. Priorities can shift and circumstances can change in a year, meaning continued oversight is essential to ensuring the plan delivers its intended outcomes.”

There are also question marks over the Software Security Ambassador Scheme. Advania UK’s Watkins welcomes the initiative but argues that organisations shouldn’t take it as a sign to ease off on supply chain risk management.

“Ultimately, the code of practice and the scheme should be seen as good counterparts to the new CAP and the Cyber Security and Resilience Bill, reaching a related concern in a timely way,” he says. “But I would recommend that organisations focus their internal security efforts on software supply chain concerns, as we can’t rely on a code of practice to satisfy those needs.”

Arctic Wolf’s Dyer goes further, warning that, as a voluntary code, it may lead to “inconsistent adoption” across organisations.

“Mandating the code, on the other hand, would increase the consistency of adoption and make accountability measurable,” he adds. “Legally enforcing it would ensure software developers meet essential security practices which would arguably have been a more effective way to protect critical government systems.”

F5’s Shepherd agrees. “The scheme is constructive, but if the ambition is to reduce risk across the entire software supply chain, voluntary measures alone won’t achieve this,” he concludes. “We will soon reach a point where mandating secure-by-design style standards will be the most effective way to achieve consistency and close the gaps.”