# UK's National Cyber Action Plan Stalled Amid Political Turmoil, Raising Security Concerns
Britain's ambitious **National Cyber Action Plan**, designed to bolster the economy against state-backed and criminal hacking, has been delayed again following Prime Minister **Keir Starmer**'s resignation. This marks another setback for critical cybersecurity initiatives in the UK, fueling concerns about the political prioritization of national digital defenses.
Britain's highly anticipated **National Cyber Action Plan**, a comprehensive strategy aimed at fortifying the wider economy against sophisticated state-backed and criminal hacking threats, has been postponed. The delay, attributed to the political uncertainty surrounding the governing Labour Party's leadership contest, casts a shadow over the UK's commitment to cybersecurity.
Initially slated for publication this Monday, the plan's unveiling is now on hold, with the leadership contest set to open on July 9. A government spokesperson affirmed their commitment to the plan, stating, "Protecting national security is our first duty, which is why we're taking action: strengthening our defenses through the **Cyber Security and Resilience Bill**, improving businesses' security with the national **Cyber Resilience Pledge**, and providing expert support to organizations across the country every day through the **National Cyber Security Centre**."
Despite the broader delay, a key component of the launch is still expected to proceed: a number of **FTSE 350** companies are set to sign the government's **Cyber Resilience Pledge** on Tuesday, a voluntary commitment to enhance their digital defenses.
## A History of Delays
The **National Cyber Action Plan** was first conceptualized as an update to Britain's **National Cyber Strategy 2022**. Its timeline has consistently shifted, from an initial promise by then-Chancellor of the Duchy of Lancaster **Pat McFadden** for a pre-2025 release, to "this summer" by Security Minister **Dan Jarvis** in April 2026, alongside a rebranding from a "strategy" to an "action plan."
This latest postponement is not an isolated incident. The **Cyber Security and Resilience Bill (CSRB)**, intended to update the country's critical infrastructure cyber laws, took over four years to reach Parliament and is now not expected to be enforced until 2028, a decade after the **NIS Regulations** it was meant to replace. Even proposals for mandatory ransomware attack reporting, a licensing regime for extortion payments, and a ban on ransoms for critical infrastructure were scuppered when **Rishi Sunak** called a general election.
## Cybersecurity as a Low Political Priority?
The repeated delays contribute to a growing concern among cybersecurity professionals that national digital defense remains a low political priority in Westminster. This sentiment was echoed during the 2024 election campaign, where a ransomware attack on pathology provider **Synnovis** by the Russia-linked **Qilin** group forced London hospitals to declare a critical incident, yet neither main party addressed the attack in detail.
"Fundamentally, until there is a major incident... [cybersecurity] is just not going to get the coverage or the political will it deserves," commented **Jamie MacColl**, a research fellow at the **Royal United Services Institute (RUSI)**.
**Tim Stevens**, who leads the cybersecurity research group at **King's College London**, added that cyber has "always been a de-politicized" issue in Britain, treated as "low politics." He warned, "Once you make it a political issue, if you don't fix it, it can come back and bite you on the ass."
Past incidents underscore the economic impact of such inaction. A September 2025 cyberattack on **Jaguar Land Rover (JLR)**, one of Britain's largest manufacturers, halted vehicle production for over a month. The **Cyber Monitoring Centre** estimated this to be the most economically damaging cyber event ever to hit the UK, costing the British economy £1.9 billion ($2.5 billion) and affecting over 5,000 organizations in JLR's supply chain.
## Inside the National Cyber Action Plan
While official details are scarce, the **National Cyber Action Plan** is understood to encompass three core pillars: Threat, Growth, and Resilience.
**Richard Horne**, the **NCSC**'s chief executive, offered the clearest public glimpse into the government's approach in a June lecture to **RUSI**. He advocated for a "full court press" across the "near, mid and far spaces" of cyberspace, a framework expected to shape the plan's structure.
* **Near space**: Focuses on the defense of individual organizations.
* **Far space**: Encompasses offensive actions against adversaries.
* **Mid space**: Refers to the shared "cloud, technology and telecommunications infrastructure," much of which is privately owned. Here, the government aims to partner with providers to "harden the mid space and disrupt attacker activity."
Horne also revealed the **NCSC** is working towards a **National Cyber Defense Capability** to "join up intelligence and actions in the far, mid and near space in real time" in what he termed "an agentic AI world." Between June 2024 and May 2026, the **NCSC** handled over 200 incidents affecting critical national infrastructure and its supply chain, with 75% linked to state actors.
A crucial element of the action plan is the **Cyber Resilience Pledge**. Companies signing this pledge commit to making cybersecurity a board-level responsibility, joining the **NCSC**'s **Early Warning** service (which provides intelligence on imminent ransomware attacks), and mandating **Cyber Essentials** certification across their supply chains. Despite the broader plan's delay, the launch event for the pledge, where ministers have urged hundreds of firms to sign, is still expected to proceed.
