£210m Government Cyber Action Plan

Written by Craig Pepper | Jan 15, 2026 12:00:00 PM

The UK Government published its long-awaited Cyber Action Plan on 6 January 2026, marking a fundamental shift in how the public sector approaches cybersecurity, backed by a £210 million investment and the creation of a new Government Cyber Unit with real enforcement powers.

What is the Government Cyber Action Plan?

The plan, presented to Parliament by the Minister of State for Digital Government and Data, sets out how the government will transform cybersecurity and resilience across the public sector. It establishes clear accountability, mandatory requirements, and comprehensive central support.

The newly formed Government Cyber Unit will drive the plan forward, setting much stronger central direction and demanding measurable progress. This investment is part of the broader Roadmap for Modern Digital Government and is designed to protect critical infrastructure, including healthcare services.

The Healthcare Context: Why This Plan Matters Now More Than Ever

Learning from Major Incidents: The Synnovis Attack and Beyond

The plan explicitly references the 2024 Synnovis ransomware attack, which halted blood testing and forced the cancellation of surgeries across London hospitals, demonstrating how quickly a digital disruption can escalate into a major healthcare emergency.

It also cites ransomware incidents affecting local councils that incapacitated social care systems, leaving frontline workers unable to access vital information to protect vulnerable individuals.

The British Library ransomware attack in October 2023 and the 2024 CrowdStrike outage, which cost the UK economy between £1.7 and £2.3 billion, are also referenced as evidence of systemic failures.

These are not hypothetical risks. They are recurring realities that result in service breakdown, harm to the public, and erosion of trust. The plan moves beyond guidance to a new era of accountability, where public sector leaders bear direct responsibility for cyber resilience.

When Does This Come Into Effect?

The Government Cyber Action Plan is being implemented across three phased timelines:

Phase 1: Building (Now – April 2027)

The Government Cyber Unit is being established immediately, with critical functions operational by April 2027. During this phase, the government will establish refreshed accountability and governance frameworks, publish the Government Cyber Incident Response Plan, and begin systematic assessment of critical and legacy IT systems. NHS organisations should expect to see new mandatory reporting requirements and assurance processes introduced during this period.

Phase 2: Scaling (April 2027 – April 2029)

This phase focuses on embedding the new model across all government departments and the wider public sector. By this stage, 100% of departments will be expected to have established costed cybersecurity and resilience implementation plans, and all organisations will be required to implement defined governance structures with clearly documented roles and responsibilities.

Phase 3: Improving (April 2029 and beyond)

The final phase aims for maturity, with targets including two-thirds of systems assessed by GovAssure meeting 75% or more of Cyber Assessment Framework outcomes, and at least 90% of departments undertaking supply chain assurance processes.

What This Means for NHS Suppliers

Whilst the full implementation extends to 2029 and beyond, the impact on NHS suppliers will be felt immediately. The Government Cyber Unit is operational now, and NHS organisations are already under pressure to demonstrate compliance with new accountability frameworks. Procurement processes are being updated, and suppliers should expect tougher security questions in contract renewals and new tenders from 2026 onwards.

Key Pillars of the Plan: What NHS Suppliers Need to Know

| Pillar | Key Change | Implication for NHS Suppliers |
|---|---|---|
| Mandatory Standards & GovAssure | Shift from voluntary frameworks to mandatory, enforced standards. | NHS clients will be under intense pressure to comply, and this scrutiny will flow down the supply chain. |
| Tackling Legacy IT | Urgent call to replace the 28% of government IT that is legacy and vulnerable. | A major opportunity for suppliers of modern, secure solutions; a significant risk for those reliant on outdated tech. |
| A New Model of Accountability | Public sector leaders are now directly accountable for cyber resilience. | Expect tougher security questions in procurement. Demonstrating a robust security posture is now non-negotiable. |

Pillar 1: Mandatory Standards and GovAssure

The plan introduces a shift from voluntary frameworks to mandatory requirements. GovAssure, the new assurance framework, provides an objective picture of resilience levels across government systems. Its first-year results found significant gaps in departments’ cybersecurity and resilience, including widespread low maturity in fundamental controls such as asset management, protective monitoring, and response planning.

Implication for Suppliers: Your NHS clients will be under pressure to meet these standards, and that scrutiny will flow down the supply chain. Your own compliance will become a key differentiator. Suppliers who can demonstrate robust security posture and alignment with the Cyber Assessment Framework (CAF) will have a significant competitive advantage.

Pillar 2: Tackling the 28% Legacy IT Problem

The plan reveals a shocking statistic: nearly a third (28%) of the government technology estate is estimated to be legacy technology and therefore highly vulnerable to attack. The plan includes an urgent call for departments to invest in replacing outdated systems and fixing foundational vulnerabilities.

Implication for Suppliers: If your solution integrates with or relies on NHS legacy systems, you need a plan to manage that risk. Conversely, if you offer modern, secure solutions that can replace or work alongside legacy infrastructure, this represents a major opportunity. The government's commitment to addressing technical debt will drive procurement decisions for years to come.

Pillar 3: A New Model of Accountability

The plan emphasises direct accountability for public sector leaders. Every public sector leader now bears direct accountability for cybersecurity, and departments must urgently invest in replacing legacy systems and fixing foundational vulnerabilities. The Government Cyber Unit will provide expert support whilst demanding measurable progress.

Implication for Suppliers: Expect more rigorous security questions in procurement and contract renewals. Your ability to demonstrate robust security posture, provide evidence of compliance, and articulate how you manage risk will be non-negotiable. The days of vague assurances are over.

Practical Steps for Healthtech and NHS Suppliers

Review Your GovAssure Alignment

Companies should proactively assess their own security controls against the Cyber Assessment Framework (CAF), which underpins GovAssure. Understanding where you stand against these standards will help you identify gaps and prepare for the inevitable questions from NHS procurement teams.

Re-evaluate Your Supply Chain Security

The CrowdStrike incident demonstrated how a single supplier dependency can create widespread disruption. It is essential to understand and document the security of your own dependencies, including third-party software, cloud services, and subcontractors. Supply chain security is now a first-order concern.

Prepare for Tougher Procurement Scrutiny

NHS procurement processes will increasingly demand evidence of security posture. Prepare documentation such as penetration test reports, ISO 27001 certification, DSPT submissions, and evidence of secure development practices. Being able to provide this evidence quickly and clearly will be a competitive advantage.

Address Your Legacy System Dependencies

If your product integrates with older NHS infrastructure, identify and mitigate the risks. This might include implementing additional security controls, offering secure API gateways, or providing clear guidance to NHS clients on how to manage the integration safely.

Is the Timeline Too Long?

While the Government Cyber Action Plan is a welcome and necessary step, from our perspective as a cybersecurity consultancy on the front lines, the implementation timeline feels dangerously long. The threat landscape does not operate on multi-year strategic plans; it evolves in weeks and months.

A phased approach extending to 2029 and beyond, particularly for critical areas like supply chain assurance, gives adversaries a significant window to exploit the very vulnerabilities the plan aims to fix.

Recent incidents like the Synnovis attack demonstrate that the consequences of these vulnerabilities are immediate and severe. With 28% of the government's IT estate classed as legacy, waiting until 2029 to achieve mature supply chain assurance is a high-risk strategy.

Industry best practice and the sheer pace of technological change suggest a more aggressive approach is warranted. Accelerating the replacement of legacy systems and implementing robust supply chain assurance requirements now—not in a future phase—would more accurately reflect the urgency of the threat and provide the resilience the NHS needs today.

The Government Cyber Action Plan represents a significant shift towards mandatory, enforced cybersecurity standards across the NHS. For suppliers, this is not a burden but an opportunity. High-quality suppliers who can demonstrate robust security will distinguish themselves in a market where trust is the most valuable currency. In this new environment, robust cybersecurity is no longer a feature—it is the foundation of a trusted partnership with the NHS.