Cyber resilience, or the lack of it, continues to exact a huge cost on public sector organisations. The ability to withstand a cyberattack, recover quickly and safely, and continue operating at a minimum viable level has never been more urgent.
To put this in perspective, the latest Annual Review from the National Cyber Security Centre (NCSC) revealed that the UK was “experiencing four ‘nationally significant’ cyberattacks every week”. In total, a record 204 incidents were handled in the year to September 2025, up from 89 the previous year.

Recent examples highlight the stakes for public services. The 20 October 2025 AWS outage disrupted digital services at HMRC, triggering operational resilience concerns and renewed scrutiny of third-party dependency risk. Meanwhile, the 2024 Synnovis ransomware attack did more than hit IT systems: it cancelled operations, disrupted blood testing, and prompted a national appeal for donors. Both incidents demonstrate that resilience should be defined by staying functional when technology or suppliers fail and returning to essential operations cleanly and confidently.
Dr Richard Horne, chief executive of the NCSC, summarised the urgency perfectly: “Cybersecurity is now a matter of business survival and national resilience.”
A line in the sand for public sector resilience
The UK Cyber Action Plan feels like a real line in the sand moment. For years, the UK has told critical national infrastructure what “good” cyber resilience should look like, while the public sector has been left a little in the dark when it comes to bona fide resiliency recommendations and guidance. That’s not a criticism; it’s the reality of a sector that’s permanently stretched.
For the first time, the public sector now has clear guidance on what “good” resilience actually looks like and the funding and governance to support it. The plan finally says: here’s how you actually make resilience real.
At its core, the plan is about levelling up. It aligns the public sector with the Cyber Security and Resilience Bill, which itself strengthens UK cyber posture in key areas such as NIS2. Backed by £210 million in central investment and a dedicated Government Cyber Unit, it emphasises practical delivery, supply chain robustness, and a “just culture” that encourages early reporting. Small cracks can be caught and addressed before they escalate into crises, which is essential in public services where failure affects people’s lives.
From ambition to delivery: a more realistic cyber future
While the plan is labelled “public sector only”, the reality is much broader. Public services do not operate in isolation. When either public or private organisations stumble through cyber weakness or broken supply chains, the impact is immediate and harsh across society.
The government recognises that its original 2030 ambitions were “not achievable”. In response, the Cyber Action Plan resets expectations, taking a pragmatic, urgent, and delivery-focused approach. Resilience must now be operational, not theoretical, and achievable for overstretched departments with finite resources.
Minimum Viable Company: the foundation of real resilience
Operational resilience begins with a clear understanding of what truly needs to keep running. Most firms already have well-defined disaster recovery (DR) plans, often using impact tolerances to establish resilience categories and prioritise recovery based on criticality. These plans can be extended to inform and define cyber resilience outcomes by testing regularly and repeatedly.
This is where the Minimum Viable Company (MVC) concept becomes particularly valuable. MVC defines the essential systems, processes, and services required for an organisation to continue operating during a disruption. In other words, it identifies the absolute minimum needed to sustain operations across IT, security, and business functions when the worst happens.
Rather than attempting to recover everything at once, departments can focus on restoring core operations, identity and authentication services, critical operational systems, financial platforms, and essential communications tools. This approach provides breathing space for teams to manage full recovery without halting essential public services.
Crucially, MVC criteria must be defined in advance, not during an incident. This ensures that decisions are made with visibility, confidence, and alignment to organisational priorities. It also provides a framework for testing whether critical services can be restored within acceptable timeframes, turning abstract resilience objectives into measurable operational capability.
From compliance to board-level confidence
Regulation alone will not make the UK resilient. The Cyber Security and Resilience Bill and the Cyber Action Plan provide legal and strategic frameworks, but operational capability requires translating policy into everyday practice.
Many public sector organisations equate disaster recovery with resilience, but cyber incidents introduce a different dynamic: compromised systems, corrupted backups, and inaccessible policies. Metrics such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are insufficient—they measure speed, not clean recovery. Organisations should consider Mean Time to Clean Recovery (MTCR): how long it takes to restore services to a safe, trusted state.
RTO and RPO, along with other metrics such as MTTR and impact tolerances, remain vital for measuring operational and disaster recovery capability. These should be revisited in the context of MTCR to define cRTO and cRPO, adding a critical cyber dimension to the measurement of clean and safe recovery.
Education at leadership level is vital. Board members and senior managers must understand dependencies, operational priorities, and realistic recovery timelines to bridge the gap between compliance on paper and operational reality. Resilience should be approached as a governance issue, not just an IT responsibility.
Cyber Essentials Plus is a strong example of a higher-level, government-backed certification used to verify an organisation’s cyber security posture. It is a requirement for parts of the public sector that supply goods or services to the government. Understanding and adhering to this certification is another important step in strengthening cyber resilience.
Governance as an enabler
Historically, governance and compliance were seen as a control layer that could slow delivery. The shift toward formalised cyber resilience changes that dynamic. Governance now plays a central role in ensuring resilience requirements are embedded from the outset, not added retrospectively.
Regulation empowers governance teams to challenge assumptions, validate preparedness, and intervene when operational resilience is insufficient. Embedding these considerations early reduces operational risk and ensures compliance obligations are met. Far from a barrier, governance becomes the enabler that transforms resilience from abstract policy into real-world capability.
The UK Cyber Action Plan provides clear direction, practical guidance, funding, and governance to make resilience real. By focusing on operational delivery, protecting the Minimum Viable Company, and embedding governance-led resilience, public services can move from theoretical compliance to confident, measurable capability.
For overstretched public sector bodies, this should act as a roadmap to staying functional and serving the public even under pressure. The line has been drawn, and now it’s time to deliver. The timescales set out in the Cyber Action Plan can serve as useful guardrails, but in reality, organisations should be accelerating their efforts to stay ahead of cyber risk. Threat actors will not wait for you to be ready; they will act when opportunity arises.