UK National Cyber Action Plan Delayed Amid Labour Leadership Crisis
What happened
Britain’s National Cyber Action Plan has been delayed again following Prime Minister Keir Starmer’s resignation and the uncertainty around the Labour Party leadership contest, which opens on July 9. The plan had reportedly been due for publication on Monday and is intended to set out how the government will defend the wider economy against state-backed and criminal hacking.
A government spokesperson said the UK remains committed to publishing the plan and pointed to ongoing efforts such as the Cyber Security and Resilience Bill, the National Cyber Resilience Pledge, and support from the National Cyber Security Centre. One part of the wider launch is still expected to move forward: a number of FTSE 350 companies are set to sign the Cyber Resilience Pledge, a voluntary commitment to improve digital defenses.
The document was originally expected before the end of 2025 as an update to the UK’s National Cyber Strategy 2022. By April 2026, the target had shifted to “this summer,” and the document had been rebranded from a strategy to an action plan. The Record reported that the plan is expected to include three pillars focused on Threat, Growth, and Resilience, although its full contents have not been officially disclosed.
The delay adds to broader concerns that UK cyber policy has struggled to maintain political momentum. The Cyber Security and Resilience Bill, intended to update critical infrastructure cyber rules, took more than four years to reach Parliament and is not expected to be enforced until 2028. Separate ransomware proposals covering mandatory reporting, ransom payment licensing, and a ransom ban for critical infrastructure operators were also delayed after the 2024 general election was called.
Who is affected
UK businesses, public-sector organizations, critical infrastructure operators, and technology providers are affected because the delayed action plan is intended to guide national cyber defense priorities across the wider economy.
FTSE 350 companies are also directly involved through the Cyber Resilience Pledge, which asks companies to make cybersecurity a board-level responsibility, join the NCSC’s Early Warning service, and require Cyber Essentials certification across supply chains.
Organizations waiting for clearer policy direction on resilience, ransomware reporting, critical infrastructure rules, and public-private cyber coordination may face continued uncertainty until the action plan and related legislation move forward.
Why CISOs should care
The delay matters because national cyber strategy shapes regulation, reporting expectations, public-private coordination, and board-level security priorities. When policy timelines slip, CISOs may have less clarity on future requirements and enforcement expectations.
The Cyber Resilience Pledge is still important even without the full action plan. Its focus on board accountability, early warning, and supply-chain certification gives CISOs a preview of where UK policymakers want large organizations to move.
The broader context also reinforces the business impact of cyber resilience. The Record cited major UK incidents affecting Synnovis and Jaguar Land Rover, including severe disruption to hospitals, manufacturing, and supply chains.
For CISOs, the lesson is not to wait for government timelines. Organizations can already prepare for stronger reporting, supplier security expectations, ransomware response obligations, and closer cooperation with national cyber authorities.
3 practical actions
Brief boards on likely UK cyber policy direction: Even with the action plan delayed, the Cyber Resilience Pledge points to board accountability, early warning, and supply-chain certification as priorities. CISOs should use this moment to align leadership before formal requirements arrive.
Review ransomware and incident reporting readiness: Delayed proposals have included mandatory reporting, payment licensing, and restrictions on ransom payments for critical infrastructure. Security teams should prepare response workflows, legal escalation paths, and reporting playbooks now.
Strengthen supply-chain cyber assurance: The pledge includes Cyber Essentials certification across supply chains. Organizations should assess key suppliers, define minimum security requirements, and prioritize vendors that support critical business operations.
Recent cyber incidents in the news:


