The Government Cyber Action Plan
The Government Cyber Action Plan, published in January 2026, sets out a radical shift in how the UK public sector manages cyber security and digital resilience. It moves away from fragmented, siloed defences toward a "Defend as One" model led by a new Government Cyber Unit within the Department for Science, Innovation and Technology (DSIT).
The plan aims to secure public services so they are 'trustworthy and resilient' through five delivery standards: Accountability, Support, Services, Response and Recovery, and Skills.
Accountability: Shifts responsibility to senior leaders who are now personally accountable for their organisation's cyber risk. Risks are defined and categorised. The senior leader should appoint a board member with expertise in cyber security and resilience. All organisations must also assure the cyber security and resilience of their supply chain.
Support: The Government Cyber Unit will manage government-wide risks, backed by over £210 million in investment, while departments manage local risks. Lessons learnt will be shared to reduce duplication and inconsistency. Best practice advice will be provided on security controls for cloud environment productivity tools. Support will be provided through a partnering function, building a CISO community and engagement model to drive collaboration on shared outcomes.
Services: Scaled services will be developed, delivered and accessed to address cyber security and resilience challenges. The Government Cyber Unit will take a strategic approach to the provision of services at scale in order to meet its objectives. Services may be delivered by different organisations, but the Government Cyber Unit will maintain a comprehensive view of their overall effectiveness and accessibility.
Response and Recovery: As well as proactively reducing risk, government must be able to quickly and effectively manage incidents when they occur. The intention is for improved responsiveness to fast-moving events and increased visibility of risks across government. Clear structures for detection across government and the public sector will be created, along with central services which enable foundational capabilities and collaboration between organisations, and work with the NCSC to address systemic challenges.
Notes for Schools:
Adoption of 'Secure by Design': schools should be aware of the secure by design requirement, which mandates that security be embedded into digital systems from the start of procurement.
All organisations must demonstrate adherence to this approach to reduce future risks and costs.
This will likely impact how schools purchase and configure classroom technology, cloud services and administrative software. Schools should already look to the DfE Digital Standards which provide support and guidance about the procurement of digital services, hardware and software.
In the event of a cyber attack, schools are expected to have robust incident response and recovery plans in place. They should adopt a culture where staff feel safe to report vulnerabilities or mistakes without fear of retribution.
Schools will need to participate in radical transparency by sharing lessons learned from incidents to help protect other schools.
As already advised by the DfE Cyber Security Standards, school staff should undertake mandatory cyber security awareness training.
Review the full government document: Government Cyber Action Plan
Schools, multi-academy trusts and colleges should look to the DfE Digital Standards for more guidance about cyber security and backing up data.
If you’d like to learn more about the DfE Digital Standards—what needs to be done, who’s responsible, and the timelines—join one of our free webinars 👉 https://digitalstandardstracker.co.uk/
We offer a range of resources, support, guidance and tracking tools to help you monitor your progress and report effectively. Documenting and tracking compliance is essential - it can demonstrate your cyber resilience in the aftermath of a cyber attack!
Contact us today for some more information 📧

