May 28, 2026
The Wake-Up Call
In the space of a single year, the number of nationally significant cyber incidents handled by the NCSC more than doubled, from 89 to 204. The ransomware attack on the pathology provider Synnovis halted blood testing across London hospitals, forced the postponement of over 10,000 outpatient appointments and 1,700 elective procedures, and contributed to the death of a patient. The Legal Aid Agency breach exposed sensitive personal data. The British Library ransomware attack crippled one of the country’s most important cultural institutions. And a faulty but non-malicious CrowdStrike content update took down thousands of services overnight, a reminder that a resilience failure needs no attacker at all.
These weren’t abstract risks, but failures with immediate consequences for citizens. The UK government’s own assessment is candid about what they revealed: a fragmented approach to cybersecurity that needed fundamental reform and immediate action.
What the UK Cyber Plan Actually Changes
The UK Government published the Government Cyber Action Plan, backed by £210 million of central investment. Developed by the Department for Science, Innovation and Technology (DSIT), it replaces a loosely federated, guidance-led model with something far more centralized and directive.
At the heart of it is a new Government Cyber Unit (GCU) responsible for setting standards, coordinating risk management, and enforcing measurable progress across departments. The State of Digital Government Review had already made the assessment plain: cyber risk to government is critically high, 28% of the digital estate runs on legacy technology, and the original 2030 resilience target is no longer achievable.
The plan rolls out in three phases:
- Phase 1 (by April 2027) builds foundations: establishing the GCU, implementing accountability frameworks, and publishing an Incident Response Plan.
- Phase 2 (2027–2029) scales the model with data-driven decision-making and central support services.
- Phase 3 (from April 2029) shifts to continuous improvement and proactive supply-chain assurance.
Departments and their suppliers will now need to demonstrate compliance with structured assurance frameworks – principally GovAssure and the NCSC Cyber Assessment Framework (CAF) – and adopt Secure by Design principles.
Where Identity Verification Fits In
The Ministerial Foreword sets the tone, listing identity verification alongside healthcare and benefits as part of the “critical infrastructure of modern British life.” But it’s what happens in the operational chapters that matters most for identity providers.
First, Identity and Access Control is a core principle (B2) of the Cyber Assessment Framework – the standard every department will now be assessed against through GovAssure. Principle B2 requires departments to demonstrate that users accessing services are “appropriately verified, authenticated and authorised.” Make no mistake: this is a measurable assurance requirement with central oversight, not a statement of aspiration.
Second, the plan explicitly identifies legacy authentication as a systemic vulnerability. The legacy estate isn’t just old servers: it includes the passwords, hardware tokens, and knowledge-based verification methods that still underpin much of the government’s identity infrastructure, and the mandate to replace fragile systems applies directly to them. One caveat worth stating: the weakness lies in credentials a user can be tricked into relaying to a fake site, such as passwords and one-time codes. A FIDO2 security key binds its signature to the genuine origin and is phishing-resistant, so it belongs in the modern category rather than the legacy one.
Third, the new supply chain accountability model means identity providers serving government will face growing scrutiny. Suppliers delivering services at scale may be designated as “strategic,” subject to formal partnerships with the GCU and direct assurance expectations.
The combined effect is significant: the assurance and procurement machinery now makes it harder to justify weak identity solutions and easier to make the case for modern, phishing-resistant authentication. For identity providers, that’s a more meaningful shift than any single quote in a foreword.
Resilience + Security: Keeping Up With Threats That Don’t Stand Still
The plan consistently frames its goal as “cyber security and resilience,” treating them as coequal. But the emphasis on resilience is notable, and represents what the plan itself calls “a cultural and operational shift in how the government views resilience.” In practice, this means the government is no longer asking just “can we stop the attack?” but also “can we keep services running and trusted when something goes wrong?”
This has specific implications for identity. Consider two scenarios:
- The first is service failure. Non-malicious incidents like the CrowdStrike outage are cited alongside ransomware and nation-state attacks because the end result for citizens is the same: services go down, trust erodes. Identity systems that can’t demonstrate distributed architecture, redundancy, and rapid recovery are now a single point of failure the plan explicitly targets.
- The second is identity compromise. Increasingly, attacks target human trust rather than infrastructure directly. For example, a finance officer may receive a convincing video call appearing to come from a senior official requesting emergency payment authorization. Knowledge-based checks, caller recognition, and traditional authentication may all appear valid, and the attacker never has to touch a credential. The failure here isn’t perimeter security; it’s the inability to verify that the person behind the interaction is genuinely who they claim to be. That’s a resilience gap, not just a security one.
For procurement teams, this reframes the evaluation criteria. The question is no longer just “is this secure?” but “what happens when something fails — and can we still trust who we’re dealing with?” Identity systems that can demonstrate active threat monitoring and rapid recovery will be better placed to meet the plan’s expectations than legacy tools the plan explicitly identifies as vulnerable.
What the UK Cyber Plan Doesn’t Do
It’s worth being clear-eyed about scope. This plan is by government, for government. It doesn’t set new requirements for the private sector or national critical infrastructure directly – that’s the job of the Cyber Security and Resilience Bill, which is currently progressing through Parliament. The Bill extends resilience obligations to operators and suppliers in sectors such as energy, water, healthcare, and data centres, but its full implications will only become clear as it progresses.
Several industry commentators have also questioned whether £210 million is sufficient given the scale of the challenge. The previous strategy was backed by £2.6 billion, and the problems it set out to fix remain.
In Practice: What Does The UK Cyber Plan Mean For You?
Despite those caveats, the direction is unmistakable — and not just for government departments. Any organization in the public sector supply chain will feel the effects. Three shifts stand out.
Centralized standards change the buying model. A Government Cyber Unit setting cross-government standards creates the conditions for shared services and “build once, use many” identity infrastructure. The days of fragmented, department-by-department procurement are numbered.
Assurance evidence becomes a procurement prerequisite. The shift toward GovAssure and CAF compliance means procurement teams will increasingly expect vendors to arrive with assurance documentation already mapped to CAF outcomes, showing which controls satisfy which principles and what evidence backs them. This is worth factoring into planning early, not at contract stage.
Legacy replacement timelines are tightening. With fragile authentication methods explicitly identified as systemic vulnerabilities, organizations still reliant on passwords, hardware tokens, or knowledge-based verification should be drawing up transition roadmaps now, not waiting for Phase 2 to take effect. Departments replacing those methods will look for partners who can accelerate the migration without adding operational risk, and identity systems that can evidence phishing resistance (for example, origin-bound FIDO2/WebAuthn credentials), operational resilience, and active threat monitoring will be best placed to meet that demand.
Looking Ahead
The Government Cyber Action Plan does something previous strategies didn’t: it embeds identity verification into the government’s core assurance framework, ties cyber performance to resilience rather than just compliance, and creates a centralized enforcement mechanism with real accountability.
The plan reflects a broader shift in government thinking: cyber resilience is no longer measured solely by whether attackers are kept out, but by whether critical services remain trustworthy during disruption. In that environment, identity systems become operational infrastructure, not just authentication layers.
For anyone planning their next procurement cycle — whether inside government or in its supply chain — the question is no longer whether to modernize authentication, but how quickly.
Policy efforts will continue, not least with the progression of the Cyber Security and Resilience Bill and the establishment of the GCU itself. We’ll be tracking both closely.
Explore our latest Threat Intelligence 2026 Report for insight into the evolving threat landscape, or get in touch to discuss how your organization can align with the new assurance frameworks.
UK Cyber Plan FAQ
Q: What does the UK Cyber Action Plan mean for identity verification?
A: The plan makes Identity and Access Control a core assurance outcome under the Cyber Assessment Framework (CAF). Departments must now demonstrate that users are “appropriately verified, authenticated and authorised” through GovAssure assessments, and legacy authentication methods like passwords and hardware tokens are explicitly identified as systemic vulnerabilities requiring replacement.
Q: What is GovAssure and how does it affect government suppliers?
A: GovAssure is the UK government’s cyber assurance framework, used to assess departments against the NCSC Cyber Assessment Framework. Under the 2026 Cyber Action Plan, 90% of Lead Government Departments must assure their supply chains against these standards by Phase 2 (2027–2029). Suppliers delivering identity services at scale may be designated as “strategic,” subject to formal partnerships with the Government Cyber Unit.
