Launch of UK's National Cyber Action Plan delayed amid Labour leadership crisis
Britain's National Cyber Action Plan, the government's forthcoming strategy for defending the wider economy against state-backed and criminal hacking, has been delayed again following Prime Minister Keir Starmer's resignation, according to multiple sources with knowledge of the matter.
The plan had been due for publication on Monday, the sources said. It has been postponed amid the uncertainty over the governing Labour Party’s leadership contest, which opens July 9.
A government spokesperson told Recorded Future News it remained committed to publishing the National Cyber Action Plan.
“Protecting national security is our first duty, which is why we're taking action: strengthening our defenses through the Cyber Security and Resilience Bill, improving businesses' security with the national Cyber Resilience Pledge, and providing expert support to organizations across the country every day through the National Cyber Security Centre,” they said.
One part of the launch is still expected to proceed. On Tuesday, a number of FTSE 350 companies are set to sign the government's Cyber Resilience Pledge, a voluntary commitment to improve their digital defenses.
Initially intended as an update to Britain’s National Cyber Strategy 2022, the document was first promised by then-Chancellor of the Duchy of Lancaster Pat McFadden to be due before the end of 2025. By April 2026, the target had moved to “this summer” by the Security Minister Dan Jarvis, and the document had been rebranded from a “strategy” to an “action plan.”
McFadden made his 2025 announcement in Manchester, the city whose then-mayor, Andy Burnham, is now the frontrunner to succeed Starmer following the Makerfield by-election that preceded the prime minister's resignation. As of publication, no other candidates have put themselves forward for the leadership.
The National Cyber Action Plan is the latest enterprise in the British government’s cyber policy program to be delayed due to what some fear is political disinterest.
The Cyber Security and Resilience Bill, an update to the country's critical-infrastructure cyber laws, took more than four years to reach Parliament and is now not expected to be enforced until 2028 — a decade on from the NIS Regulations it was written to replace.
The core provisions of the CSRB had already been completed back in 2022 under Rishi Sunak, whose government incorrectly described the laws as “updated” before failing to include them in that year's King's Speech setting out the government’s parliamentary agenda and leaving the draft bill ultimately unintroduced to parliament.
When Starmer's government first moved to bring the bill forward in September 2025, it was then delayed again amid a cabinet reshuffle.
Separately, a set of ransomware proposals — mandatory reporting for all victims, a licensing regime for extortion payments and a ban on ransoms for critical infrastructure operators — was due to go out to consultation in mid-2024, before being scuppered when Sunak called a general election.
Priorities
The delay is likely to contribute to ongoing concerns that cybersecurity remains a low political priority within Westminster.
During the 2024 election campaign, a ransomware attack on the pathology provider Synnovis by the Russia-linked Qilin group forced London hospitals to declare a critical incident, cancelling operations and appointments. Despite its political relevance, neither main party addressed the attack in any detail during their campaigns.
“Fundamentally, until there is a major incident … [cybersecurity] is just not going to get the coverage or the political will it deserves,” Jamie MacColl, a research fellow at the Royal United Services Institute, said at the time.
Tim Stevens, who leads the cybersecurity research group at King's College London, said cyber had “always been a de-politicized” issue in Britain treated as “low politics.” He added: “Once you make it a political issue, if you don't fix it, it can come back and bite you on the ass.”
In September 2025, a cyberattack on Jaguar Land Rover — one of Britain's largest manufacturers, accounting for roughly 4% of the country's goods exports — halted all vehicle production for more than a month in what the Cyber Monitoring Centre called the most economically damaging cyber event ever to hit the UK.
The nonprofit estimated the shutdown cost the British economy £1.9 billion ($2.5 billion) and affected more than 5,000 organizations across JLR's supply chain; the company itself later reported it had been left £680 million ($896 million) out of pocket.
The disruption was severe enough that the government stepped in to underwrite a £1.5 billion ($2 billion) loan to help JLR support its suppliers — even as the Cyber Security and Resilience Bill it had drafted years earlier remained unintroduced, having been shelved that same month amid the cabinet reshuffle.
National Cyber Action Plan
The plan’s contents have not been officially disclosed. Recorded Future News understands it will include three pillars focusing on Threat, Growth and Resilience.
The clearest public indication of the government’s approach came in a lecture to the Royal United Services Institute (RUSI) in June by the NCSC’s chief executive Richard Horne, three weeks before the plan’s intended launch.
Horne called for a full court press across what he termed the “near, mid and far spaces” of cyberspace — a framing people familiar with the plan expect to shape its structure.
He defined the near space as the defense of individual organizations, the far space as offensive action against adversaries and the “mid space” as the shared “cloud, technology and telecommunications infrastructure,” most of which he said was “in private hands.”
In that space, he said, the government would partner with providers to “harden the mid space and disrupt attacker activity.”
Horne said the NCSC was working toward a National Cyber Defense Capability to “join up intelligence and actions in the far, mid and near space in real time” in what he called “an agentic AI world.” Between June 2024 and May 2026, he said, the NCSC handled more than 200 incidents affecting critical national infrastructure and its supply chain, 75% of them linked to state actors.
Another key aspect of the action plan is the Cyber Resilience Pledge which will see companies commit to making cybersecurity a board-level responsibility, joining the NCSC's Early Warning service — which sees British intelligence provide tip-offs to victims about imminent ransomware attacks — and requiring Cyber Essentials certification across their supply chains.
Government ministers have written to the chairs and chief executives of hundreds of firms, including all FTSE 350 companies, urging them to sign. The launch event on Tuesday is still expected to go ahead, although it is unclear how many of those companies will be in attendance.
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79



