The United Kingdom’s National Cyber Action Plan, a government strategy intended to coordinate defenses against state-backed and criminal hacking, has been delayed once more. Multiple sources with knowledge of the matter told Recorded Future News the plan had been scheduled for publication this week but was postponed following Prime Minister Keir Starmer’s resignation and the subsequent uncertainty surrounding Labour’s leadership contest, which opens July 9.
A government spokesperson affirmed a commitment to publishing the plan, pointing to parallel efforts including the Cyber Security and Resilience Bill and the National Cyber Resilience Pledge as evidence of continued action. One element of this week’s launch is still expected to move forward: a number of FTSE 350 companies are set to sign the voluntary Cyber Resilience Pledge on Tuesday, committing to improve their digital defenses.
A History of Delays
The document has a protracted history. Originally conceived as an update to Britain’s National Cyber Strategy 2022, it was first promised by then-Chancellor of the Duchy of Lancaster Pat McFadden before the end of 2025. By April 2026, Security Minister Dan Jarvis had moved the target to “this summer” and rebranded the document from a “strategy” to an “action plan.” The latest postponement follows a pattern that security professionals and researchers have observed across multiple British cyber policy initiatives:
- The Cyber Security and Resilience Bill, an update to critical-infrastructure cyber law, took more than four years to reach Parliament and is not expected to be enforced until 2028, roughly a decade after the NIS Regulations it is meant to replace.
- A package of ransomware proposals, including mandatory victim reporting and a licensing regime for extortion payments, was due for public consultation in mid-2024 but was abandoned when Sunak called a general election.
- The CSRB itself was shelved in September 2025 during a cabinet reshuffle, the same month a cyberattack on Jaguar Land Rover halted vehicle production for more than a month. The Cyber Monitoring Centre estimated the disruption cost the British economy £1.9 billion and affected more than 5,000 organizations across JLR’s supply chain.
Political Indifference and Real Costs
Researchers have long characterized cybersecurity as a low political priority in Westminster. Tim Stevens, who leads the cybersecurity research group at King’s College London, has described cyber as “always been a de-politicized” issue treated as “low politics” in Britain. Jamie MacColl, a research fellow at the Royal United Services Institute, noted that without a highly visible major incident, the issue struggles to attract meaningful political will.
The JLR attack was severe enough that the government stepped in to underwrite a £1.5 billion loan to help the manufacturer support its suppliers, even as the relevant legislation remained unintroduced. A ransomware attack on pathology provider Synnovis by the Russia-linked Qilin group in 2024 forced London hospitals to declare a critical incident, yet neither main party addressed it substantively during that year’s election campaign.
What the Plan Is Expected to Contain
The plan’s official contents have not been disclosed, but reporting indicates it will be organized around three pillars: Threat, Growth, and Resilience. The clearest public signal of its direction came in a June lecture at RUSI by NCSC chief executive Richard Horne, delivered three weeks before the intended launch. Horne called for coordinated action across what he termed the “near, mid and far spaces” of cyberspace, framing near space as organizational defense, far space as offensive action against adversaries, and mid space as the shared cloud, technology, and telecommunications infrastructure that is largely in private hands. People familiar with the plan expect this framing to shape its structure.
No revised publication date has been announced. Andy Burnham, the former Manchester Mayor whose city hosted the original strategy announcement, is currently the frontrunner to succeed Starmer as Labour leader, with no other candidates having publicly declared as of publication.
