Turning Threat Intelligence Strategy into Action: ‘Defend as One’ with Cyware


Key Takeaways
The UK's threat landscape has fundamentally changed. Nationally significant cyber incidents more than doubled in a single year. Attacks on London councils, the Foreign Office, and the Legal Aid Agency are no longer isolated headlines — they reflect a systemic vulnerability across the public sector.
The government has moved from strategy to accountability. The 2026 Cyber Action Plan and the Cyber Security and Resilience Bill mark a shift from ambition to obligation. Incident reporting timelines are now mandatory. Over 1,000 suppliers fall into new regulatory scope. The 2030 security target is at risk — and the government has said so openly.
'Defend as One' is no longer just a framework. The Government Cyber Unit is live, funded at £210 million, and responsible for coordinating cyber risk across every government department. The vision of treating government as a single cyber enterprise is now backed by real structure and real consequences.
Legacy infrastructure remains the critical weak point. Nearly a third of the government's technology estate cannot be adequately defended by modern security measures. Faster fix times and reduced vulnerability backlogs show progress — but the gap between threat and readiness is still significant.
Collective defence only works if intelligence moves freely. Real-time sharing, automated response, and unified threat visibility are what close the gap between a strategy on paper and a coordinated defence in practice. That is what operationalising 'Defend as One' actually requires.
Introduction
The UK's public sector faces a growing tide of sophisticated cyber threats that target critical infrastructure, public services, and citizen data. From ransomware attacks on councils to phishing campaigns aimed at government agencies, the frequency and impact of cyber incidents are escalating. In just one year, nationally significant cybersecurity incidents more than doubled — rising from 89 to 204. Category 2 incidents, those causing serious disruption to government services or large populations, jumped 50% year-on-year.
In response, the UK Government has taken a major step through its Cyber Security Strategy 2022-2030, calling for a shift from fragmented defences to a cohesive, intelligence-driven national cyber posture. At the heart of this strategy is the 'Defend as One' approach — a call to government organisations and departments to become a unified cyber security force capable of defending collectively and responding proactively.
Urgent Challenges Facing the UK Public Sector
Despite significant investments in national cybersecurity, the UK public sector continues to face critical challenges in operationalising threat intelligence and achieving cohesive cyber defence. Key barriers include:
Fragmented Intelligence Sharing across Government Organisations: Disjointed intelligence flows between organisations and departments create dangerous blind spots. Without a unified threat intelligence sharing framework, threats often go undetected until damage is done. The real-world cost of this fragmentation is visible. In late 2025, three Greater London councils — Kensington and Chelsea, Westminster, and Hammersmith and Fulham — suffered simultaneous cyberattacks that disrupted council tax services, housing repairs, benefits accounts, and parking systems. A Foreign Office breach attributed to a China-based threat actor emerged around the same time. The Legal Aid Agency suffered a major breach that compromised personal data and disrupted digital processing of legal aid applications.
Limited Visibility and Resource Constraints: Government entities frequently operate with insufficient tools, personnel, and access to curated threat intelligence needed to detect and respond to threats proactively. This gap creates vulnerabilities that sophisticated threat actors are increasingly equipped to exploit. A National Audit Office review found that 58 of 72 critical government IT systems contained multiple fundamental security controls at low levels of maturity.
Manual Workflows and Lack of Automation: Reliance on manual processes for threat detection, enrichment, and response slows down critical decision-making. The result is delayed responses, increased analyst fatigue, and missed opportunities to contain threats early in their lifecycle.
Inconsistent Cyber Maturity and Technology Silos: With varying levels of cyber readiness and fragmented IT ecosystems, government organisations struggle to collaborate effectively. Nearly a third of the government technology estate is estimated to be legacy technology — highly vulnerable to attack and difficult to defend with modern security measures.
The UK Government aims to address these challenges by breaking down silos, unifying cyber operations, and embracing a 'Defend as One' approach with real-time threat intelligence sharing and automated response capabilities.
What is the ‘Defend as One’ Strategy?
The 'Defend as One' strategy serves as a central pillar of the UK Government Cyber Security Strategy 2022-2030. Its core objective is to treat the government as one single cyber enterprise rather than a collection of isolated organisations and departments. This unified stance ensures collective resilience, faster response, and a shared understanding of threats.
This strategy integrates into the broader National Cyber Strategy 2022-2030, which aims to build a cyber-resilient nation through collaboration, innovation, and smarter risk management across all sectors. It recognises the need for disparate government organisations to come together as one to "present a defensive force disproportionately more powerful than the sum of its parts."
The strategy’s pillars are underpinned by five objectives. These set the dimensions of what needs to be considered with regard to cyber resilience, providing a consistent framework and common language that can be applied to the whole of government.
Manage cyber security risk through governance, accountability, and controls.
Protect against cyber attack using proportionate, scalable security measures.
Detect cyber security events via continuous system and network monitoring.
Minimise the impact of cyber security incidents with swift response and containment.
Develop the right cyber security skills, knowledge and culture across all professional domains.
How the Strategy Will Change the UK Cyber Landscape
The implementation of ‘Defend as One’ will drive a paradigm shift in how cybersecurity is managed across the public sector. Key changes include:
Improved Coordination: Real-time collaboration and information exchange between organisations, departments, and local government bodies will dramatically reduce intelligence gaps and enable more effective threat assessment and management.
Faster Incident Response: Centralised threat visibility and streamlined workflows will enable rapid response to emerging threats, potentially reducing the impact and cost of cyber incidents.
Elevated Cyber Maturity: Consistent implementation of standards and frameworks will raise the overall cyber posture of public entities regardless of their size or resources.
Protection of National Services: Stronger, intelligence-driven defence will safeguard the UK's most critical public sector infrastructure and services relied upon by citizens.
To bring the ‘Defend as One’ vision to life, the UK Government is mandating several foundational requirements, such as:
Adoption of the NCSC’s Cyber Assessment Framework (CAF) for a consistent approach to assess and improve cyber resilience.
Central government departments must undergo regular audits and reviews to provide independent assurance of their cyber posture.
Investment in scalable and interoperable cyber defence services to enable shared cyber capabilities across government entities.
Creation of the Government Cyber Unit (GCU) — a central unit within DSIT, led by the Government CISO, responsible for driving cyber security and resilience transformation across government and the public sector. The GCU coordinates government-wide risk management, provides departments with targeted support, and orchestrates response to fast-moving incidents.
Use of Active Cyber Defence (ACD) Tools as part of proactive defence measures to automatically block and neutralise threats.
To meet these new mandates, public sector organisations will require:
Threat Intelligence Platforms (TIPs): To aggregate, analyse, and share threat intelligence in real time.
Automation and Orchestration Tools: To drive faster incident resolution through automated playbooks.
Vulnerability and Compliance Management Tools: To assess and report against CAF requirements effectively.
Secure Collaboration Systems: Enabling cross-department and external partner threat information sharing.
The Landscape Has Shifted: New Legislation and Accountability
The policy environment has moved significantly. Two major developments are now shaping what 'Defend as One' means in practice.
The Government Cyber Action Plan
Published alongside the second reading of the Cyber Security and Resilience Bill, the Government Cyber Action Plan is a cross-government delivery framework that builds on the Government Cyber Security Strategy. It introduces clearer expectations for departments, sustained central oversight, and more than £200 million of investment to address long-standing weaknesses — including legacy technology, skills shortages, and uneven assurance practices.
The plan outlines a three-phase implementation strategy. Phase 1, targeting completion by April 2027, focuses on foundational infrastructure: establishing the Government Cyber Unit, implementing accountability frameworks, launching a cross-government Cyber Profession, and publishing a Government Cyber Incident Response Plan. Phase 2, running from 2027 to 2029, scales the model through data-driven decision-making and expanded response capabilities. Phase 3, from 2029 onwards, targets continuous improvement — ensuring departments proactively assure cyber risk across supply chains to support national security and growth.
Critically, the government acknowledged in publishing the plan that the 2030 target to secure all government organisations from known cyber vulnerabilities is no longer guaranteed. Accountability for risk has been "unclear at all levels of government." The Action Plan is a direct response to that failure.
The Cyber Security and Resilience (Network and Information Systems) Bill
Introduced to Parliament in November 2025, the Cyber Security and Resilience Bill updates the UK's cyber security legislation covering critical national infrastructure. It amends the Network and Information Systems Regulations 2018 and significantly expands who is in scope.
The Bill brings in new categories of regulated entities — including medium and large managed service providers, eligible data centres, large load controllers, and suppliers designated as critical to operators of essential services. It introduces two-stage incident reporting: an initial notification within 24 hours and a full report within 72 hours, with copies submitted to the NCSC. Around 1,000 service providers will fall within scope.
For government organisations and their suppliers, this raises the bar. Compliance, accountability, and speed of response are no longer aspirational — they are mandatory.
How Cyware Supports ‘Defend as One’ Cyber Security Strategy
The UK Government Cyber Security Strategy emphasises two strategic pillars: building greater cyber resilience across all government organisations and working together to 'Defend as One.' Achieving these goals requires integrated action across government, enhanced threat intelligence sharing, and adoption of modern technologies that enable swift, precise cyber defence.
Cyware, a global leader in operationalising government cyber resilience, offers a platform purpose-built to help operationalise this vision, delivering unified threat visibility, secure real-time collaboration, and automated response capabilities. By combining intelligence, automation, and collaboration, Cyware empowers government organisations to shift from fragmented, reactive cybersecurity to a proactive, collective defence model.
Unified Threat Intel Management
Cyware’s Threat Intelligence Platform manages the entire threat intelligence lifecycle from ingestion and enrichment to operationalisation and dissemination. Supporting Cyber Threat Intelligence (CTI), Attack Surface Management, and Digital Risk Protection, it delivers a unified view of threats targeting government assets. Intelligence is aggregated from multiple internal and external sources and correlated with known adversary tactics, techniques, and procedures (TTPs), providing a rich, contextual understanding of the threat landscape. This comprehensive visibility breaks down organisational silos and enables government organisations to act on timely, actionable intelligence that improves threat prevention, detection, and response.
Real-Time Threat Sharing and Collaboration
Secure, real-time collaboration across government organisations, trusted industry peers, and information-sharing communities such as ISACs and the NCSC is critical to the 'Defend as One' strategy. Cyware Collaborate enables government organisations to share threat intelligence, indicators of compromise (IOCs), incident reports, and response strategies within structured communities of trust. With role-based access controls and governance policies, sensitive information is shared securely and only with authorised participants. This capability fosters a collective defence ecosystem where knowledge and response strategies are shared seamlessly to outpace threat actors.
Agentic AI and Security Automation
To enhance cyber resilience and respond to threats with agility, Cyware delivers intelligence-driven orchestration and automation powered by agentic AI. Using no-code or low-code playbooks, security teams can automate critical processes such as threat detection, enrichment, triage, and incident response. These workflows integrate with existing security tools — SIEMs, endpoint solutions, and other platforms — to enable real-time, coordinated actions across systems and teams. By eliminating manual bottlenecks and standardising response procedures, Cyware significantly reduces time to action and improves the accuracy and speed of incident handling, supporting the government's resilience and capability-building objectives.
Compliance-Ready Intelligence for the New Regulatory Era
The Cyber Security and Resilience Bill and the Government Cyber Action Plan introduce stricter incident reporting timelines and expanded accountability across the supply chain. Cyware supports government organisations in meeting these obligations — with automated enrichment and triage that reduces mean time to detect, structured sharing workflows that support evidence requirements, and audit-ready intelligence trails that meet reporting timelines mandated by the NCSC and regulators.
Cyware's integrated platform empowers government organisations to transform their cybersecurity posture in line with the UK's 'Defend as One' strategy — fostering collaboration, increasing resilience, and turning intelligence into decisive action.
In Essence
The 'Defend as One' strategy represents a major evolution in the UK Government's approach to cybersecurity. Its success relies on combining policy, technology, automation, and collaboration across all government organisations and departments.
The threat has not waited for policy to catch up. The UK government has already reduced its backlog of serious cyber vulnerabilities by 75% and cut average fix times by 84% — from nearly two months to just over a week — through new vulnerability monitoring services. But the work is far from done. Legacy infrastructure remains a significant liability. The public sector needs technology partners who can close that gap, not just in strategy, but in daily operations.
Working with a technology partner who has delivered this at scale to other nations will accelerate the benefits of stronger national resilience, reduced incident impact, and better protection of critical services. By adopting the right technology and collaborative methods, the UK public sector can turn this strategy into a secure reality for government organisations and citizens alike.
See how a UK government healthcare organisation strengthened its collective defence with Cyware.
To learn more about how Cyware can support your organisation's journey toward collaborative cyber defence, request a demo today.
People Also Ask (FAQs)
1. What is the ‘Defend as One’ strategy in UK cybersecurity?
The ‘Defend as One’ strategy is a central pillar of the UK Government Cyber Security Strategy 2022-2030. It shifts the public sector from fragmented, isolated defences to a unified "single enterprise" model. This ensures that all government organisations, from central departments to local councils, share threat intelligence and respond to attacks collectively.
2. Why are UK local councils frequently targeted by cyber attacks?
Local councils manage critical citizen data—such as council tax, benefits, and housing records—often using legacy technology that is difficult to secure. Recent attacks on Greater London councils (Kensington, Westminster, and Hammersmith) demonstrate how vulnerabilities in local infrastructure can disrupt essential services for entire populations.
3. How does the Cyber Security and Resilience Bill (2025) impact reporting?
The new Bill mandates stricter accountability for over 1,000 service providers and critical infrastructure operators. It requires a two-stage incident reporting process: an initial notification within 24 hours of detection and a full, detailed report within 72 hours, ensuring the NCSC has immediate visibility into national threats.
4. What are the key requirements for central government departments by 2027?
Under the Government Cyber Action Plan, Phase 1 (ending April 2027) focuses on establishing the Government Cyber Unit (GCU), implementing the NCSC’s Cyber Assessment Framework (CAF), and launching a cross-government Cyber Profession to address skill shortages.
5. How does Cyware help operationalise the 'Defend as One' approach?
Cyware provides the technology needed to break down silos. Its platform enables real-time threat intelligence sharing, automated incident response through agentic AI, and secure collaboration within "Communities of Trust." This allows organisations to turn raw threat data into decisive, collective action across the entire public sector.
