The report, prepared by independent analysts from the University of Bristol and Imperial College London and drawing on consultations with nearly 100 cybersecurity experts, identifies nine key recommendations and 24 actionable suggestions. The decision to hand the work to Bristol and Imperial rather than keep it inside DSIT was likely intended to boost credibility, reducing the perception that it’s just Whitehall box-ticking.
The publication comes at a critical time for the UK’s cybersecurity industry, which has been getting increasingly valuable amid a rapidly expanding threat landscape.
In 2024, the UK’s cybersecurity industry generated about £13.2 billion in revenue and employed 67,300 staff across 2,165 companies, the report notes. More than half of these companies are micro-businesses, and together they sustained exports worth £7.2 billion in 2023, placing the UK third globally for cybersecurity services. The sector last year recorded a 12% rise in revenue, an 11% increase in jobs, and a 21% boost in gross value added year on year.
However, these gains are being made against a backdrop of growing threats. Nationally significant cyber incidents rose by 50% in 2024, while the number of incidents deemed “severe” tripled.
Nigel Steward, Director of the Centre for Sectoral Economic Performance at Imperial, said: “The cybersecurity sector in the UK has significant growth potential, and there are clear roles for both government and the private sector identified within the UK Cyber Growth Action Plan to contribute to tapping into that potential. Supporting the sector isn’t just an economic opportunity, it’s essential for our national security and the resilience of businesses.”
The report highlights the usual suspects when casting blame: it cites state-backed activity, organised crime, and the growing complexity of systems, particularly with the integration of artificial intelligence (AI), as significant risks to UK cybersecurity resilience.
“The sector faces mounting pressures from increasingly sophisticated state and criminal actors,” the report states. “The pace of change in digital technologies, including AI, is outstripping the attention paid to cybersecurity.”
In terms of defence, one of the central recommendations is a proposal to stimulate demand for higher standards across supply chains.
The government is considering, for example, mandating the use Cyber Essentials – a government-backed certification scheme – in procurement, particularly for contracts linked to critical infrastructure and public sector organisations. This would require defence contractors and their suppliers to demonstrate compliance with tougher assurance and risk reporting requirements. This is potentially a small step and not enough, however: even the Cyber Essentials site describes itself as a “minimum standard of cybersecurity” for organisations.
The report also recommends appointing a dedicated UK Cyber Growth Leader to coordinate policy across government and industry, a move expected to have implications for how the defence sector engages with Whitehall on procurement and exports.
The plan additionally calls for a bigger role for the National Cyber Security Centre (NCSC), casting it as both the government’s lead resilience body and a driver of industry growth. For the defence industry and its suppliers, this could see the NCSC take a more prominent role in accreditation, testing, and early evaluation of dual-use technologies.
Another recommendation is the creation of so-called safe havens. The idea is to create a multi-stakeholder environment for testing technologies and building prototypes that respond to emerging threats.
Safe havens would be open not only to security-cleared personnel; startups and SMEs would also be invited in, offering new opportunities for collaboration with defence innovation programmes.
The plan identifies technologies like AI and security-by-design as priorities, and it urges greater support for tools that reduce the burden of basic cyber hygiene. Defence organisations, which rely increasingly on dual-use technologies, are expected to align future R&D efforts with these priorities.
“To sustain growth and resilience, the UK needs a coherent national approach,” the report says. “That means aligning investment, regulation and innovation, while ensuring that defence and critical infrastructure supply chains meet higher standards. The evidence we gathered shows there is both a demand for clearer government leadership and an appetite from industry to play a more active role in shaping future standards.”
The Action Plan also reflects findings from the Strategic Defence Review 2025, a policy paper published in June to provide a blueprint for how defence spending and planning should be prioritised and executed going forward. The SDR warned, among other things, that cyber conflicts would intensify and that military activity would become increasingly hybrid in nature, bringing with it a higher degree of cybersecurity risk.
It also noted the convergence of cybersecurity and the electromagnetic spectrum, pointing to technologies such as drones operating across both radio frequencies and Wi-Fi. It recommends creating an integrated CyberEM Command to unify the UK’s cyber, electromagnetic, and information operations under a single structure.
The Review further emphasised the need to treat data as a strategic asset, supported by secure computing, protected infrastructure, and assured flows of information between the UK Intelligence Community and allies.
Mike Maddison, CEO at NCC Group, said the Cyber Growth Action Plan “is a bold step forward, recognising cyber as a strategic enabler of national resilience and economic growth… It sends a powerful signal that the UK is serious about scaling innovation, investing in skills and commercialising research.”
However, whether the plan leads to real change is another matter. The government has launched numerous cyber strategies over the years, but many have faded once the headlines died down. The big question now is whether this initiative will come with proper funding, clear rules, and results that people can actually measure.
What’s more, the report itself is advisory rather than binding. DSIT will now sift through the recommendations to decide which to adopt, and while some ideas could be turned into hard policy, such as requiring Cyber Essentials certification in defence procurement. Other recommendations may quietly be set aside. Typically, the government will issue a formal response within a few months, setting out which proposals it will back.
For the defence world, the Cyber Growth Action Plan outlines changes that could impact suppliers, research teams, and procurement. Tougher compliance, possible new legal duties, and a bigger role for the NCSC will all potentially – if they become policy – shape how the military brings in and uses cyber tech.
