Preparing for severe cyber threat: why leaders must act now – NCSC Guidance
NCSC guidance published January 2026 directed at operators of critical national infrastructure across energy, transport, health, communications and financial services sectors, advising on how to prepare for and respond to severe cyber threats in the context of the Cyber Security and Resilience Bill.
Preparing for severe cyber threatwhy leaders must act now | National Cyber Security Centre
icons/chevron/16px/black
Skip to main content
Blog Post
Download & print article PDF
Download & print article PDF
Preparing for severe cyber threatwhy leaders must act now
A call to action to collectively build UK resilience
Jonathon Ellison
Spawns via Getty Images
Every organisation delivering the UK’s critical services – whether in energy, transport, health, communications, financial services, or any other critical national infrastructure (CNI) sector – relies on uninterrupted digital operations. Disruption to those operations isn’t simply an IT issue; it’s a business continuity and national resilience issue.
What is severe cyber threat?
Recent high-profile cyber incidents demonstrate a clear and accelerating trendhighly capable threat actors are increasing both their intent and their ability to target organisations of national economic significance, to cause real-world operational disruption. At the same time, new technologies – like frontier AI – risk increasing the speed, scale and ease of attacks. This is what we mean by severe cyber threat.
Severe cyber threat can result in attacks which lead to:
extended operational downtime, with direct customer impact
significant financial loss
long-term reputational damage
increased risks to public safety and national security
A leadership responsibility
Given the escalating intent and capability of cyber threat actors, organisations must treat the prospect of severe cyber threat as a credible and pressing risk. Preparing for this is a leadership responsibility. Effective preparation not only protects your organisation’s value, reputation and continuity of operations, it also serves a wider purpose. The ability to continue delivering essential services under sustained cyber pressure is critical to the UK’s national resilience and security.
The time to act is now
The NCSC Annual Review 2025 highlights the widening gap between the rising pace of cyber threat and the UK’s collective resilience – and the NCSC’s message is unambiguous: the time to act is now.
When a severe cyber incident hits, it will be too late to start working out roles, responsibilities and decision-making thresholds, or building the necessary capabilities and processes, for the first time.
Getting your organisation ready and building the level of required resilience need time – as well as strategic investment – which is only possible with:
clear commitment from the organisation’s leaders
organisation-wide collaboration
engagement with suppliers and partners
advance planning and action
Prepare and plan your response
That’s why we are asking leaders to take action now on the NCSC’s recently published guidance
How to prepare and plan your organisation’s response to severe cyber threatA guide for CNI
,
to make sure you’re ready to withstand, and ultimately recover from, such attacks.
Key takeaways from the guidance
1
Resilience beats prevention
The reality is that cyber threats won't always be preventable, so in the event of severe cyber attacks – which for example shut down services or operations – organisations must be ready to continue operating through disruption and to undertake recovery activities, all whilst under immense pressure.
This means:
mapping and understanding your most critical systems
planning how you would continue operations even if IT or OT systems were degraded
rehearsing defensive actions such as network segmentation, isolation ('islanding'), and system rebuilds
ensuring leadership understands the trade-offs between security and operational continuity
Ultimately, resilience means being able to function despite setbacks, not just avoiding them.
2
Preparation must happen before the threat escalates
Many of the measures needed during a severe cyber threat – such as rapidly hardening defences or isolating networks – are complex and potentially costly. They may carry business impacts that make them disproportionate to implement today. But they cannot be improvised under pressure. Unless the necessary capabilities, controls, processes and decision-making arrangements have been built and rehearsed in advance, they will not be available to deploy at the point they become proportionate. Organisations must act now to put these measures in place.
Connection to the CAF
The NCSC’s
Cyber Assessment Framework (CAF)
helps organisations responsible for essential services achieve and demonstrate an appropriate level of cyber resilience. The new guidance builds on this by focusing specifically on how organisations should prepare for and respond to
severe cyber threat
.
This context is the key distinction. An organisation may meet the expectations of the CAF under normal operating conditions, but may not have fully considered how its risk profile and response actions would change in the context of severe cyber threat. Organisations will need to revisit the CAF principles through this lens, and adjust their response actions as necessary.
What to do next?
Reading the guidance is the first step. Turning it into operational readiness is the next.
Leaders should use this guidance to:
test whether current plans hold up under severe cyber threat conditions
identify decisions that would be hardest to make under pressure
ensure those decisions are owned, understood, and rehearsed
Then, embed the learning into your business continuity and resilience plans.
The organisations that fare best in severe cyber incidents are those that have put in place the steps needed to withstand and recover from disruption – protecting essential services, business continuity, and their bottom line.
Jonathon Ellison
Director of National Resilience, NCSC
Share and print this article
Download & print article PDF
Download & print article PDF
Share
Share
Close share options
Share on
Share on
Share on
X
Copy Link
Written by
Jonathon Ellison
Director of National Resilience, NCSC
Published
Publish date
20 April 2026
Written for
Written for
Cyber security professionals
Large organisations
Part of blog
NCSC publications
Was this article helpful?
Yes
the article was helpful
No
the article was not helpful
Close Feedback Form
Back to top
Share
Close share options
Share on
Share on
Share on
X
Copy Link
Also see
Blog Post
Publish date
24 Jul 2024
New legislation will help counter the cyber threat to our essential services
The announcement of the Cyber Security and Resilience Bill is a landmark moment in tackling the growing threat to the UK's critical systems.
News
Publish date
19 Apr 2023
NCSC warns of emerging threat to critical national infrastructure
Alert issued warns of the emerging threat from state-aligned groups and the different forms of activity.
Blog Post
Publish date
29 Mar 2022
Use of Russian technology products and services following the invasion of Ukraine
Cyber security – even in a time of global unrest – remains a balance of different risks. Ian Levy, the NCSC's Technical Director, explains why.