Threads / Preparing for severe cyber threat: why leaders must act now…
Guidance Published 28 Jan 2026 Department for Energy Security and Net Zero Department for Science, Innovation and Technology Information Commissioner's Office National Cyber Security Centre Ofgem Regulatory Policy Committee ↗ View on GOV.UK

Preparing for severe cyber threat: why leaders must act now – NCSC Guidance

NCSC guidance published January 2026 directed at operators of critical national infrastructure across energy, transport, health, communications and financial services sectors, advising on how to prepare for and respond to severe cyber threats in the context of the Cyber Security and Resilience Bill.

▤ Verbatim text from source document

Preparing for severe cyber threatwhy leaders must act now | National Cyber Security Centre

icons/chevron/16px/black

Skip to main content

Blog Post

Download & print article PDF

Download & print article PDF

Preparing for severe cyber threatwhy leaders must act now

A call to action to collectively build UK resilience

Jonathon Ellison

Spawns via Getty Images

Every organisation delivering the UK’s critical services – whether in energy, transport, health, communications, financial services, or any other critical national infrastructure (CNI) sector – relies on uninterrupted digital operations. Disruption to those operations isn’t simply an IT issue; it’s a business continuity and national resilience issue.

What is severe cyber threat?

Recent high-profile cyber incidents demonstrate a clear and accelerating trendhighly capable threat actors are increasing both their intent and their ability to target organisations of national economic significance, to cause real-world operational disruption. At the same time, new technologies – like frontier AI –  risk increasing the speed, scale and ease of attacks. This is what we mean by severe cyber threat.

Severe cyber threat can result in attacks which lead to:

extended operational downtime, with direct customer impact

significant financial loss

long-term reputational damage

increased risks to public safety and national security

A leadership responsibility

Given the escalating intent and capability of cyber threat actors, organisations must treat the prospect of severe cyber threat as a credible and pressing risk. Preparing for this is a leadership responsibility. Effective preparation not only protects your organisation’s value, reputation and continuity of operations, it also serves a wider purpose. The ability to continue delivering essential services under sustained cyber pressure is critical to the UK’s national resilience and security.

The time to act is now

The NCSC Annual Review 2025 highlights the widening gap between the rising pace of cyber threat and the UK’s collective resilience – and the NCSC’s message is unambiguous: the time to act is now.

When a severe cyber incident hits, it will be too late to start working out roles, responsibilities and decision-making thresholds, or building the necessary capabilities and processes, for the first time.

Getting your organisation ready and building the level of required resilience need time –  as well as strategic investment – which is only possible with:

clear commitment from the organisation’s leaders

organisation-wide collaboration

engagement with suppliers and partners

advance planning and action

Prepare and plan your response

That’s why we are asking leaders to take action now on the NCSC’s recently published guidance

How to prepare and plan your organisation’s response to severe cyber threatA guide for CNI

,

to make sure you’re ready to withstand, and ultimately recover from, such attacks.

Key takeaways from the guidance

1

Resilience beats prevention

The reality is that cyber threats won't always be preventable, so in the event of severe cyber attacks – which for example shut down services or operations – organisations must be ready to continue operating through disruption and to undertake recovery activities, all whilst under immense pressure.

This means:

mapping and understanding your most critical systems

planning how you would continue operations even if IT or OT systems were degraded

rehearsing defensive actions such as network segmentation, isolation ('islanding'), and system rebuilds

ensuring leadership understands the trade-offs between security and operational continuity

Ultimately, resilience means being able to function despite setbacks, not just avoiding them.

2

Preparation must happen before the threat escalates

Many of the measures needed during a severe cyber threat – such as rapidly hardening defences or isolating networks – are complex and potentially costly. They may carry business impacts that make them disproportionate to implement today. But they cannot be improvised under pressure. Unless the necessary capabilities, controls, processes and decision-making arrangements have been built and rehearsed in advance, they will not be available to deploy at the point they become proportionate. Organisations must act now to put these measures in place.

Connection to the CAF

The NCSC’s

Cyber Assessment Framework (CAF)

helps organisations responsible for essential services achieve and demonstrate an appropriate level of cyber resilience. The new guidance builds on this by focusing specifically on how organisations should prepare for and respond to

severe cyber threat

.

This context is the key distinction. An organisation may meet the expectations of the CAF under normal operating conditions, but may not have fully considered how its risk profile and response actions would change in the context of severe cyber threat. Organisations will need to revisit the CAF principles through this lens, and adjust their response actions as necessary.

What to do next?

Reading the guidance is the first step. Turning it into operational readiness is the next.

Leaders should use this guidance to:

test whether current plans hold up under severe cyber threat conditions

identify decisions that would be hardest to make under pressure

ensure those decisions are owned, understood, and rehearsed

Then, embed the learning into your business continuity and resilience plans.

The organisations that fare best in severe cyber incidents are those that have put in place the steps needed to withstand and recover from disruption – protecting essential services, business continuity, and their bottom line.

Jonathon Ellison

Director of National Resilience, NCSC

Share and print this article

Download & print article PDF

Download & print article PDF

Share

Share

Close share options

Share on

Facebook

Share on

LinkedIn

Share on

X

Copy Link

Written by

Jonathon Ellison

Director of National Resilience, NCSC

Published

Publish date

20 April 2026

Written for

Written for

Cyber security professionals

Large organisations

Part of blog

NCSC publications

Was this article helpful?

Yes

the article was helpful

No

the article was not helpful

Close Feedback Form

Back to top

Share

Close share options

Share on

Facebook

Share on

LinkedIn

Share on

X

Copy Link

Also see

Blog Post

Publish date

24 Jul 2024

New legislation will help counter the cyber threat to our essential services

The announcement of the Cyber Security and Resilience Bill is a landmark moment in tackling the growing threat to the UK's critical systems.

News

Publish date

19 Apr 2023

NCSC warns of emerging threat to critical national infrastructure

Alert issued warns of the emerging threat from state-aligned groups and the different forms of activity.

Blog Post

Publish date

29 Mar 2022

Use of Russian technology products and services following the invasion of Ukraine

Cyber security – even in a time of global unrest – remains a balance of different risks. Ian Levy, the NCSC's Technical Director, explains why.