
National Cyber Security Centre Annual Review 2025: ‘It’s time to act.’
The UK National Cyber Security Centre (NCSC) today released its 2025 Annual Review, opening with a punchy front-cover warning: “Open your eyes to the imminent risk to your economic security.” Although the report’s primary focus is on threats facing the UK, its insights and recommendations resonate far more broadly. In this paper, we will concentrate on the theme of operational resilience, but first, we set the scene with some background.
There is a change in tone from previous reports, from measured and collaborative to urgent and directive. The 2024 report framed cyber risk as an evolving, shared national challenge requiring partnership and technical maturity. By contrast, the 2025 review declares ‘It’s time to act’, reframing cybersecurity as an immediate economic and governance issue rather than a purely technical one. This is unsurprising given this year’s high-profile incidents, including those at the Co-op, Jaguar Land Rover (JLR) and Marks & Spencer.
The threat is no longer abstract but tangible, disrupting supply chains and business operations and affecting employees and consumers alike. The report has moved from building strategic awareness to demanding executive accountability, urging business leaders to treat cyber resilience as critical to business survival and national prosperity.
The report is light on numbers, but those it gives are compelling. Richard Horne, the NCSC’s CEO, notes that “nearly half of all incidents handled by the NCSC over the last 12 months were of national significance” and that “4% of these were categorised as ‘highly significant’ – attacks which we define as ‘having a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy’.” That is a roughly 50% year-on-year increase in highly significant incidents.
Ransomware is highlighted as the largest ongoing threat to Critical National Infrastructure (CNI), but the report also notes that ‘we’ve detected a shift in hacktivist activity to include low skilled attacks against operational technology (OT) systems.’ This is a rare, authoritative statement on direct attacks against OT from an agency with high visibility into threats to UK CNI.
The 2025 NCSC Annual Review reframes operational resilience around chaos management and disciplined preparedness, moving beyond theory towards active governance and response through resilience engineering. It treats operational resilience as disciplined control under pressure, built on segmentation, least privilege, immutability and observability. Key points include:
- Resilience through control: ‘The NCSC has emergent anecdotal evidence that those organisations who intervene during a destructive event and self isolate, recover quicker with less impact.’ Effective recovery depends on physical and logical segmentation, least-privilege access (including privileged access workstations, PAWs) and immutable backups, so that continuity is maintained even when systems fail.
- Chaos as the new normal: The report acknowledges the unpredictability and intensity of live attacks, with first-hand testimony from the Co-op CEO illustrating that no plan fully survives real-world conditions. The report stresses that resilience is achieved through pre-planned isolation, controlled rebuilds, and observable dependencies, not improvisation during crisis.
- Visibility and monitoring: Continuous observability and telemetry across hybrid infrastructures are framed as essential for detecting lateral movement and validating system health.
- Governance and rehearsal: Board-level oversight, red-team exercises, and playbook discipline create predictability within uncertainty.
- Engineering resilience at scale: Automated prevention, enforced configuration baselines, and tamper-resistant logs underpin the NCSC’s call for resilience by design.
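The tamper-resistant logging point above is easy to state and easy to get subtly wrong, so here is an added worked example (not code from the NCSC review or from any organisation it names): a hash-chained, HMAC-keyed audit log in Python with a verifier that reports the first entry whose chain breaks. The HMAC key, the sample logon events and the out-of-band anchor value are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed for this example. In practice the key lives with the log collector
# (or in an HSM), not on the host producing the events; an attacker who owns the
# host and the key can simply re-chain the log.
HMAC_KEY = b"example-only-key-do-not-reuse"
GENESIS_TAG = "0" * 64  # chain head used for the very first entry

# Constructed sample authentication events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-10-14T08:02:11Z", "user": "svc_backup", "host": "fs01", "event": "logon", "outcome": "success"},
    {"ts": "2025-10-14T08:02:40Z", "user": "svc_backup", "host": "dc01", "event": "logon", "outcome": "failure"},
    {"ts": "2025-10-14T08:03:05Z", "user": "svc_backup", "host": "dc01", "event": "logon", "outcome": "failure"},
    {"ts": "2025-10-14T08:03:30Z", "user": "admin.j", "host": "paw07", "event": "logon", "outcome": "success"},
]


def entry_tag(prev_tag: str, seq: int, record: dict) -> str:
    """Keyed tag binding a record to its position and to the previous entry's tag."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    payload = prev_tag.encode() + str(seq).encode() + b"|" + canonical
    return hmac.new(HMAC_KEY, payload, hashlib.sha256).hexdigest()


def append(log: list, record: dict) -> dict:
    """Append a record, chaining it to the current head of the log."""
    seq = len(log)
    prev = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"seq": seq, "record": record, "tag": entry_tag(prev, seq, record)}
    log.append(entry)
    return entry


def verify(log: list) -> int:
    """Return -1 if every entry chains correctly, else the index of the first bad entry."""
    prev = GENESIS_TAG
    for i, entry in enumerate(log):
        expected = entry_tag(prev, i, entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = entry["tag"]
    return -1


def head_matches(log: list, anchored_tag: str) -> bool:
    """Compare the current log head with a tag stored out of band (e.g. at the collector)."""
    head = log[-1]["tag"] if log else GENESIS_TAG
    return hmac.compare_digest(head, anchored_tag)


def build_sample_log() -> list:
    log = []
    for rec in SAMPLE_EVENTS:
        append(log, rec)
    return log


def tamper_and_check() -> dict:
    """Exercise the verifier against three manipulations an intruder might attempt."""
    log = build_sample_log()
    anchor = log[-1]["tag"]  # what the collector would hold as the latest head
    results = {"intact": verify(log)}

    edited = copy.deepcopy(log)  # 1. rewrite a failed logon as a success
    edited[1]["record"]["outcome"] = "success"
    results["edited"] = verify(edited)

    gapped = copy.deepcopy(log)  # 2. remove an entry from the middle
    del gapped[2]
    results["deleted_middle"] = verify(gapped)

    truncated = copy.deepcopy(log[:-1])  # 3. drop the newest entry
    results["truncated"] = verify(truncated)  # the chain alone cannot tell
    results["truncated_vs_anchor"] = head_matches(truncated, anchor)  # the anchor can
    return results


if __name__ == "__main__":
    print(tamper_and_check())
```

Two design points matter for anyone implementing this. The tag is keyed (HMAC) rather than a bare hash, because a plain SHA-256 chain can be recomputed by anyone with write access to the file. And a chain on its own only detects edits and mid-stream deletions; truncating the tail leaves a perfectly valid shorter log, which is why the latest head must also be anchored somewhere the attacker cannot reach, typically by forwarding each entry to a remote, write-once collector that holds the key.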
The focus on resilience closes with an observation that there “is value in addressing Nassim Taleb’s concept of ‘Antifragility’. This means moving beyond simply withstanding shocks, to growing stronger because of them.”
The report links operational resilience to technological adaptation. With an eye on the future, it advocates for greater focus on AI risk, a phased approach to post-quantum cryptography (PQC), and strong authentication as key enablers of future resilience.
- AI resilience: The NCSC warns that threat actors are already using AI to enhance reconnaissance, exploit discovery, and data exfiltration. Its response centres on AI assurance, secure-by-design principles, and radical transparency to manage AI-driven risk within both enterprise systems and national infrastructure.
- Post-quantum transition: The report reaffirms the NCSC’s three-phase migration guidance towards quantum-resistant cryptography (discovery and planning by 2028, the highest-priority migrations by 2031, full migration by 2035), urging early inventory of cryptographic assets, algorithm selection and hybrid deployment. PQC is framed as a long-term resilience discipline, not a future problem.
- Passkeys and authentication: Through campaigns promoting passkeys over passwords, the NCSC advocates for phishing-resistant, hardware-backed authentication as a baseline for both citizens and enterprises.
- Crypt-Key and Initiate programmes: These initiatives mark investment in UK-sovereign cryptography research and practical cryptographic resilience testing, embedding PQC readiness into operational standards.
The 2025 NCSC Annual Review makes clear that boards and executives must take direct responsibility for cybersecurity. As connectivity, interdependence and automation increase, cyber risk is no longer a technical issue but a core governance and business-continuity concern. Organisations that wish to realise the productivity and innovation gains of digital transformation must recognise that cybersecurity is an enabler, one that demands sustained investment in people, processes and technology to build lasting operational resilience.