Decoding the world of cybersecurity

UK adds cyber risks to national register

The UK has added cyber attacks on data, water, and police infrastructure to the National Risk Register, alongside digital resilience failure after CrowdStrike.

UK adds cyber risks to national register
Summary
  • The Cabinet Office has added several cyber and digital resilience risks to the National Risk Register.
  • New risks include cyber attacks on data infrastructure, water infrastructure, and police systems.
  • “Digital resilience failure” has been added after lessons from the July 2024 CrowdStrike outage.

The Cabinet Office has added new cyber and digital resilience risks to the UK’s National Risk Register, including cyber attacks on data infrastructure, water infrastructure, and police systems.

The updated register, published alongside the Annual Resilience Statement, adds seven new risks in total. Cyber attacks on data infrastructure, water infrastructure, and police systems are among the additions, while “digital resilience failure” has been included after lessons from the July 2024 CrowdStrike outage. The government describes the register as the public-facing version of the National Security Risk Assessment, intended to support preparation for major risks rather than predict events.

The update places cyber risk inside a wider national preparedness agenda covering democratic interference, extreme weather, AI, emergency planning, and hybrid threats. Ministers also said the government will launch a public resilience campaign and hold a major home defence exercise in 2027 to test preparedness for hybrid attacks against the UK.

Cyber attacks on data infrastructure point to the UK economy’s dependence on datacentres, cloud platforms, connectivity providers, managed services, and software platforms that are often privately owned but publicly consequential. Disruption to those environments can affect public services, financial activity, healthcare, retail, transport, communications, and the ability of organisations to function during a crisis.

Water infrastructure and police systems bring the risk closer to essential public services. A cyber incident affecting water operations could create public safety, environmental, operational, and trust consequences. Disruption to police systems could affect investigations, emergency response, custody processes, evidence handling, and access to information. In both sectors, digital systems now sit close to service continuity.

The addition of digital resilience failure broadens the register beyond hostile activity. The CrowdStrike outage showed that a failed software update or trusted technology dependency can produce disruption at a scale normally associated with malicious incidents. Resilience planning therefore needs to cover cyber attack, supplier failure, cloud outage, misconfiguration, software defect, and recovery from trusted technology going wrong.

The register also sits alongside pending changes to UK cyber law. The Cyber Security and Resilience Bill is intended to update the UK’s NIS regime and bring more organisations, including some managed service providers and datacentres, into scope. Together, the register and legislative direction point to higher expectations around incident reporting, preparedness, supplier management, and recoverability for organisations operating or supporting important digital services.

Resilience exercises, continuity arrangements, crisis communications, cyber insurance assumptions, and supplier contracts all need to reflect systemic dependency. A single software update, provider outage, or infrastructure compromise can affect several sectors at once when services share technology, suppliers, identity systems, cloud platforms, or data environments.

The Cabinet Office’s National Risk Register update records a clear shift in UK planning. Cyber attacks and digital failures now sit alongside physical infrastructure disruption, hostile state activity, and civil contingency response in the national risk picture.

×