RUSI paper calls for a more interventionist UK cyber strategy

A new paper from the Royal United Services Institute (RUSI) argues that weak cyber security is undermining UK economic growth and national security, and that the UK’s current approach to cyber resilience is insufficient to address systemic risk. Based on research conducted between January and October 2025, including interviews with government, industry and academic stakeholders, the paper sets out priorities for the forthcoming National Cyber Action Plan, expected in spring 2026.

The paper highlights the scale of economic harm caused by cyber incidents. It cites estimates from the Department for Science, Innovation and Technology (DSIT) that malicious cyber activity costs UK businesses £14.7 billion each year, and highlights high‑profile incidents such as the 2025 cyber attack on Jaguar Land Rover, which reportedly resulted in losses of £1.9 billion and contributed to slower UK GDP growth.

RUSI argues that successive UK governments have relied too heavily on voluntary guidance, light‑touch regulation outside critical national infrastructure, and policies designed to minimise costs for business. It concludes that this approach has failed to reduce cyber risk at the pace or scale required, and that there is growing recognition within government that market forces alone will not deliver adequate cyber resilience.

The paper identifies six cross‑cutting priorities for the National Cyber Action Plan. These include reframing cyber strategy around economic security and urgency; developing a new threat‑response model that better balances state‑led cyber threats and cybercrime; and strengthening accountability and transparency across government and the private sector. It also calls for cyber risk to be treated as a core component of corporate governance, including clear board‑level responsibility.

A central theme is the role of market incentives. RUSI argues that technology vendors are not currently held accountable for insecure products, with liability routinely contracted away, leaving users and society to absorb the costs of cyber incidents. It recommends a formal consultation on software liability legislation in 2026, alongside the introduction of limited vendor liability in government technology contracts from 2027.

The paper also highlights weaknesses in enforcement, noting that between 2021 and 2024 there were 232 investigations under the Network and Information Systems Regulations but no formal sanctions. It recommends better resourcing of regulators and stronger accountability for delivery of cyber strategy. The paper concludes that the National Cyber Action Plan represents a critical opportunity to address longstanding structural weaknesses in the UK’s cyber resilience framework.

Our thoughts

RUSI’s paper brings together themes that have been debated for some time, and its tone reflects a clear shift in momentum towards a more interventionist approach to cyber resilience in the UK. The focus on economic harm, systemic risk and supply‑chain accountability mirrors what we are seeing across our client base: cyber is increasingly treated as a business‑critical governance issue rather than a purely technical one.

The recommendations on board‑level responsibility, improved enforcement and potential software liability would, if adopted, represent significant changes to the current regulatory landscape. Organisations may find it helpful to begin horizon‑scanning now - particularly in relation to governance structures, supplier contracts and incident preparedness - ahead of publication of the National Cyber Action Plan.

This article was written by Amy Khodabandehloo, Tom Whittaker and Alice Gillie.