The NCSC's 2025 Annual Review reveals a sharp escalation in nationally significant cyber incidents — up from 89 to 204. With attacks on Co-op, M&S, and JLR making headlines, we distil the key findings.
The National Cyber Security Centre's 2025 Annual Review is not comfortable reading. High-profile attacks on the Co-operative Group, Marks and Spencer, and Jaguar Land Rover dominated headlines. But the aggregate data reveals something more troubling: a threat landscape that is not just growing, it is accelerating in scale and severity.
For anyone leading security in critical national infrastructure, this review is a catalyst. Not for alarm, but for honest assessment of where your organisation stands against a shifting baseline.
During the 2024-25 review period, the NCSC triaged 1,727 incident reports from across the UK. Of these, 429 required direct NCSC support—a significant operational load on the national cyber defence capability. The classification breakdown is the telling part.
Of those 429 incidents, 204 were nationally significant—incidents that pose a genuine threat to essential services, the economy, or national security. That's nearly half. The previous year recorded 89 nationally significant incidents. This isn't a fluctuation. This is more than double.
Eighteen incidents were classified as highly significant—a 50% increase and the third consecutive year of escalation at this severity level. These numbers point to a structural shift in the threat landscape, not a temporary spike.
The NCSC identifies ransomware as the most acute and pervasive cyber threat to UK organisations. The Dragos 2026 OT Cybersecurity Year in Review supports this assessment: a 49% year-on-year surge in ransomware attacks targeting industrial organisations globally.
The Co-operative Group attack illustrated the real-world cost. Operations disrupted, data compromised, significant remediation effort required. For CNI organisations—energy, transport, water, communications—the stakes are orders of magnitude higher. Operational disruption doesn't just affect customer experience. It affects public safety and essential services.
The NCSC explicitly addresses AI's role in the threat landscape. Threat actors are using AI to enhance existing tactics—more sophisticated social engineering, automated reconnaissance, improved malware development—rather than develop entirely new attack methods.
This means your existing threat models need updating. The NCSC's Innovation Forum roundtable with CISOs from National Grid, OVO Energy, Santander, and others flagged deepfakes as an emerging concern. The recommendation: realistic deepfake simulations as part of security awareness training.
For CNI organisations, this is a capability gap that demands immediate attention.
Critical national infrastructure remains a primary target for both state-sponsored and criminal threat actors. The convergence of geopolitical tensions and the expanding digital attack surface across CNI sectors creates a persistent and elevated threat level.
GCHQ Director Anne Keast-Butler's message in the review is direct: organisations must prioritise cyber risk management and must not be easy targets. This applies as much to large utilities and transport operators as it does to smaller organisations within their supply chains.
The NCSC's defensive efforts are significant. The Early Warning service now supports over 13,000 organisations. The Takedown Service removed 1.2 million phishing campaigns. But these are defensive tools, not substitutes: individual organisations must build their own robust security capabilities.
For CISOs and security directors across CNI sectors, the NCSC Annual Review reinforces several hard priorities.
Incident response readiness must move beyond planning. Regular testing. Crisis scenario rehearsals. Response capabilities tuned for crisis posture, not steady-state operations. The NCSC's guidance is clear: plan for the worst, test your response, and evolve.
Board engagement on cyber risk is essential. The sustained escalation in nationally significant incidents means cyber security is no longer a technical concern. Boards must understand the risk and own it. This is not something you delegate to IT.
Talent investment remains fundamental. The sophistication and volume of threats described in this review demand skilled, experienced security professionals. Automated tools and AI augmentation are valuable, but they require human expertise to configure, monitor, and make strategic decisions. You cannot automate your way out of this challenge.
Supply chain security requires attention. Many of the incidents in the review exploited supply chain vulnerabilities. Your security posture must extend beyond your own perimeter to encompass your supplier ecosystem.
The NCSC Annual Review is not just a retrospective. It is a forward indicator. The trends it identifies point to a 2026 threat landscape that will be even more challenging, not less.
Organisations that treat this data as a catalyst for action—that examine their own incident response readiness, their talent strategy, their supply chain risk—will be better positioned to protect the infrastructure the nation depends on. Those that file it away will face 2026 with outdated threat models and insufficient capability.
For CNI organisations competing for security talent, this review is also a recruitment tool. Candidates who see that your board owns cyber risk, that you invest in incident response capability, and that you're building a team with real authority and real purpose, are more likely to take you seriously. A credible security strategy is itself a competitive advantage in hiring.