The UK's National Cyber Security Centre (NCSC) recorded 204 nationally significant cyber incidents in the 12 months to September 2025, more than double the previous year and the highest on record. Of 429 total incidents requiring NCSC intervention, 18 were classified as highly significant — a nearly 50% year-on-year increase. APT groups are behind a large share of activity, targeting critical infrastructure including the expanding decentralized energy sector. The UK government is responding by urging FTSE 350 boards to treat cyber resilience as a strategic priority, reforming NIS regulations via the Cyber Security and Resilience Bill, and introducing baseline cyber hygiene requirements for energy sector licensees. Gaps remain, particularly around operational technology (OT) environments not fully covered by existing frameworks like Cyber Essentials.
Table of contents
The Acceleration of UK National Cyber ThreatsWhen Cybersecurity Becomes a Boardroom IssueEnergy Transformation and the Expanding Attack SurfaceThe Cascading Risk of Infrastructure DisruptionRethinking Regulation for Modern ThreatsBaseline Security: Necessary but Not SufficientConclusionSort: