Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
29MAY

UK cyber sector clears 14.7bn pounds

4 min read
14:17UTC

DSIT put the UK cyber sector at 14.7 billion pounds and announced 90 million pounds aimed at SMEs and NHS suppliers, the exact chain that recent breaches exposed.

TechnologyDeveloping
Key takeaway

A 14.7 billion pound sector still leaves NHS and SME suppliers as the chain that 90 million pounds now chases.

The Department for Science, Innovation and Technology (DSIT) reported in its May newsletter that the UK cyber security sector now turns over £14.7 billion, up 11 per cent year on year, across 2,603 companies (up 20 per cent) employing 69,600 people, with 2,300 net new jobs 1. DSIT runs the government's cyber policy and digital infrastructure. Alongside the figures it announced £90 million in new funding aimed at small and medium-sized enterprises and NHS suppliers.

That money chases the exposure recent breaches have exposed. NHS suppliers are where the Stryker device wipe and the £963,900 South Staffs Water fine bit hardest, upstream of the hospitals and the taps. DSIT also set out a voluntary Cyber Resilience Pledge: signatories commit to a board-level cyber lead, enrolment in the NCSC's free Early Warning service, and Cyber Essentials across their supply chains, with a formal launch in summer 2026 and signatories published on GOV.UK.

The Cyber Security and Resilience Bill sets the regulatory backdrop, and it is not fresh news. DSIT frames it as having cleared its Commons committee and due back for Report stage before the Lords . The open question is whether a voluntary pledge moves boards that statute has not yet reached, or whether it stays a press release. A pledge with no enforcement teeth tends to attract the firms that already comply, and to leave the under-resourced SME suppliers, the ones the £90 million is meant for, exactly where they were.

Deep Analysis

In plain English

Every year the UK government publishes figures on how large Britain's cybersecurity industry is. In May 2026, it reported the sector brought in £14.7 billion in revenue, employed nearly 70,000 people, and added 2,300 new jobs, roughly the same size as the UK's aerospace maintenance sector. At the same time, the government launched a voluntary programme called the Cyber Resilience Pledge. Companies that sign up agree to three things: appoint a board-level executive responsible for cybersecurity, register for a free government alert service run by the National Cyber Security Centre (NCSC), and obtain a basic security certification called Cyber Essentials across their supply chains. The £90 million announced alongside the Pledge is specifically aimed at smaller businesses that supply the NHS, because a cyberattack on a small supplier can disrupt hospital operations even if the hospital itself has strong defences. The Pledge is voluntary for now, but a new law currently going through Parliament would make similar requirements legally binding once it passes.

Deep Analysis
Root Causes

UK cyber regulation operates in a dual-track gap: large enterprises above roughly 250 employees face ICO enforcement, NCSC guidance, and growing Cyber Essentials procurement pressure, while the SME supply chain, which includes most NHS tier-2 and tier-3 suppliers, sits below the practical enforcement threshold of every existing instrument.

The £90m funding allocation targets this gap directly, but the funding mechanism, grants and subsidies rather than subsidised certification, does not address the capacity problem: SMEs lack the internal technical personnel to implement Cyber Essentials controls, not the certification fee.

The Cyber Resilience Pledge's formal launch is timed to precede Royal Assent of the Cyber Security and Resilience Bill (CS&R Bill). DSIT is using the voluntary instrument to build a cohort of compliant suppliers before the statutory 24-hour incident-reporting obligation arrives, so that the compliance infrastructure exists before the reporting obligation creates the demand for it.

The sequencing is deliberate, but it also means the Pledge's first cohort is drawn from organisations that already have board-level cyber awareness and can respond to a voluntary signal.

What could happen next?
  • Consequence

    The adverse-selection dynamic means the Pledge's first-cohort compliance data will overstate supply-chain coverage; DSIT's summer 2026 launch signatory list will not represent the uncertified SME tail that the £90m funding is designed to reach.

    Short term · Assessed
  • Precedent

    If DSIT follows the Cyber Essentials procurement-mandate model, board-level cyber lead designation will become a condition of NHS and central-government supplier approval within 18 to 24 months of the Pledge's formal launch.

    Medium term · Assessed
  • Risk

    The UK-EU regulatory divergence widens: NIS2 imposes statutory fines on essential entities across 18 sectors, while the UK Pledge remains voluntary pre-CS&R Bill. UK-headquartered suppliers operating across both markets must now track two separate compliance timelines and board-governance models.

    Medium term · Assessed
First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on

GOV.UK (Department for Science, Innovation and Technology)· 29 May 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.