The NCSC Annual Review 2025: Between Capability and Stasis

The article examines the NCSC Annual Review 2025 as both a testament to accomplishment and a warning. It praises the NCSC’s technical competence but questions its identity: regulator, delivery agency, or state-backed market player? It highlights contradictions — DSIT hailing it as “the jewel in the crown” while eroding its remit, diluting CyberFirst into TechFirst, ending its startup work, and overstating the benefits of Cyber Essentials. The piece concludes that the NCSC is overextended and under-defined, needing clarity of purpose more than new initiatives — less performance, more direction.

Executive Summary (TL;DR)

The NCSC Annual Review 2025 is both a testament and a test — a study in technical competence and institutional drift. It presents a capable organisation operating at the edge of its remit: effective in practice, uncertain in purpose. Progress is clear across threat response, AI assurance, and public engagement, yet the central question remains unresolved: what exactly is the NCSC for?

It remains suspended between roles — regulator, delivery agency, and market actor — while DSIT praises it as “the jewel in the crown” even as it strips away its remit. CyberFirst has been absorbed into TechFirst, diluting a once-vocational pipeline into generic STEM evangelism. The startup programme has been shuttered. Cyber Essentials is measured by volume, not value. The Review speaks of regional engagement, yet the centre still holds all the gravity.

What emerges is an organisation defined by capability, constrained by constitution. The NCSC delivers world-class technical work, but without strategic coherence or policy authority. Its challenge is not one of performance, but of purpose. The UK’s cyber apparatus no longer needs more initiatives — it needs a definition. Until that arrives, Britain’s cyber resilience will remain impressive in parts, but incomplete as a whole.

Introduction: Reviewing the Review

The NCSC Annual Review 2025 is not a document to be skimmed; it is a mirror held up to the state’s nervous system. It charts the United Kingdom’s digital resilience at a time when the political bandwidth for cyber security has rarely been narrower, and yet the technical dependency has never been greater.

This year’s review arrives with the veneer of composure but the undertone of exhaustion. It is the eighth in the series, and the first to confront the uncomfortable truth that the UK’s cyber posture has plateaued. The tone is factual, polished, professional, but curiously self-limiting. For all its talk of “world-leading capability”, it is haunted by an unspoken question: are we still building, or merely maintaining?

The Review’s structure, while familiar, reveals much about the system that produced it. It offers the usual blend of operational highlights, public service announcements and ministerial applause. Yet beneath the official grammar of reassurance lies an uneasy admission that the threat has outpaced the machinery of government, and that the country’s cyber resilience—its capacity not only to resist but to recover—remains underdeveloped and unevenly distributed.

For all its institutional ambiguity, the NCSC remains technically formidable. Its engineers, analysts and responders are among the best in government, and the Review quietly demonstrates as much. The steady containment of major incidents, the maturity of its partnerships, and the professionalism of its outputs are all beyond dispute. The problem is not competence but coherence: a body capable of almost anything, still unsure what it is supposed to be.

Summary and Deep Dive: The Shape of the Year

The Review organises itself around six themes: the threat landscape; defence and national security; resilience of critical infrastructure; the rise of AI and emerging technologies; public and business protection; and education and skills. Each is summarised with statistics and success stories, but the true meaning lies between the lines.

Threat Landscape

The year 2025 saw a sharp escalation in both scale and sophistication of hostile activity. The Review reports a 45 percent rise in significant incidents, a figure that may understate the reality, given persistent under-reporting in the private sector. Russia remains the habitual antagonist, Iran the opportunist, and China the silent structural competitor. The emergence of AI-enabled social engineering and automated reconnaissance tooling marks a shift from artisanal attack craft to industrial-scale offence.

Hybridisation is now normalised: the distinction between state, proxy and criminal actor is largely performative. The NCSC’s case studies—on ransomware supply chains and malicious information operations—illustrate a theatre in which attribution has become almost irrelevant. The strategic picture is not of war but of permanent friction.

Defence and National Security

The NCSC continues to anchor itself within the GCHQ–MOD complex, now fully integrated with the National Protective Security Authority (NPSA). The formation of the Joint State Threats Assessment Cell reflects a mature understanding of cyber as intelligence practice rather than IT hygiene. Yet even here, the Review betrays a bureaucratic comfort zone. The institutional charts show coordination, but not control. The command architecture of the national cyber effort remains fragmented, and the feedback loops between NCSC, law enforcement and regulators are still dependent on goodwill rather than design.

Critical Infrastructure Resilience

Seventeen major incidents were reportedly prevented or mitigated, spanning energy, healthcare and local government. The Review notes improved detection and response times—down by around a third—but fails to supply absolute numbers, baselines or mean-time-to-recover metrics. Progress is evident, but unmeasured.

The emphasis on “resilience” is welcome but uneven. While the energy sector receives detailed coverage (including the Ofgem partnership on grid cyber readiness), local government’s fragility is acknowledged only obliquely. Councils remain the soft underbelly of national digital infrastructure, under-funded, under-skilled and increasingly targeted.

AI and Emerging Technologies

The headline achievement is the AI Assurance Framework, developed with DSIT and academic partners. It is a serious piece of work in intent if not yet in effect. Its focus on transparency, model integrity and supply-chain assurance is appropriate, but its scope is advisory rather than mandatory. The Review speaks earnestly of “verifiable AI”, but verification requires an authority and a process. Neither yet exists.

The NCSC’s pilots on AI-driven threat detection, and its warnings on synthetic identity fraud, are commendable, but they skirt the larger policy vacuum: who regulates the regulators of machine intelligence? The UK remains rhetorically confident but institutionally uncertain.

Public and Business Protection

On the citizen front, the Review claims that 82 000 small businesses engaged with Cyber Essentials Plus and Cyber Aware, and that Early Warning 2.0 now automates incident notifications through an online portal and API integration. It is progress, but progress at a population scale that remains derisory. The UK hosts nearly six million SMEs; even if all 82 000 were genuinely engaged, that represents less than 1.5 percent of the total base.

The report’s tone is of earnest encouragement, but the underlying model—voluntary uptake, self-assessment, soft compliance—is visibly running out of road. Cyber resilience cannot be crowd-sourced.

Skills and Capability

Here the NCSC is at its most optimistic. The CyberFirst programme now spans 140 schools, 19 universities and over 4 000 placements, with a welcome increase in gender balance (37 percent female participation in the CyberFirst Girls competition). The intention is noble; the scale remains marginal. The UK cyber workforce now exceeds 150 000, yet the annual inflow from such programmes remains a fraction of attrition.

More promising are the references to Cyber Resilience Test Facilities (CRTFs), developed with Plexal, BT and regional clusters. These could evolve into the missing middle of the national ecosystem: operational sandboxes where industry, academia and government co-produce resilience practice. The Review treats them as an experiment; they should already be policy.

Detailed Critique

A Document of Achievement, not of Strategy

The NCSC’s Review is an impressive ledger of activity, but it lacks narrative coherence. It enumerates what has been done without articulating what must be done next. The tone is managerial rather than strategic, risk-averse rather than reforming. It is the publication of an agency that has succeeded in mastering the operational brief but not yet the systemic one.

Metrics without Measurement

Percentages proliferate; baselines are absent. “Improved by 30 percent” is meaningless without an initial denominator. There are no consistent national metrics for cyber readiness, no time-series data for incident response or workforce capacity, and no regional disaggregation. The absence of measurement corrodes accountability.

The Illusion of Integration

The Review’s diagrams of partnership—NCSC, NPSA, MOD, DSIT, Ofgem, NHS England—create an image of coherence that the lived experience does not support. Coordination is not the same as integration. Each department still guards its own data, budget and narrative. Without a shared governance framework or common operational doctrine, the UK’s cyber system remains an archipelago of initiatives.

AI and the Return of the Advisory State

The AI Assurance Framework is symptomatic of a broader national tendency: to publish principles where we require regulation. The UK is now awash with voluntary frameworks that no-one is compelled to follow. The Review’s discussion of AI risk is intellectually sound but operationally timid. If the country’s strategy is to “lead by example”, it must first lead by evidence.

The Missing Middle: Local Government and the Supply Chain

It is extraordinary that the Review continues to understate the systemic vulnerability of local authorities, managed service providers and secondary suppliers. These are the connective tissue of the public realm, and yet they remain the least defended. Ransomware, data exfiltration and service outages in this layer have social as well as economic consequences. The NCSC’s silence here is not neutral; it is political.

Communications and Public Trust

The Review’s language remains that of the technocratic establishment. It reassures, but it does not engage. The public conversation about cyber remains abstracted, dominated by slogans (“resilience”, “trust”, “world-leading”) rather than specifics. The NCSC has yet to find a narrative voice that connects national security with civic life.

Recommendations for Improvement

  1. From Activity to Strategy
    Future reviews should articulate priorities, trade-offs and trajectories, not simply outcomes. The NCSC must shift from cataloguing its work to defining the nation’s direction.
  2. Quantitative Baselines and Open Metrics
    Establish a public Cyber Readiness Index, updated quarterly, covering detection times, recovery intervals, workforce ratios and SME compliance. Data transparency would enable trust.
  3. Institutional Integration and Governance Reform
    Create a National Cyber Coordination Council with a statutory mandate to align NCSC, NPSA, DSIT and sectoral regulators under a unified resilience doctrine.
  4. Mandatory AI Assurance and Test Facilities
    Transform the AI Assurance Framework from guidance to governance. Fund a network of accredited CRTFs as the testing infrastructure for both AI and cyber resilience technologies.
  5. Mandatory Reporting and Public-Sector Resilience Standards
    Require local authorities and critical suppliers to meet minimum cyber maturity standards as a condition of public funding or procurement.
  6. Rebuild the Skills Pipeline with Real Work
    Expand CyberFirst into apprenticeship-linked employment guarantees, with regional parity and employer participation, and publish annual retention and conversion rates.
  7. Public Communication and Citizen Literacy
    Launch a national cyber literacy initiative anchored in plain language, practical action and transparency of government data handling. Trust is a function of comprehension.
  8. Continuity and Handover Mechanisms
    Each initiative launched should include an exit or transfer plan to ensure continuity beyond leadership cycles or political reshuffles.

Structural Contradictions and Institutional Realities

The Review’s virtues are many, but beneath its composure lie contradictions that no amount of design language can disguise. What follows are the seven structural tensions that define the NCSC’s position in 2025 — questions of identity, remit and reach that remain unresolved, and which the Review itself inadvertently exposes.

What Is the NCSC, Really? And What Does It Want To Be When It Grows Up?

The Review is painfully unclear on this. It oscillates between describing the NCSC as a “technical authority” and as a “delivery agency”, but never resolves that contradiction. On page 33 it explicitly says that future offerings will focus on “things that the NCSC is uniquely positioned to do… developing services that cannot currently be met by the commercial market”.

That sentence is crucial because it positions the NCSC as both regulator and producer. The problem is that nobody, least of all DSIT or industry, seems to know whether that is intentional. Is it an operational arm of GCHQ? A regulator in waiting? A quasi-market player building tools? Its remit has become elastic to the point of abstraction.

The Blurred Line Between Regulator and Market Competitor

The Review confirms that the NCSC develops and operates free toolsets such as the Cyber Action Toolkit, Early Warning, and Active Cyber Defence services. These are high-functioning, data-driven, automated services that effectively compete with a large swathe of the SME-facing security-tech sector.

They are well-intentioned and technically impressive, but they crowd the commercial field. The language is revealing: “services that cannot currently be met by the commercial market” is a subjective claim that allows the state to displace private innovation whenever it chooses. If the NCSC continues to build its own SaaS-style tooling, the UK risks developing a public-sector monopoly in entry-level resilience.

The DSIT Cyber Growth Action Plan’s Convenient Doublethink

The Cyber Growth Action Plan 2025 (DSIT) names the NCSC “the jewel in the crown” of the UK’s cyber capability, even as its own policy instruments carve away parts of that remit. Growth, innovation, workforce, and ecosystem all now sit under DSIT, not GCHQ.

The Review itself does not acknowledge that erosion. It presents an image of steady inter-agency cooperation while the institutional reality is one of jurisdictional amputation. It is extraordinary to see the NCSC simultaneously lauded and hollowed out: the crown jewel everyone wants to display but no one wants to feed.

CyberFirst “Phoenixes” to TechFirst: Expansion or Dilution?

The Review confirms the transition. CyberFirst has “moved to TechFirst”, with a £187 million DSIT investment announced at London Tech Week 2025, embedding “AI, computer science, cyber security and technology throughout education”.

This is positioned as “building on the proven success of CyberFirst”, but it is a textbook case of programme inflation. What began as a targeted cyber-talent pipeline has become a generic STEM initiative. The claim that the CyberFirst model can sustain AI, quantum and “emerging tech” is questionable. The very thing that made CyberFirst distinctive, its specificity and culture of vocation, risks being absorbed by DSIT’s appetite for broad-brush digital evangelism.

The omission of neurodiversity compounds the error. The UK’s cyber capability has always drawn strength from atypical cognition — people who see patterns others miss, people who ‘think’ differently. Yet neither the Review nor DSIT’s expanded TechFirst narrative acknowledges this. Treating difference as accommodation rather than an advantage is a category mistake. If CyberFirst once channelled that distinctiveness, TechFirst risks sanding it flat.

The Quiet Death of NCSC for Startups

The Review confirms it plainly: the NCSC for Startups programme “has officially concluded”, leaving behind a “legacy of innovation” but no successor scheme.

It supported more than seventy startups, helped raise £550 million in investment, and created around 1,700 jobs before quietly closing. The report spins this as “mission accomplished”, but the underlying story is one of strategic withdrawal. In an ecosystem already struggling for government-backed credibility, this closure is a regression. For innovators seeking validation or co-development with the state, the ladder has been pulled up.

Cyber Essentials: Numbers and Meaning

At face value, the numbers are grim. After seventeen years of operation, fewer than forty thousand organisations hold active Cyber Essentials certification. For a scheme that styles itself as the foundation of national resilience, that is not success; it is inertia with a logo. The Review’s cheerful year-on-year percentage uplift cannot disguise the fact that adoption has flatlined and awareness is shallow. If Cyber Essentials is the on-ramp to responsible security practice, then most of British industry has yet to find the junction.

The Review’s account of Cyber Essentials remains strangely self-limiting. It quotes roughly 39,790 basic and 12,850 Plus certifications — a notional total of 52,000. But counting certificates misses the real measure of value. The meaningful question is who those organisations are. Are they cyber firms? Are they adjacent suppliers? Are they in the defence or security supply chain?

If so, the apparent smallness of the number is misleading. In practice, the security services and the MoD require CE for their small suppliers, and larger contractors working to DEF STAN 05-138 or ISO 27001 frequently cascade the requirement down their own supply chains. The result is a concentric pattern of compliance: relatively few certificates, but disproportionately concentrated in the companies that matter — those handling sensitive data, providing national capability, or supporting critical systems.

This, ironically, is a far healthier sign of maturity than mass participation would be. Cyber Essentials is functioning as a selective quality gate rather than a universal hygiene test. Its problem is not reach but definition. What it should now do is articulate that — move from vanity metrics to meaningful topology, mapping compliance across the ecosystem so we can see where assurance is structural rather than decorative.

(And yes, there are still technical absurdities — our own scanners routinely flag configuration failures that ought to invalidate certificates — but those are operational issues, not conceptual ones.)

The Regional Question: London, Cheltenham, Manchester, Milton Keynes

The Review finally nods to the geography of the cyber state. It cites CYBERUK 2025 in Manchester as a symbol of the North West’s digital ascent. It references Milton Keynes in relation to self-driving vehicle testing and CAV cybersecurity. It highlights Cheltenham implicitly through GCHQ’s role but avoids naming it directly.

It also describes collaboration in Scotland, Wales, and Northern Ireland through tailored frameworks and local Security Operations Centres. So, the NCSC is beginning to sound like a national body, yet it still operates primarily from the Home Counties. The Review’s regional content reads like an appendix rather than an organising principle. London remains dominant, Manchester the showpiece, Cheltenham the fortress. The missing element is federalisation: a genuine regional presence with budget, authority and mandate.

In Summary: What This All Adds Up To

The Review is rich but confused. It portrays a world in which the NCSC acts simultaneously as regulator, developer, educator, and market competitor, while being increasingly subordinated to DSIT in matters of policy and talent. It builds world-class tools, then denies the market space to replicate them. It closes innovation programmes, then claims their legacy. It celebrates regional engagement, yet administers Britain’s cyber posture as a Home Counties franchise.

The NCSC of 2025 looks less like a crown jewel and more like a misunderstood organ: vital, overworked, and under-defined.

Combined Recommendations (Synthesis of Achievements and Gaps)

The preceding sections outline the contradictions and the missed opportunities; what follows is not a reprise but a route. These recommendations combine the operational fixes and institutional reforms that would turn the NCSC’s competence into coherence. They are not new tasks but refinements of purpose — a way of converting capability into continuity.

Area: Threat Management
    2025 Achievement: 45 percent rise in incidents managed; reduced detection and response times; improved collaboration with law enforcement.
    Next-Stage Imperative: Shift from reactive containment to predictive resilience through AI-driven threat modelling and cross-sector threat intelligence sharing. Establish common metrics for “significant incident” classification to allow longitudinal tracking.

Area: National Coordination and Governance
    2025 Achievement: Deeper NCSC–MOD–NPSA integration and formation of the Joint State Threats Assessment Cell.
    Next-Stage Imperative: Create a statutory National Cyber Coordination Council to align policy, intelligence, and operations. Clarify the NCSC’s constitutional identity: technical authority, regulator, or delivery agency. Authority without definition is fragility.

Area: Critical Infrastructure Resilience
    2025 Achievement: Seventeen major incidents prevented; Ofgem partnership on grid readiness.
    Next-Stage Imperative: Move to standardised resilience testing and independent audit across all CNI sectors. Embed Cyber Resilience Test Facilities (CRTFs) as a permanent national capability rather than an experiment.

Area: AI and Emerging Technologies
    2025 Achievement: Launch of the AI Assurance Framework in partnership with DSIT and academia.
    Next-Stage Imperative: Transform guidance into governance: mandate assurance for AI systems used in national security, public services, and regulated sectors. Create an AI Assurance Regulator with teeth, not templates.

Area: Public and SME Protection
    2025 Achievement: Early Warning 2.0 and Cyber Aware outreach to 82 000 businesses.
    Next-Stage Imperative: Reframe Cyber Essentials from volume to topology. Map adoption across critical supply chains to show structural assurance rather than raw counts. Mandate participation for suppliers to government and regulated sectors.

Area: Cyber Essentials Programme Integrity
    2025 Achievement: 39 790 basic and 12 850 Plus certifications, up 17 percent year-on-year.
    Next-Stage Imperative: Recast CE as a selective quality gate focused on strategic industries. Publish transparent adoption maps by sector and region. Introduce continuous monitoring and enforcement of certification validity.

Area: Innovation and Startups
    2025 Achievement: Concluded NCSC for Startups after supporting 70 firms, £550 m raised, 1 700 jobs created.
    Next-Stage Imperative: Replace with an Innovation Directorate offering continuous co-development channels for British cyber SMEs. The state must mentor markets, not exit them.

Area: Skills and Capability Development
    2025 Achievement: CyberFirst expanded to 140 schools and 19 universities.
    Next-Stage Imperative: Prevent dilution under TechFirst by maintaining a distinct cyber stream with vocational focus. Link funding to apprenticeship conversion rates and regional parity.

Area: Neurodiversity and Workforce Composition
    2025 Achievement: Brief mention of inclusion via CyberFirst participation, but no recognition of neurodiversity as a strategic strength.
    Next-Stage Imperative: Treat neurodiversity as a capability, not an accommodation. Build targeted recruitment and support pathways for neurodivergent talent across NCSC, government, and suppliers.

Area: Regional Ecosystem Development
    2025 Achievement: CYBERUK 2025 in Manchester; limited reference to Milton Keynes, Scotland, and Wales.
    Next-Stage Imperative: Federalise the NCSC presence: devolved regional hubs with budgetary autonomy and local mandates. Measure regional resilience alongside national indicators.

Area: Communications and Public Trust
    2025 Achievement: Improved public-facing tone; growing media engagement.
    Next-Stage Imperative: Adopt a civic communication model: explain national cyber policy in human terms. Make transparency a pillar of resilience rather than a public-relations device.

Area: Institutional Continuity
    2025 Achievement: Multi-agency cooperation visible, though informal.
    Next-Stage Imperative: Establish long-term strategic dashboards and formal handover protocols to prevent initiative collapse during political turnover. Continuity is strategy’s proof of life.

The next step is constitutional rather than technical: a decision about what kind of state the NCSC serves, and how openly it chooses to serve it.

Conclusion: A Maturing Institution at Risk of Plateau

The NCSC Annual Review 2025 is a record of achievement by a mature, competent and globally respected organisation. It deserves recognition for operational excellence and integrity of purpose. Yet excellence is not the same as sufficiency.

The Review reflects an agency straining against the limits of its mandate, performing heroics within a system that mistakes coordination for control and publication for progress. The UK’s cyber architecture remains heavily centralised, overly procedural and insufficiently adaptive.

If 2024 was the year of consolidation, then 2025 should have been the year of renewal. Instead, we are left with an impression of capable stasis. The NCSC has built the machinery of resilience, but the state has yet to supply it with direction.

The challenge ahead is not technological but constitutional: to embed cyber security not as an adjunct of national defence but as the grammar of modern governance. Until that happens, the Annual Review will continue to describe a system that is perpetually “improving”, yet never complete.