Reviewing the 2025 UK Cyber Policy Paper: Promise, Blind Spots, and the Challenge of Continuity

This article, written in reaction to the DSIT Cyber Policy 2025, reviews and critiques the government’s new approach. It recognises what the policy gets right — framing resilience as growth, creating safe havens, and calling for a one-team response — but also highlights what is missing: metrics, continuity, practitioner voice, and regional balance. Without these, the new policy risks becoming rhetoric rather than a platform for real progress. Unless the UK moves decisively from aspiration to delivery, the 2025 Cyber Policy will join its predecessors as another missed opportunity.

Introduction

The 2025 Cyber Policy Paper sets out a bold vision for the UK cyber economy, positioning growth, resilience, and value for money as interdependent objectives. It echoes themes from prior strategies yet underplays the historical volatility of government programmes, the institutional frictions between NCSC and DSIT, and the limited adoption of flagship schemes such as Cyber Essentials and Cyber Runway. This article offers a detailed critique, tracing the policy paper’s recommendations against the last fifteen years of cyber policy development, assessing contradictions in its framing, and proposing evidence-based reforms to stabilise the sector.

1. Synopsis of the Policy Paper

The policy paper advances:

  • Safe environments: the establishment of Cyber Growth Centres to facilitate exercises, co-creation, and testing with real data.
  • Collective identity: a call for the UK cyber community to act as “one team.”
  • Value for money redefined: embedding resilience, sovereignty, and growth alongside cost efficiency.

It is heavily footnoted, drawing on DSIT, NCSC, ISC², WEF, and industry reports.

2. Strengths

  1. Holistic ambition: Growth and resilience are linked, recognising that industrial capacity underpins national security.
  2. AI realism: The acknowledgement of AI-enabled crime and AI-enabled defence is timely.
  3. Social capital: The recognition that networks, clusters, and trust relationships drive innovation reflects sociotechnical awareness.
  4. Regional gestures: The proposal of “growth centres” references models such as Hub8 (Cheltenham) and DiSH (Manchester), if only implicitly.

3. Blind Spots

3.1 Historical Precedents Ignored

The paper presents its recommendations as novel, but their lineage is clear:

  • Safe environments: NCSC for Startups (2017–2023), run with Plexal, offered a similar co-creation model but was wound down after six years. No explanation is offered for why it ended or why its lessons are not built upon.
  • Collective identity: UKC3 (2021–) was founded to unify clusters. Yet UKC3 has remained underfunded and reliant on Innovate UK short-term grants. The policy paper does not reference it directly.
  • Value for money: The 2011 National Cyber Security Strategy already articulated resilience and sovereignty as part of procurement value. The 2025 paper repeats rather than advances this framing.

3.2 Evidence Avoidance

  • Cyber Essentials: Launched in 2014, celebrated at its tenth anniversary in 2024, yet by mid-2025 had issued ~45,000 certifications across 6–8 million UK organisations (IASME, 2025). The adoption gap is stark. The paper highlights CE but sidesteps its limited penetration.
  • Cyber Runway: Begun in 2021 as the UK’s “largest accelerator,” operated by Plexal. DSIT’s own 2023 evaluation noted limited scaling impact, heavy London/South East bias, and lack of follow-on investment routes. Procurement for Runway in 2025 has not been renewed — unacknowledged in the paper.
  • CyberASAP: Still running in 2025, but its modest budget (~£4m across cohorts) constrains impact. It is referenced but not critiqued.
  • Cyber Resilience Centres: Set up from 2019 onwards by the Police Digital Service, rolled out nationally by 2021, and engaging thousands of SMEs. They are barely mentioned in the policy paper despite being the closest analogue to the “safe environments” concept.

3.3 Institutional Tensions

The paper skirts the long-standing division of labour problem:

  • NCSC (GCHQ): national resilience, CAF, CyberFirst, CE oversight.
  • DCMS/BEIS → DSIT: innovation funding, accelerators, clusters.

The result has been “programme ping-pong”: e.g., CyberFirst (NCSC) → TechFirst (DSIT); NCSC for Startups (NCSC) vs Cyber Runway (DSIT). The paper does not address how duplication and competition will be resolved.

This tension is not new: DCMS and BEIS tussled over similar ground in the 2010s, and DSIT’s creation in 2023 has not resolved the split.

The paper specifically calls out the value of the NCSC and the need to utilise it, whilst avoiding the reality that most of its funding and programmes have transitioned to DSIT.

3.4 Regional vs Central

The policy document invokes “growth centres” but underplays the existing regional infrastructure:

  • CRCs in all police regions.
  • Clusters such as Midlands Cyber, WM Cyber Hub, and ScotlandIS.
  • UKC3 coordination.

The omission suggests a Bristol/London lens, particularly given the paper’s provenance (University of Bristol input).

4. Contradictions

  1. Continuity vs churn: Stability is urged, yet CE stagnates, Runway lapses, and Startups has closed.
  2. Evidence vs rhetoric: Dashboards for adoption or impact are absent; claims rest on aspiration.
  3. Inclusivity vs exclusivity: TechFirst promises inclusivity, but CRCs and grassroots clusters — the most inclusive structures — are marginalised.
  4. Sovereignty vs acquisition: The paper acknowledges foreign buyouts of UK cyber firms but offers no sovereign finance strategy (e.g., NSI Act levers, NSSIF expansion).

5. Recommendations

  • Institutionalise accelerators: Align CyberASAP → Runway → Startups as a pipeline with rolling multi-year funding.
  • Publish evidence dashboards: CE uptake, CRC engagement, accelerator outputs, regional spread.
  • Formalise DSIT–NCSC coordination: A joint council to prevent duplication and clarify mandates.
  • Fund regional coherence: Merge CRCs and clusters into stable hybrid hubs with DSIT backing and NCSC technical alignment.
  • Reform procurement: Embed resilience weighting (e.g., CAF/CE compliance) into CCS frameworks.
  • Skills inclusivity: Ensure TechFirst integrates behavioural science, social science, and equitable regional access.

Conclusion

The 2025 Cyber Policy Paper articulates ambition but shows insufficient reflexivity. It repeats themes from a decade of strategies while eliding the empirical weaknesses of their delivery. Without acknowledging churn (Tiger, Startups, Runway), under-adoption (Cyber Essentials), and structural overlap (DSIT vs NCSC), the paper risks perpetuating the very instability it decries.

A future-proof cyber strategy requires three things absent here: continuity of programmes, transparency of evidence, and clarity of institutional roles. Without these, the UK will continue to produce policy papers rich in aspiration but poor in implementation. Unless the UK moves decisively from aspiration to delivery, the 2025 Cyber Policy will join its predecessors as another missed opportunity.

References (select)

  • DSIT (2025), Cyber Security Sectoral Analysis.
  • DSIT (2023), Evaluation of the Cyber Runway Programme.
  • IASME Consortium (2025), Cyber Essentials 10-Year Review.
  • NCSC (2025), CyberFirst overview.
  • NCSC (2024), 10 Years of Cyber Essentials.
  • CCS (2024), SME Action Plan.
  • Plexal (2025), Cyber Runway reports.
  • Police Digital Service (2021), Cyber Resilience Centres Model.
  • UKC3 (2025), Annual Report.
  • Cabinet Office (2011), UK Cyber Security Strategy.