UK Cyber Policy Ecosystem Mapped: Structure and Evidence

This article maps the core policy architecture and supporting evidence underpinning the UK cyber security ecosystem. By separating system-defining strategies, legislation, and sectoral analyses from the research and technical studies that inform them, it provides a clearer view of how cyber policy, economics, and regional development interact across government and industry.

1. Introduction

Over the past two years, the UK cyber security landscape has become increasingly structured, with a growing body of legislation, strategy, and sectoral analysis shaping how the ecosystem functions. Alongside this, a parallel layer of research, technical studies, and programme evaluations has emerged to inform and refine that system.

The challenge is not a lack of material, but rather an overabundance of documents of varying significance. Without structure, it becomes difficult to distinguish between what defines the system and what merely describes it. This article addresses that problem by separating core policy and structural documents from the supporting evidence base.

My broader analyses sit within the “Cyber Sectoral Analysis” series. Because I operate within the West Midlands cyber ecosystem, this work draws on West Midlands Combined Authority (WMCA) economic policy to frame national developments, particularly in relation to the West Midlands Cyber Hub.

2. Core Policy & Structure

The following table captures the documents that define the UK cyber ecosystem at a system level. These are the strategies, bills, policy statements, and sectoral analyses that shape incentives, allocate responsibility, and determine how the cyber sector evolves nationally and regionally. Together, these documents form the operating model of the UK cyber ecosystem.

| Date | Bill / Report | Link to bill / report | Article on horkan.com | Link to article on horkan.com |
|---|---|---|---|---|
| 2011 11 25 | UK Cyber Security Strategy | https://www.gov.uk/government/publications/cyber-security-strategy | | |
| 2022 01 25 | Government Cyber Security Strategy: 2022 to 2030 | https://www.gov.uk/government/publications/government-cyber-security-strategy-2022-to-2030 | | |
| 2024 01 05 | WMCA Digital Roadmap Evidence Base Report | https://www.wmca.org.uk/documents/culture-digital/the-west-midlands-combined-authority-digital-roadmap-evidence-base-report/ | Cyber, Growth, and Regional Futures | https://horkan.com/2025/10/06/cyber-growth-and-regional-futures-a-comparative-synthesis-of-six-2025-reports-from-fragmentation-to-framework |
| 2024 02 14 | West Midlands Digital Roadmap 2024–2027 | https://www.wmca.org.uk/media/0sdfg2qn/west-midlands-digital-roadmap-2024-2027-final.pdf | Cyber, Growth, and Regional Futures | https://horkan.com/2025/10/06/cyber-growth-and-regional-futures-a-comparative-synthesis-of-six-2025-reports-from-fragmentation-to-framework |
| 2024 04 24 | Cyber Security Breaches Survey 2024 | https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024 | | |
| 2024 09 30 | Cyber Security and Resilience Bill (collection) | https://www.gov.uk/government/collections/cyber-security-and-resilience-bill | | |
| 2024 10 14 | NCSC Annual Review 2024 | https://www.ncsc.gov.uk/collection/ncsc-annual-review-2024 | | |
| 2025 03 10 | Cyber Security Sectoral Analysis 2025 | https://www.gov.uk/government/publications/cyber-security-sectoral-analysis-2025 | Cyber, Growth, and Regional Futures | https://horkan.com/2025/10/06/cyber-growth-and-regional-futures-a-comparative-synthesis-of-six-2025-reports-from-fragmentation-to-framework |
| 2025 04 01 | New cyber laws to safeguard UK economy and secure long-term growth | https://www.gov.uk/government/news/new-cyber-laws-to-safeguard-uk-economy-secure-long-term-growth | | |
| 2025 04 09 | Cyber Security and Resilience Bill – Policy Statement | https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement | | |
| 2025 06 19 | Cyber Security Breaches Survey 2025 | https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025 | | |
| 2025 06 25 | UK Cyber Growth Action Plan 2025 | https://www.gov.uk/government/publications/cyber-growth-action-plan-2025 | Reviewing the 2025 UK Cyber Growth Action Plan | https://horkan.com/2025/09/25/reviewing-the-2025-uk-cyber-growth-action-plan-promise-blind-spots-and-the-challenge-of-continuity |
| 2025 09 19 | Cyber Security Skills in the UK Labour Market 2025 | https://www.gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2025/cyber-security-skills-in-the-uk-labour-market-2025 | Cyber Security Skills in the UK Labour Market 2025: A Critical Analysis | https://horkan.com/2025/10/03/cyber-security-skills-in-the-uk-labour-market-2025-a-critical-analysis |
| 2025 10 14 | NCSC Annual Review 2025 | https://www.ncsc.gov.uk/collection/ncsc-annual-review-2025 | The NCSC Annual Review 2025: Between Capability and Stasis | https://horkan.com/2025/10/22/the-ncsc-annual-review-2025-between-capability-and-stasis |
| 2025 11 12 | Cyber Security and Resilience (Network and Information Systems) Bill | https://www.gov.uk/government/collections/cyber-security-and-resilience-bill | | |
| 2025 11 12 | Research on managed service providers 2025 | https://www.gov.uk/government/publications/research-on-managed-service-providers-2025 | | |
| 2025 11 12 | Independent research on the economic impact of cyber attacks on the UK | https://www.gov.uk/government/publications/independent-research-on-the-economic-impact-of-cyber-attacks-on-the-uk | | |
| 2025 12 16 | Evaluation of the UKC3 programme 2024-2025 | https://www.gov.uk/government/publications/evaluation-of-the-ukc3-programme-2024-2025 | | |
| 2026 01 06 | Government Cyber Action Plan | https://www.gov.uk/government/publications/government-cyber-action-plan/government-cyber-action-plan | | |

Table 1 – Core Policy & Structure – “What defines the UK cyber system at a structural level?”

3. Evidence & Supporting Layer

In contrast, the next table presents the supporting evidence layer. These documents do not define the system directly but provide the research, technical insight, and analytical depth that inform policy decisions, implementation approaches, and future direction.

| Date | Report / Analysis | Link |
|---|---|---|
| 2025 03 20 | NCSC Post-Quantum Cryptography Migration Roadmap | https://www.ncsc.gov.uk/news/pqc-migration-roadmap-unveiled |
| 2025 11 11 | NCSC Cyber Action Toolkit | https://cybertoolkit.service.ncsc.gov.uk/about |
| 2025 11 27 | Perspectives on the plan for PQC transition | https://www.gov.uk/government/publications/perspectives-on-the-plan-for-pqc-transition |
| 2025 12 16 | Mapping IoT security publications on Enterprise IoT security | https://www.gov.uk/government/publications/mapping-iot-security-publications-on-enterprise-iot-security |
| 2025 12 16 | Research on Enterprise IoT definitions | https://www.gov.uk/government/publications/research-on-enterprise-iot-definitions |
| 2025 12 23 | Cyber security vulnerabilities of operational technologies | https://www.gov.uk/government/publications/cyber-security-vulnerabilities-of-operational-technologies |

Table 2 – Evidence & Supporting Layer – “What informs the system?”

4. Conclusion

Taken together, these two layers provide a more coherent understanding of the UK cyber landscape. The core policy table shows how the system is structured and governed, while the evidence layer reveals how it is analysed, challenged, and refined.

This separation is not just organisational: it is analytical. It allows policymakers, practitioners, and researchers to navigate complexity more effectively, identify gaps in both policy and evidence, and better understand where future work is needed. As the cyber ecosystem continues to evolve, the ability to distinguish structure from evidence will be critical, not just for clarity, but for effective policy, investment, and intervention.