UK Government Updates National Risk Register with Catastrophic Cyber-Attack Warnings
The UK Government adds catastrophic cyber warnings to its National Risk Register — UK-operating defenders align posture this week.
A national risk assessment now models cyber-attacks on water, data, and policing systems — and, at the extreme, a mass digital outage — as risks with catastrophic potential.
LONDON — The UK Government has updated its National Risk Register with a set of new cyber-attack scenarios, several of which it assesses could, at their most severe, produce catastrophic national impact. The latest edition, published on July 14, 2026 and reported by Infosecurity Magazine, adds scenarios covering attacks on data infrastructure, water infrastructure, and policing systems, alongside a mass IT outage on the scale of the 2024 CrowdStrike-related disruption — placing cyber squarely among the tier of civil risks the government plans against.
The register draws on the government's classified National Security Risk Assessment and weighs malicious threats such as terrorism and cyber-attacks alongside non-malicious risks like severe weather. In the 2026 edition of the National Risk Register, cyber-attacks are no longer treated as a peripheral concern but modelled as scenarios with defined likelihood bands and impact ratings — one of which, a mass digital outage, is rated as ranging from moderate to catastrophic. For security leaders at UK-operating organizations, the document functions less as breaking news than as a statement of where the state now places cyber risk in its planning hierarchy.
What the UK Government Updated
According to Infosecurity Magazine's reporting, the 2026 register adds new scenarios anticipating cyber-attacks on data infrastructure, water infrastructure, and policing systems, as well as a mass, CrowdStrike-style IT outage. A separate new section addresses interference in democratic processes, spanning threats to election infrastructure, degradation of the online information environment, and the harassment of candidates or voters.
The data-infrastructure scenario contemplates a disruptive attack on one or more UK colocation datacenters, with disaster recovery running from several days to weeks and full restoration of information potentially taking years. The register assigns it a likelihood of 5-25% — labelled 'highly unlikely' — and a 'moderate' impact rating, with cited figures of up to 200 fatalities, up to 400 casualties, and costs reaching hundreds of millions of pounds.
The water-infrastructure scenario envisions a water company losing visibility and control of its operational technology (OT) systems, with major disruption to water and wastewater services for a large population taking months to recover and carrying both physical and mental-health consequences. The policing scenario describes compromised investigations, risks to staff safety, and reduced access to operationally critical intelligence, with the most severe effects lasting days and knock-on disruption lasting months. Both carry the same likelihood and impact bands as the data-centre case.
The starkest framing is reserved for a mass digital outage, which the register models as capable of shutting down communications, emergency services, transport, border control, financial systems, and broadcasting at once, alongside widespread failure of smart devices. Its assessed impact spans from moderate to catastrophic, with likelihood placed anywhere from 1% to more than 25%.
Continuation Context: The NCSC Warning, the UK Cyber Shield, and Five Eyes
The register update is best read as the latest beat in a sustained run of UK signalling. It follows the NCSC's assessment that hostile states are behind roughly three-quarters of the most serious threats to UK critical national infrastructure, and the government's launch of the 'Cyber Shield' agentic-AI defence plan and an industry Cyber Resilience Pledge. Together these frame a consistent message: that Britain's essential services face a threat environment its own agencies describe in increasingly serious terms.
That message has deeper roots in the NCSC leadership's identification of Iran, Russia, and China as the primary drivers of UK cyber threats, and it runs parallel to allied coordination captured in the Five Eyes statement on frontier-AI cybersecurity. Chief Secretary to the Prime Minister Darren Jones told parliament the register updates were warranted by the proliferation of AI and the growing dependence of critical infrastructure on IT and OT systems — an explicit link between the pace of AI-enabled cyber-attacks and the state's risk planning. Whether the register formally aligns with NATO threat-assessment frameworks was not stated.
Defender Takeaways for UK-Operating Organizations
For organizations operating in the UK, the register is a planning signal rather than a compliance mandate — but a consequential one. The scenarios the government chose to add map closely to sectors that boards and regulators will now expect to see reflected in resilience planning: data-centre and colocation dependencies, operational technology in essential services, and the concentration risk exposed by a single mass IT outage.
The most actionable read is to treat the named scenarios as a prompt to stress-test continuity assumptions. Operators of essential services should confirm they can maintain visibility and control of OT environments, validate disaster-recovery timelines against the register's 'days to weeks' and 'months' estimates, and revisit concentration risk in third-party IT and cloud providers. Mature vulnerability management and tested incident response programmes remain the foundation, and the government's forthcoming 'landmark national resilience campaign' — aimed initially at households — signals that resilience expectations are set to broaden across society.
None of this imposes a new obligation today. But the register establishes a reference point that customers, insurers, and regulators can cite, and organizations that align their planning to it now will be better positioned as voluntary framing hardens, over time, into expectation.
Open Questions
Several details remain unstated. The register names sector scenarios and assigns them likelihood and impact bands, but the reporting reviewed here does not attribute the modelled cyber-attacks to specific threat actors — and no such attribution should be inferred. Nor did the government state whether the assessment aligns with NATO threat-assessment frameworks, leaving that connection an open question despite the parallel with allied coordination.
Industry-association responses to the update had not been detailed at the time of reporting, and the shape of the promised national resilience campaign — its scope, timing, and whether it will extend beyond households to businesses and critical-infrastructure operators — remains to be defined. The register also stops short of prescribing controls; it is a risk-assessment instrument, not a regulatory one, so the practical obligations that may eventually follow from this framing are not yet on the table.
The CyberSignal Analysis
The reported facts above are the UK Government's, drawn from the National Risk Register and its reporting; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.
Signal 01 — Cyber Has Been Promoted to a Whole-of-Society Risk
The most durable takeaway is categorical, not technical. By modelling cyber-attacks on water, data, and policing systems next to pandemics and severe weather — and by reserving the word catastrophic for a mass digital outage — the government has formally placed cyber among the civil risks the state plans against at national scale. Our reading is that this reframing matters more than any single scenario's numbers: it signals that cyber resilience is now treated as public-safety infrastructure, not an IT concern.
For defenders, the implication is that resilience conversations will increasingly be driven from the top — by boards, regulators, and government campaigns — rather than only from within security teams. Expect the register's sector choices to shape where scrutiny lands first.
Signal 02 — The Named Sectors Are a Roadmap for Where Scrutiny Lands
The government did not add scenarios at random. Data centres, OT in essential services, and single-point IT concentration are precisely the dependencies that a modern economy cannot easily route around, and their selection tells defenders where official attention — and, in time, likely regulatory pressure — will concentrate. Our assessment is that operators in these sectors should read the register as an early indicator of the resilience questions they will be asked to answer.
The caution is not to over-read the specific fatality and cost figures, which are planning estimates for worst-case scenarios rather than forecasts. Their value is directional: they establish that the state now considers these impacts plausible enough to model, which is itself the signal worth acting on.
Signal 03 — Framing Now, Delivery Still Ahead
The register is a statement of where risk sits, not a plan for reducing it. The promised national resilience campaign is, for now, an announcement aimed at households; the harder questions — how essential-service operators will be supported or required to close the gaps the register identifies — remain unanswered. Our view is that the distance between this framing and any funded, enforceable delivery is the thing to track.
The forward-looking watch items are concrete: the scope and timing of the resilience campaign, whether the register's scenarios inform sector-specific regulation, and any formal tie to allied or NATO threat assessments. Until those materialize, the disciplined read is to note the elevated framing, align planning to the named sectors, and avoid treating a risk-assessment document as if it were a mandate.