Daniel Shiu, chief cryptographer at Arqit says the figures highlight how technological progress and security risk are now advancing hand in hand.
“We are in a period of rapid technological progress that is also creating substantial security upheaval,” he said.
“Attacks are growing in frequency and severity, and the unfortunate reality is that this trend will continue in the years ahead. Organisations need to understand that resilience depends on more than reacting quickly to incidents. It starts with knowing where the weaknesses lie within their own systems.”
Shiu argues that the foundations of digital resilience lie not only in threat response but in the integrity of the systems themselves.
“Identifying weaknesses in how data is protected and managed is just as important as defending against external threats,” he added. “Building that awareness into the foundation of digital infrastructure is what will ultimately define resilience in the years ahead.”
The NCSC handled 204 nationally significant cyber incidents in the 12 months to August 2025, up sharply from 89 the previous year. Within that, 18 cases were deemed “highly significant”, meaning they posed risks to critical national services, government or major economic activity.
Analysts indicate that the surge reflects a perfect storm of rising digital dependence, escalating geopolitical tension and the expanding attack surface created by AI and cloud-based technologies.
The UK’s public sector, supply chains and major corporates have all been affected, with incidents disrupting manufacturing, retail and logistics.
The scale of the threat has prompted renewed calls for leadership-level engagement on cybersecurity. The NCSC is urging boards and C-suite executives to treat cyber resilience as a strategic imperative rather than an IT problem.
This message is particularly pertinent as the UK government prepares new legislation to strengthen reporting duties and resilience obligations across critical sectors.
The UK’s escalating cyber threat is therefore more than a warning sign and becomes more of a test of national and corporate resilience. As Shiu puts it, the question is no longer whether organisations can repel every attack, but whether their systems are strong enough to withstand them when they inevitably come.
RELATED STORIES
Arqit: Building quantum-safe networks for the telecom era
Datacloud USA keynote Quantum is coming: Why data centres can’t afford to ignore it
Capacity Europe 2026
The 24th anniversary edition of Capacity Europe 2025 will bring together 3,500+ decision-makers from the global connectivity and digital infrastructure community.
