The NCSC’s 2025 Annual Review found a 50% increase in highly significant cyber incidents. Their new message, 'It’s time to act', asks organizations to stay prepared. 
On October 14, the UK’s National Cyber Security Centre (NCSC) published their ninth edition of their Annual Review, covering the department’s key developments and milestones between September 1, 2024 and August 31, 2025. The review is meant to “describe the year with insights and facts from colleagues inside and out of the organisation”, while still setting the stage for future challenges.
The review covers a long list of the NCSC’s actions over the past year in a detailed timeline, including the expansion of a free PDNS cyber resilience program to include UK schools in October 2024, the counter ransomware consultation launched in January (which led to a ban on ransomware payments), and their response to the major incidents against Marks & Spencer, Co-op Group, and Harrods. The timeline also reviews news, campaigns, speeches, alerts and attributions over the 12 month period. This is followed by the first of three chapters - ‘countering the cyber threat’ - whose findings have dominated the headlines.
In the reporting period, the NCSC Incident Management Team (NCSC IM) received 1,727 tips from partners on victims of cyber incidents, which they aggregated into 429 incidents. Nearly half of these incidents (204) were nationally significant meaning they could be categorized as a ‘significant incident’, a ‘highly significant incident’, or a ‘national cyber emergency’. This was a considerable increase from the prior year’s count of just 89. Out of the 429 incidents, 18 (or 4%) were considered ‘highly significant’, resulting in “a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy.” This number was a 50% increase from last year, and is part of a larger trend of more critical cyber attacks in the past three years.
Ransomware continued to make up a portion of the cyber incidents over the past year. While ransomware attacks on key areas of critical infrastructure, like healthcare, were likely the main drivers behind the earlier consultation to counter ransomware, these groups were not as heavily affected, according to the review. The industries that reported the most ransomware were academia, finance, engineering, retail and manufacturing. Still, the review makes note that “no sector (and no organisation) is exempt from this threat.” This warning is the same sentiment that underscores the announcement of the payment ban in July, where Security Minister Dan Jarvis condemned the malware as “a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on.”
The review attributes the rise in severe incidents to several factors, including vulnerabilities in legacy systems being exploited by cyber actors. Vulnerabilities in Microsoft SharePoint Server products, Ivanti Connect Secure, Policy Secure & ZTA Gateways, and Fortinet FortiManager were connected to 29 incidents the NCSC had to address. On top of these vulnerabilities, state actors are using cyber capabilities to start conflict. Like the US, the UK faces attacks from China (like Flax Typhoon and Salt Typhoon), Russia, Iran and North Korea.
Perhaps the fastest growing threat comes from Artificial intelligence (AI), which has made it much easier for threat actors on all technical levels to levy attacks. The UK has been monitoring AI development for a while, with a formal cyber threat assessment being released during the last reporting period (January 2024). While that first examination made some predictions about AI use that have come true - like using large language models (LLMs) to improve their phishing and social engineering attempts - AI has advanced so quickly that the latest tactics have only been identified in the last year and a half: “security researchers have identified new techniques that exploit AI, including fully automated spear-phishing campaigns, hijacking cloud-based LLMs, automating post-breach attack stages and data exfiltration.”
In the face of these threats, the review emphasizes the need for collaboration, specifically saying that “sharing communities need to be deeper, faster and more actionable, sharing data and insight at speed, driving quicker evidence-based decision making.” In fact, information sharing was key to the development of the review, as the tips came from partner organizations as well as people who experienced the attacks firsthand. The “NCSC IM treats all reports in confidence”, even though the reporting of a breach is not mandatory, likely limiting the accuracy of the NCSC’s count. Regardless, the guarantee that information shared with the NCSC remains confidential is a good example of support for cyber intelligence sharing (something that may no longer exist in the US with the end of CISA 2015).
The next chapters, ‘resilience at scale’, and ‘keeping pace with evolving technology’, also provide more guidelines for preventing cyber incidents and limiting their impact. NCSC recommends that organizations build “a positive cyber security culture” and have extensive preparation for an attack, for one key reason: “The question is no longer if your organization will face a cyber incident, but when. The time to act is now.”
The report highlighted a series of tools the NCSC created, like the Cyber Governance Training programme, a new Cyber Action Toolkit, and Cyber Essential to help organizations deal with cybersecurity proactively instead of retroactively. Preparation, CEO of the NCSC, Richard Horne says, is a critical necessity in the 2025 Annual Review: “Nobody wants to believe their business could grind to a halt following a cyber attack. But any leader who fails to prepare for that scenario is jeopardising their business’s future… some organisations – ones with well-thought-through plans for continuity and recovery already in place – respond well to disruptive cyber attacks. This is what all organisations should aspire to, because almost every business depends on technology to function.”