On 17 June 2026, the National Cyber Security Centre (NCSC) announced that it had managed more than 200 cyber incidents affecting the United Kingdom’s critical national infrastructure (CNI) and its supporting ecosystem in the year to May. Roughly three‑quarters of those incidents were believed to be the work of hostile state actors.

Richard Horne, chief executive of the NCSC, delivered the figures at a lecture for the Royal United Services Institute. He said the agency had been handling an average of four nationally significant incidents a week, most of which could be traced back to governments rather than criminal hackers. Horne warned that the intelligence gathered today could be used for kinetic targeting in future conflicts, and that adversaries were “prepositioning” themselves across British critical infrastructure.

The NCSC’s assessment points to a shift in the threat landscape. Earlier this year the agency reported that it had dealt with 200 state‑sponsored attacks in the first five months of 2026, a rise from the 100 incidents recorded in the same period the previous year. The majority of those attacks were attributed to Russia, China and Iran, according to the NCSC’s public statements.

Horne highlighted the Volt Typhoon campaign as a clear example of how state‑linked actors can establish footholds within the technology that underpins critical infrastructure. Volt Typhoon, a Chinese advanced persistent threat group, has been linked to espionage and sabotage operations against U.S. infrastructure. The NCSC’s reference to the campaign signals that the UK is monitoring similar tactics aimed at its own systems.

The speech also marked a change in the NCSC’s language. For a decade the agency’s guidance, such as the Cyber Assessment Framework, framed cyber security in terms of risk management. Horne said the organisation now views cyberspace as a “contest” that must be fought, echoing NATO’s 2022 strategic concept that the domain is “contested at all times.” He argued that benchmarking defence against industry rivals is insufficient; instead, capability should be measured against the opponent’s strength.

Artificial intelligence was identified as a future amplification of the threat. A recent NCSC assessment judged it “highly likely” that by 2028 AI tools would be used to exploit known weaknesses in ageing technology across critical infrastructure. The agency has warned that AI could accelerate the speed and scale of attacks.

The NCSC’s findings come as the UK government moves to complete the Cyber Security and Resilience Bill, which will update the existing Network and Information Security Regulations. The bill is intended to compel improvements at operators of essential services and to strengthen the nation’s cyber defences. The government also plans to publish a new National Cyber Action Plan in early July.

Horne concluded that the UK is already “fighting” cyber conflicts today, and that the country must adopt a proactive stance. He urged that the public and private sectors treat the contest as a shared responsibility, noting that the only benchmark that matters is how capability compares to that of the adversary.

The NCSC’s disclosure underscores the growing importance of cyber resilience for the UK’s critical infrastructure. As the threat environment evolves, the government’s legislative and strategic responses will shape the nation’s ability to detect, deter and respond to state‑sponsored attacks.

The current situation remains under active investigation by the NCSC. The agency has not released detailed information on individual incidents, citing concerns that public disclosure could aid adversaries. The Cyber Security and Resilience Bill is expected to be enacted in the coming months, and the National Cyber Action Plan will provide further guidance on how the UK will strengthen its cyber defences.