DOI: https://doi.org/10.58248/RR99 

What is cyber resilience? 

In the 2026 Government Cyber Action Plan, the UK Government defined cyber resilience as “the ability of an organisation to maintain the delivery of its functions and services and ensure the protection of its data, despite cyber security events”. A “cyber security event” includes cyberattacks, use of ransomware, and data breaches. Cyber resilience is a broader concept than cyber security, which is “the practice of protecting IT systems and the data they hold from unauthorised access, interference, and use” (PDF). 

The Cyber Security and Resilience (Network and Information Systems) Bill, introduced to the House of Commons in 2024, aims to increase UK preparedness for cyber security events to more effectively protect the services the public rely on. The bill will reform and build on the existing Security of Network and Information Systems Regulations 2018. In May 2026, the Cyber Security and Resilience Bill was at report stage in the House of Commons. The bill was carried over from the 2024–26 session to the 2026–27 session.  

The National Cyber Security Centre (NCSC) leads the UK’s defence against cyber threats, including those from state actors, financially motivated criminals, politically driven ‘hacktivists’, or insiders working within an organisation. 

Why is cyber resilience important to the UK? 

Cyber resilience is important to the UK because it helps to protect critical services.  

In its Annual Review 2025, the NCSC reported that 204 of 429 identified cyber incidents were characterised as “nationally significant”. Nationally significant incidents cover incidents in the upper three categories of the NCSC severity model, which include “national cyber emergency”, “highly significant incident” and “significant incident”. 

A possible target for these attacks is critical national infrastructure (CNI). The UK Government has designated 13 sectors in which CNI operates, including transport, water, energy and defence. 

The government defines CNI as assets that, if lost or compromised, would result in:  

For more details, see POST’s research on Cyber resilience of UK digital infrastructure. 

How can artificial intelligence be used for cyber resilience? 

AI may be able to improve cyber resilience by: 

  • identifying unusual activity in a computer network and addressing threats in real time 
  • detecting evolving fraud patterns and flagging AI-generated phishing emails 
  • performing ‘predictive maintenance’, including anticipating system failures and detecting software vulnerabilities 
  • summarising incidents and recommending responses to security operations centres 
  • analysing third-party risks to vendor and supply chains using public data 

AI systems may be able to improve cyber resilience in these ways because they can use ‘machine learning’ to become very good at specific tasks with limited human oversight. Machine learning (ML) is where “computer systems find patterns in data without having to be explicitly programmed by a human”. ML can ‘train’ AI agents on a dataset. These ‘agents’ are given a goal, authority, and autonomy to act without human operators.

Although AI has the potential to improve cyber resilience, advances in AI can also pose new cyber risks. The World Economic Forum described AI as a “double-edged sword” due to these defensive and offensive capabilities. 

How can ‘edge AI’ be used for cyber resilience? 

An ‘edge device’ is a piece of hardware such as a smartphone or laptop that transmits data between a local computer network and the cloud. ‘The cloud’ refers to servers that store information and are accessible via the internet. ‘The cloud’ can also refer to the software and databases that run on the servers.  

‘Edge AI’ refers to AI models that run on edge devices (see figure 1 below).  

Because edge AI makes decisions locally, it removes the need to send the data to a remote server to be processed. A remote server is a computer that is often far away from the data source. Remote servers are generally found in data centres.

A diagram of a possible edge AI structure. It shows edge computers closer to their use cases than the cloud.  The use cases are represented by diagrams of cars for smart transport, hospitals for health, and factories for manufacturing uses.
Figure 1: a representative diagram of the Edge AI structure by the National Edge AI Hub

Edge AI can enhance privacy by keeping data on a device that operates offline, removing the need to transmit large quantities of data and the reliance on central servers. It is useful for protecting CNI because it can allow facilities to act locally when networks are compromised. Edge AI can also be used to simulate cyber incidents to train AI and increase preparedness. 

Data centres are:  

Edge AI runs on less energy than servers, and could reduce strain on data centres by localising tasks. For example, Edge AI is used in the energy industry to optimise energy production, distribution and consumption. It is integrated into local networks to provide real-time insights faster than the cloud. 

However, Edge AI has limitations compared with AI that runs on the cloud. It relies on the specifications of the hardware that it runs on, and is typically less well equipped to handle larger workloads with greater complexity.

Challenges to improving cyber resilience in the UK 

There are several challenges to improving cyber resilience in the UK, including legacy infrastructure, the threat from ‘frontier AI’, questions about AI sovereignty, and a lack of AI skills.  

Legacy infrastructure  

‘Legacy technology’ refers to IT infrastructure, systems and hardware that are outdated, difficult to update, and at high risk from attack. In 2024, 28% of the UK public sector’s IT estate was reported as “risky legacy” systems.

The government plans to reduce dependency on legacy technology and has said that it has defined priority actions for 2026. The National Audit Office has said that efforts to replace legacy infrastructure in the public sector are impeded by challenges including cultural barriers, skills gaps, high costs and fragmented responsibilities. The 2025 ‘State of digital government review’ found that funding decisions typically prioritised programmes with short-term, predictable returns, often at the expense of longer-term resilience and security. 

Modernisation may enable AI to be more widely integrated into IT infrastructure, which could improve cyber resilience. However, experts advise proceeding with caution as AI cannot modernise legacy software by itself, and errors could have “severe, real-world impact[s]”.  

Frontier AI 

In 2025, the NCSC said “AI will almost certainly continue to make elements of cyber intrusion operations more effective and efficient”. It said this could lead to “an increase in frequency and intensity of cyber threats”.  

A challenge for the UK is keeping pace with the cyber threats from AI as it develops. AI systems can “exacerbate known security risks and make them more difficult to manage”. For example, in April 2026, the UK Government’s AI Security Institute evaluated the preview of Anthropic’s Claude Mythos model to be “capable of autonomously attacking small, weakly defended and vulnerable enterprise systems”. The assessment prompted an open letter to business leaders on AI cyber threats from the Department for Science, Innovation and Technology (DSIT) and the Cabinet Office. 

Sovereignty 

The World Economic Forum defines digital, cyber, technological and data sovereignty as “the ability to have control over your own digital destiny – the data, hardware and software that you rely on and create.” Sovereignty is closely linked to cyber resilience, as control over AI and further digital services is considered essential for security. 

AI sovereignty aims to “preserve the ability to make strategic choices about how AI is developed and deployed within national borders”. In the UK, debates around digital sovereignty arise from the “potential national security risks of Chinese technologies, and the market power of major US tech companies”. 

UK Sovereign AI, announced in the government’s AI Opportunities Action Plan 2025, was established to collaborate with the private and academic sectors to support the growth of new and existing AI companies. The government has provided UK Sovereign AI with £500 million to invest in UK AI projects, with early-stage investments of up to £20 million. 

Concerns have also grown over the UK’s dependence on US technology giants, which account for about two thirds of the European cloud market. This includes an investigation into Microsoft by the Competition and Markets Authority as hundreds of thousands of UK businesses and public sector organisations use its business software every day. 

The UK hosts over 520 data centres, and this continues to grow. Data connected to CNI is stored in UK data centres, and UK control of this data without it being stored overseas is defined by the Data Protection Act 2018. Some commentators say focusing on a ‘sovereign cloud’ in which “data is stored and managed entirely within the UK, under UK law” may help. 

AI skills 

Understanding AI concepts and algorithms is a “critical” skills gap in the UK workforce. Skills England identified that the level of AI skills, technical capabilities and literacy varies depending on sector, with various AI skill gaps across sectors.

AI skills in the workforce are important for the UK’s future use of AI for cyber resilience. In 2024, the Alan Turing Institute published the AI Skills for Business Competency Framework, which said most UK citizens need to develop basic data skills and an understanding of the opportunities and risks associated with AI technologies.  

What is the government’s approach to AI regulation? 

In February 2024, the UK Government introduced a “pro-innovation approach” to AI regulation. It said it aimed to encourage the “immense benefits” of AI technologies through a “strong pro-safety approach”.  

The government accepted all 50 recommendations from the 2025 AI Opportunities Action Plan, including mitigating “the sustainability and security risks of AI infrastructure”.  

The government’s AI Safety Institute aims to evaluate AI models to ensure “foundational safety and societal resilience research”. 

The voluntary Code of practice for the cyber security of AI, published by DSIT, has 13 principles, which include encouraging stakeholders to “raise awareness of AI security threats and risks” and to design AI systems “for security as well as functionality and performance”.  

Acknowledgements 

Joe Murphy is a Parliamentary Office of Science and Technology (POST) fellow, Varuna De Silva is the Parliamentary Thematic Research Lead for AI and Digital, and Sarah Bunn is Head of the Science, Digital and Technology Hub in the UK Parliament.  

Questions about this briefing should be referred to Simon Brawley, who acted as POST lead for this work.  

POST would like to thank the following people for kindly giving up their time during the preparation of this article:  

  • Professor Rajiv Ranjan, National Edge AI Hub, Newcastle University  
  • Professor Savvas Papagiannidis, Newcastle University  
  • Dr Jennifer Williams, University of Southampton  
  • Professor Carsten Maple, University of Warwick 
  • Professor Shishir Nagaraja, Newcastle University School of Computing 
  • Professor Dhavalkumar Thakker, University of Hull 
  • Professor Leslie-Anne Duvic-Paoli, King’s College London 
  • Professor Ruth Lamont, University of Manchester 
  • Gaurav Kaushik, National Edge AI Hub