Summary
- The UK’s 2026 National Risk Register adds risks covering democratic interference, digital resilience failure, and cyber attacks on critical systems.
- Data infrastructure, water infrastructure, and police systems are now explicitly included in national risk planning.
- The update reflects a broader shift in resilience policy, where technology failures are treated as public safety, economic, and governance risks.
The Cabinet Office has put digital resilience failure, democratic interference, and several new cyber risks into the UK’s official national risk planning, giving technology disruption a more formal place in the machinery used to prepare for major emergencies.
The 2026 National Risk Register adds seven risks, including cyber attacks on data infrastructure, water infrastructure, and police systems. It also introduces digital resilience failure, drawing on lessons from the July 2024 global IT outage that disrupted airlines, banks, healthcare providers, broadcasters, and businesses after a faulty CrowdStrike software update affected millions of Windows machines.
Democratic interference has also been added to the register, covering threats such as election interference, disinformation campaigns, and foreign influence operations. Although the document is designed for resilience planning rather than political commentary, the inclusion shows how cyber operations, information manipulation, and infrastructure disruption now sit inside the same national security conversation.
The UK has long treated cyber attacks as serious threats, but the new register gives more definition to the systems at risk. Data infrastructure is no longer an abstract dependency behind digital services. Cloud platforms, networks, datacentres, identity systems, public databases, logistics software, and outsourced service providers now sit behind much of the economy and the state.
Water and police systems make the same point in operational terms. If a cyber attack prevents water infrastructure from being monitored, managed, or repaired, disruption can move quickly from IT failure to public health and service continuity. If police systems are compromised, the consequences can reach emergency response, investigations, evidence handling, safeguarding, and public confidence.
Digital resilience failure is a different kind of risk because it does not require a hostile actor. Software defects, supplier outages, cloud failures, misconfigured updates, authentication problems, and concentration in widely used technology providers can all create disruption without a deliberate attack. Many organisations still separate cybersecurity from operational resilience, even though the public impact of a major outage can look similar.
The register adds weight to an argument that has been building across regulation, insurance, and procurement. Resilience cannot be treated as a narrow technology control owned by IT departments. Boards, finance teams, procurement officers, risk committees, and service owners need to understand which systems are critical, who operates them, how updates are governed, and how work continues when digital services fail.
The same pressure is visible in financial services, where regulators have tightened operational resilience rules and are taking a closer interest in critical third party technology providers. It is also visible in the public sector, where digital service reform has often depended on cloud migration, shared platforms, outsourced delivery, and data integration. Those choices can improve capability, but they also create new points of dependency.
Supplier concentration is likely to become a harder policy question as the register is absorbed by local resilience forums, infrastructure operators, emergency planners, and regulated industries. A single software provider, cloud platform, identity service, or managed service provider can sit behind thousands of organisations. When those suppliers fail, individual continuity plans may offer only partial protection because disruption spreads through the same shared technology layer.
The register does not prescribe the technical fixes, but it changes the policy frame around digital systems. They are not only tools that make public services and businesses more efficient; they are part of the operating environment that determines whether essential services continue during stress. Procurement, regulation, incident exercises, and funding decisions will now have to catch up with that classification.










