Summary
- DSIT has published research on cyber risks emerging from English local councils’ digital projects.
- The study links cyber weakness to sensitive data, digital infrastructure, and service continuity.
- Local-government resilience is becoming a delivery problem as councils digitise under financial and supplier pressure.
The Department for Science, Innovation and Technology has published research into the cyber risks emerging from English local councils’ digital projects, underlining how local-government modernisation can expand exposure to attacks, outages, and data compromise.
The study, titled The changing cyber threat profile and potential impact on local councils, examines risks affecting digital infrastructure and services. It draws on desktop research and direct engagement with councils, and forms part of the government’s wider work to understand cyber threats and improve resilience across the economy.
Local councils are not peripheral digital organisations. They run services touching housing, social care, planning, benefits, waste, local taxation, licensing, education support, and community safety. They hold sensitive personal data, operate legacy systems, depend on suppliers, and are often expected to digitise services while managing constrained budgets.
That combination makes cyber resilience part of public-service delivery. Weaknesses in council systems can expose personal data, interrupt services, delay payments, disrupt care pathways, and create recovery costs that local authorities can ill afford. The harm is not confined to IT teams; it reaches residents who depend on local services and staff who have to operate around broken systems.
Councils are using more digital platforms to manage casework, automate workflows, improve online access, and integrate data across departments. Those projects can improve efficiency, but they also add dependencies. Cloud services, managed service providers, identity systems, APIs, shared platforms, remote access tools, and data-sharing arrangements all create points of exposure if they are not governed properly.
Local government has a particular cyber challenge because its operating model is fragmented. A large county council, a small district council, and a unitary authority may face similar threats but have very different budgets, skills, supplier relationships, and technical debt. National guidance can help, although implementation capacity varies sharply.
Supplier risk is one of the central issues. Councils rely on technology vendors for line-of-business applications, hosting, payments, contact centres, case management, and citizen-facing portals. A weakness in one supplier can affect many councils, while contractual visibility into security controls is not always strong. Procurement teams may also struggle to assess cyber risk when cost pressure dominates buying decisions.
The research should be read alongside the government’s Cyber Action Plan and the pressure to raise standards across public services and digital supply chains. Central government can set direction, but local authorities need practical support: funding, shared services, incident response capability, asset visibility, supplier assurance, and access to skilled security staff.
AI will add another layer. Councils are likely to experiment with AI tools for customer contact, summarisation, benefits administration, social-care triage, planning documents, and internal productivity. Those tools may improve throughput, but they also introduce risks around data leakage, prompt injection, model governance, and supplier dependency. Cyber resilience cannot be bolted on after digital transformation has already spread across the service.
Public-sector cyber risk is often discussed through large national incidents, yet much of the exposure sits in everyday services, legacy applications, outsourced systems, and local data flows. A council’s ability to withstand attack is now part of its ability to deliver housing support, social care, payments, and democratic services.
Local government needs more than awareness campaigns. Cyber risk has to become a managed operational discipline, with clear ownership, realistic funding, better supplier controls, and plans that assume incidents will happen. Digital public services cannot be resilient if the institutions running them are treated as low-margin endpoints in a national infrastructure chain.










