DSIT takes responsibility for government cyber resilience

In a written statement to Parliament yesterday, Prime Minister Keir Starmer announced that responsibility for government and public sector cyber security will move from the Cabinet Office to the Department for Science, Innovation and Technology (DSIT). 

The machinery of government change, which became effective immediately, is intended to “strengthen technology resilience and policymaking across the public sector, by better integrating cyber security responsibilities and expertise into the Government Digital Service”.

The move is part of the government’s strategy of establishing the digital centre of government within DSIT (see Digital centre of government starts to take shape). In January 2025 that digital centre, now called the Government Digital Service, was created by bringing together teams from the earlier Government Digital Service (GDS), Central Digital and Data Office (CDDO), Incubator for Artificial Intelligence (i.AI), Geospatial Commission, and parts of the Responsible Tech Adoption Unit (see A Blueprint for a Modern Digital Government). 

Until yesterday, responsibility for the oversight, coordination and delivery of cyber security within government remained with the Cabinet Office. This includes the Government Security Group (GSG), which leads the government’s security function and is responsible for the implementation of the Government Cyber Security Strategy: 2022–2030.     

The change follows a damning series of reports highlighting the precarious state of cyber resilience in the public sector. In May 2025, the Public Accounts Committee (PAC) warned that the UK's cyber resilience has been outpaced by hostile states and criminals (see UK government cyber resilience lagging behind). This followed the National Audit Office report in January 2025, which pressed for urgent action to build capabilities and defences against a rapidly increasing and evolving cyber threat (see NAO: Government must act now to build cyber resilience). 

Placing responsibility for cyber under DSIT makes sense. It should create a more cohesive approach to technology resilience, improving departmental coordination and helping drive policy implementation. However, the move is not a panacea for the significant gap that exists between cyber threat and the government’s ability to respond to that threat. Fundamental challenges such as the cyber skills shortage, inadequate funding models, poor governance, the lack of cyber expertise at executive levels across departments, and the scale of the government’s reliance on outdated technology remain. Addressing these persistent issues will require far greater prioritisation, urgency and investment if the government is to avoid a catastrophic cyber attack. 

Posted by: Dale Peters at 10:10

Tags: policy   government   digital   cyber   gds   resilience