UK adds AI cyber and election risks to national register

TL;DR:

  • The government has added seven new risks to the National Risk Register, including cyber attacks on data, water and police infrastructure, and interference in the UK’s democratic process.
  • A new “digital resilience failure” risk draws on lessons from the 2024 CrowdStrike outage; the threat of disruption to Russian gas supplies has been removed.
  • The update accompanies the first Annual Statement on National Resilience to Parliament.

AI has moved onto the UK’s formal register of things that could go badly wrong. The government has added seven risks to the National Risk Register — the public-facing version of the National Security Risk Assessment — including cyber attacks on data, water and police infrastructure, and interference in the democratic process. It is a bureaucratic step with real signalling weight: AI threat has graduated from ministerial speeches to the document that shapes how Whitehall plans.

What changed, and what left

The update was published alongside the first Annual Statement on National Resilience to Parliament, delivered by chief secretary to the Prime Minister Darren Jones. The democratic-interference entry follows measures tightening checks on company and overseas donations. A new “digital resilience failure” risk draws on the 2024 CrowdStrike outage. One risk was removed: disruption to Russian gas supplies, reflecting reduced UK reliance.

“It is right that we consistently evaluate the risks we could face and plan for what may come,” Jones told Parliament, adding that “AI offers new ways for criminals to carry out cyber-attacks against us, as well as offering huge opportunities for our economy and security.”

The numbers behind the entry are not speculative. The National Cyber Security Centre reported 204 significant cyber incidents to September 2025, more than double 2024’s 89, with attacks on Marks & Spencer, the Co-op and Jaguar Land Rover showing how quickly an incident becomes a business-interruption loss. The register lands alongside January’s Government Cyber Action Plan, backed by more than £210 million, and the Cyber Security and Resilience Bill extending obligations to critical suppliers.

For insurers it formalises a picture already shaping underwriting. Munich Re values the UK cyber insurance market at $1.75 billion in 2025, forecasting $2 billion in 2026, while the PRA prepares a consultation on captive insurance for bespoke cyber cover and operational resilience rules take effect from March 2027.

The register also gives official form to a warning UK institutions keep repeating from different directions — the Bank of England naming AI a financial stability risk, the ECB ordering banks to plan for AI cyberattacks. What was a supervisory concern is now a national planning assumption.

Looking forward

Mayors will take on a formalised emergency response role under a consultation on the Civil Contingencies Act 2004, and Jones confirmed the Home Defence Programme will run Operation ALBISTON SHADOW in 2027 — the largest home defence exercise in decades, testing preparedness for hybrid attacks. For UK businesses, the register is a reasonable proxy for where regulatory attention travels next.