The state threats outlined in the 2025 National Risk Register focus on risks posed by hostile states and their potential impact on critical national infrastructure (CNI), financial systems, and communications networks. Key findings include:
- Cyber Attacks on Financial Systems: State and non-state actors could target financial market infrastructures (FMIs) and retail banks, leading to system failures, data breaches, and prolonged outages. Such incidents risk eroding public confidence in financial systems, disrupting transactions, and causing economic instability. Recovery from these attacks could take weeks to months, depending on the severity.
- Disruption of Critical Infrastructure: Malicious attacks on telecommunications, such as transatlantic cables or space-based systems, could severely impact data communication, government operations, and emergency services. These risks, while low in likelihood, have significant consequences, including economic losses and interruptions to essential services like energy and transport.
- Economic and Strategic Risks: The report emphasizes the potential consequences of geopolitical conflicts and economic vulnerabilities. Examples include the UK’s integration with European energy markets, where supply disruptions or price volatility could result from global or regional tensions, including threats to global oil trade routes.
In response, robust incident management frameworks and recovery plans, such as the UK’s Authorities’ Response Framework (ARF), are critical to mitigating the effects of these threats. The focus remains on resilience-building and safeguarding national security.
“The National Risk Register is the external [published] version of the [internal, classified] National Security Risk Assessment which is the government’s assessment of the most serious risks facing the UK.”
In 180 pages, the NRR describes significant risks, threats and hazards categorized as: terrorism; cyber; state; geographic and diplomatic; accidents and systems failures; natural and environmental [plus] human, animal and plant health; societal; or conflict and instability. Each risk is described as a ‘reasonable worst case scenario’, most with plots of estimated probabilities over 2 years (if malicious) or 5 years (benign) against domestic impacts, along with the necessary response and recovery activities.
The introduction by Pat McFadden, chairman of the UK Cabinet resilience committee, refers to recent and current incidents, not just in the UK (e.g. CrowdStrike and US wildfires), emphasising resilience at a national level. [NIS 2, in contrast, concerns resilience both nationally and internationally across Europe, acknowledging the regional and in fact global nature of shared infrastructure, supply chains and threats.]
Pat concludes the intro with a call to action: “I encourage all risk and resilience professionals to consider the risks in this publication, and join our collective endeavor to make the UK more prosperous and resilient.” Hopefully we are doing more than ‘consider’, for example comparing and contrasting our corporate risk registers, priorities and actions against the NRR, and adopting a similarly dynamic risk management approach with frequent updates rather than the usual once-a-year.
To review the complete UK risk register 2025 report: National Risk Register 2025 edition