Anne Keast-Butler picked Bletchley Park to deliver a speech that did three things at once. She named Russia and China explicitly, she said the UK had a "narrowing window" to stay ahead of hostile powers in technology, and she announced that GCHQ has produced a blueprint for a national cyber defence built on agentic AI, with a five-year horizon to make it real. The set piece will be remembered for the venue and the China line. The part worth reading carefully is the blueprint, because the route to it runs through the supply chain into critical national infrastructure, and a lot of that supply chain is small UK businesses.
What she actually said
The threats Keast-Butler named were not abstract. Russia, she said, is "relentlessly targeting critical infrastructure, democratic processes, supply chains and public trust", with examples including attacks on Polish energy infrastructure. China was described as "a science and tech superpower with sophisticated capabilities across their intelligence, cyber and military agencies". The phrase she repeated was that "the ground beneath our feet is shifting" because of AI. Her ask of the country was that cyber security become "10 times more urgent".
The constructive half of the speech was the national cyber shield. GCHQ has, in her words, "developed the blueprint for a new national cyber defence capability that will hardwire cutting-edge agentic AI into machine-speed cyber defence". The five-year target is to have it operational. Critical national infrastructure is the named scope: energy, water, healthcare, transport, financial services. The plan calls for collaboration with AI companies, UK tech firms, and universities, coordinated through the Cabinet Office and the National Cyber Force.
Strip the announcement language away and the strategy is recognisable. The UK is going to spend public money on AI-driven defence capability, and it is going to use the procurement process for critical infrastructure as the lever to drag the supply chain up to a higher standard. That is the lever any government has. The Cyber Security and Resilience Bill, which we covered when it landed, is the legislative half of the same lever.
What it signals for SMEs
If you sell into the energy, water, healthcare, transport, or financial-services sectors, even at one or two removes, your customers' procurement teams are about to feel pressure they will pass on to you. None of this happens overnight. But the direction of travel is now public, the timeline is five years, and procurement cycles are long. The next contract renewal is the moment the requirements get added.
Three things are likely to shift over the next twelve to eighteen months.
A higher floor for supplier security. What used to be "Cyber Essentials and a half-decent backup story" is becoming "Cyber Essentials Plus, a vulnerability process you can describe in numbers, and a clear answer on what AI you use and how". Our filing on what Cyber Essentials actually involves covers the basics. The Plus version, with a third-party assessor, is where most SME suppliers will land.
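"A vulnerability process you can describe in numbers" usually comes down to two figures per severity: how long fixes take, and what share of findings close inside the window you committed to. The script below is an added example, not something from the speech, GCHQ, NCSC or Steelwise. The findings and the SLA targets are constructed, and the choice of metrics (median days to fix, percentage within target, open findings already past target) is the author's own suggestion of what a questionnaire answer might contain.

```python
"""Summarise a vulnerability log into per-severity figures for a supplier
security pack. Added example; the findings and SLA_DAYS targets below are
constructed and should be replaced with your own records and commitments."""
from datetime import date
from statistics import median

# Assumed remediation targets in days per severity (not from any standard).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed findings: (id, severity, date found, date fixed or None if still open).
FINDINGS = [
    ("V-1", "critical", date(2025, 1, 6), date(2025, 1, 10)),
    ("V-2", "critical", date(2025, 2, 3), date(2025, 2, 28)),
    ("V-3", "high", date(2025, 1, 20), date(2025, 2, 12)),
    ("V-4", "high", date(2025, 3, 1), None),
    ("V-5", "medium", date(2024, 12, 2), date(2025, 2, 20)),
    ("V-6", "medium", date(2025, 2, 14), date(2025, 3, 30)),
    ("V-7", "low", date(2025, 1, 15), date(2025, 3, 1)),
]


def summarise(findings, sla=SLA_DAYS, as_of=date(2025, 4, 1)):
    """Return {severity: {...}} with the numbers a questionnaire tends to ask for.

    Open findings are aged up to `as_of`, so a long-open finding drags the
    median up rather than disappearing from the statistics.
    """
    summary = {}
    for sev, target in sla.items():
        rows = [f for f in findings if f[1] == sev]
        if not rows:
            continue
        ages = [((fixed or as_of) - found).days for _, _, found, fixed in rows]
        closed_in_time = sum(
            1 for _, _, found, fixed in rows
            if fixed is not None and (fixed - found).days <= target
        )
        open_past_target = sum(
            1 for _, _, found, fixed in rows
            if fixed is None and (as_of - found).days > target
        )
        summary[sev] = {
            "total": len(rows),
            "open": sum(1 for f in rows if f[3] is None),
            "median_days": median(ages),
            "within_sla_pct": round(100 * closed_in_time / len(rows)),
            "open_past_sla": open_past_target,
        }
    return summary


if __name__ == "__main__":
    for sev, stats in summarise(FINDINGS).items():
        print(f"{sev:<9} total={stats['total']} open={stats['open']} "
              f"median={stats['median_days']}d within_sla={stats['within_sla_pct']}% "
              f"open_past_sla={stats['open_past_sla']}")
```

The point of aging open findings to `as_of` is that a questionnaire answer built only from closed tickets flatters the process; the open-past-target count is the number an assessor will ask about first.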
A shorter notification clock. Operational-resilience rules already require some firms to notify the regulator quickly. The Cyber Security and Resilience Bill, which we covered separately, brings the same pattern to a wider set of providers and their suppliers. Expect to see contractual notification windows of 24 or 72 hours appear in contracts that previously did not name a window at all.
A genuine question about the supply chain of your supply chain. The Russia and China sections of the speech were not idle. The diligence question "where does your software come from and who maintains it" will increasingly be expected to have a real answer. SBOM, the software bill of materials, is the technical answer. The business answer is a clearer list of who you depend on and what your fall-back is if one of them disappears.
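An SBOM only answers the diligence question once someone turns it into the "who do we depend on" list. The script below is an added example, not code from the page, GCHQ, NCSC or Steelwise: it reads a constructed CycloneDX-style SBOM, lists each component with its supplier, flags components nobody is named as maintaining, and picks out suppliers that several components rest on. The field names used (`bomFormat`, `components[].name`, `version`, `purl`, `components[].supplier.name`) follow the CycloneDX JSON format as the author of this example understands it; the component and supplier names are fictional.

```python
"""Turn a CycloneDX-style SBOM into a dependency inventory for a supplier
security pack. Added example; the SBOM and all names in it are constructed,
and the field layout is assumed to match CycloneDX JSON (verify against the
spec version your tooling emits)."""
import json
from collections import Counter

# Constructed SBOM. Supplier names and packages are fictional.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "webclient", "version": "2.3.1",
         "purl": "pkg:pypi/webclient@2.3.1",
         "supplier": {"name": "Acme Open Source Collective"}},
        {"type": "library", "name": "tlsutils", "version": "1.9.0",
         "purl": "pkg:pypi/tlsutils@1.9.0",
         "supplier": {"name": "Acme Open Source Collective"}},
        {"type": "library", "name": "leftpad-shim", "version": "0.1.0",
         "purl": "pkg:npm/leftpad-shim@0.1.0"},
        {"type": "library", "name": "internal-auth-lib", "version": "3.2.1",
         "supplier": {"name": "Example Ltd (in-house)"}},
        {"type": "application", "name": "helpdesk-saas", "version": "2024.6",
         "supplier": {"name": "Example Helpdesk Vendor"}},
    ],
})


def load_components(sbom_text):
    """Parse the SBOM and return its component list, rejecting other formats."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return sbom.get("components", [])


def inventory(components):
    """One row per component; supplier is None when the SBOM names nobody."""
    rows = []
    for comp in components:
        supplier = (comp.get("supplier") or {}).get("name")
        rows.append({
            "name": comp.get("name"),
            "version": comp.get("version"),
            "purl": comp.get("purl"),
            "supplier": supplier,
        })
    return rows


def unattributed(rows):
    """Components with no named supplier: the gaps to close before a questionnaire."""
    return sorted(r["name"] for r in rows if r["supplier"] is None)


def dependency_counts(rows):
    """How many components rest on each supplier."""
    return Counter(r["supplier"] or "<unattributed>" for r in rows)


def concentration_risks(rows, threshold=2):
    """Suppliers that `threshold` or more components depend on.

    The threshold is an assumption; the business question behind it is the
    page's own: what is the fall-back if this one supplier disappears?
    """
    counts = dependency_counts(rows)
    return sorted(s for s, n in counts.items()
                  if s != "<unattributed>" and n >= threshold)


if __name__ == "__main__":
    rows = inventory(load_components(SAMPLE_SBOM))
    for r in rows:
        print(f"{r['name']:<20} {r['version']:<10} {r['supplier'] or 'UNATTRIBUTED'}")
    print("unattributed:", unattributed(rows))
    print("concentration risks:", concentration_risks(rows))
```

The two lists at the bottom are the ones worth carrying into the written security pack: the unattributed components are where "who maintains it" has no answer yet, and the concentration list is where the fall-back question needs a written answer.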
The bit not to get wrong
There is a natural temptation to read a five-year plan and assume the deadline is in five years. It is not. Five years is when the system is meant to be operational. The procurement requirements, the certification expectations, and the diligence questions land much earlier, because they are the route to the operational system. The UK Government has done this before with cloud and with the Crown Commercial Service frameworks. The shape is familiar.
The corresponding temptation for an SME is to assume the new requirements are someone else's problem. The line about Russian attacks on Polish energy infrastructure was deliberate. Critical infrastructure supply chains include the accountant who holds a CNI client's records, the payroll provider who pays its staff, the legal firm that drafts its contracts, and the SaaS vendor who runs its internal helpdesk. The blast radius of any of those being compromised reaches the customer the regulator cares about. That is why the questions will reach you.
What to actually do this quarter
If your customer list includes a name in energy, water, healthcare, transport, financial services, defence, or the public sector itself, three pieces of preparation are worth doing now.
Find out what tier of supplier you are. Some CNI operators have tiers, with different security expectations at each. Asking your client account contact "what tier are we" produces an honest answer most of the time. The answer tells you which standard you will be measured against next year.
Write the short version of your security story. A two-page document covering: your Cyber Essentials status, your backup and recovery posture, your incident-response runbook, the data you hold for the customer, and the suppliers you depend on to deliver the service. This is the document that goes back when procurement asks. Having it ready beats writing it under time pressure.
Decide where you stand on AI use, on paper. Whether or not you use generative AI inside the work you do for the client, the answer needs to be written down and consistent across every document you send out. The filing on what an AI policy should say covers what a useful one looks like.
The five-year shield is good headline material. The actual mechanism is procurement, and procurement starts now. Treat the speech as a notice period.
How Steelwise can help
Writing the supplier security pack, working out what Cyber Essentials Plus would take, and decoding what individual CNI-customer questionnaires are asking for is something we do with clients. Get in touch.
Further reading
- NCSC: Cyber Assessment Framework for CNI suppliers
- Cabinet Office: Critical National Infrastructure overview