Prime minister announces that, following the creation of the government’s new digital centre in DSIT, security policy and oversight will also move from the Cabinet Office to the tech department

Responsibility for leading government’s work related to cybersecurity across Whitehall and the broader public sector has been moved from the Cabinet Office to the Department for Science, Innovation and Technology.

This machinery of government change was announced yesterday in a written parliamentary statement from prime minister Keir Starmer. In its new departmental home, public sector cyber will sit within the Government Digital Service.

The relocation of responsibilities mirrors the move recently made by GDS itself – which, until early 2025, resided in the Cabinet Office. Since being migrated into DSIT, the digital unit’s headcount and remit has been expanded, having been reintegrated with the Central Digital and Data Office – which was spun out into a separate entity in 2021 to take the lead on cross-government digital strategy. The new-look GDS also now incorporates the Incubator for Artificial Intelligence and the Geospatial Commission.

Its further expansion to include cross-government security duties will provide benefits across the public sector, according to the PM.

“This change will strengthen technology resilience and policymaking across the public sector, by better integrating cybersecurity responsibilities and expertise into the Government Digital Service,” he said. “This change is effective immediately.”

Related content

• GDS opens GOV.UK Wallet for public bodies
• GDS invites 5,000 users to test GOV.UK App
• GDS and digital ID watchdog meet with vendors to explore ‘how GOV.UK Wallet can work with private sector solutions’

Underpinning cross-Whitehall work on cyber is the long-term Government Cyber Security Strategy, published in 2022, which set out a target for the public sector’s “critical functions to be significantly hardened to cyberattack by 2025”, and for all public bodies to become “resilient to known vulnerabilities and attack methods no later than 2030”.

A recent report from the National Audit Office wanted that, after limited progress in tackling issues including the ongoing prevalence of legacy systems across departments, government will miss the strategy’s near-term targets, while its longer-term objectives now appear ambitious.

GDS’s assumption of responsibility for overseeing this work comes after a period of scrutiny on the security of some of the highest-profile products being developed by te digital unit, including GOV.UK One Login – the new government-wide system hoped to provide a single sign-in system to be used across departments and services and by tens of millions of citizens.

Following parliamentary questions over reports that senior officials had previously warned that the platform was “carrying a high level of risk”, a minister claimed that such a characterisation was “outdated”.

However, government’s own records confirm that One Login has, in recent weeks, lost its certification against the formal digital identity standards framework operated by DSIT. PublicTechnology understands that the government contends that the removal of the badge was because a supplier had allowed its certification to lapse and “is not due to any change in product or approach in One Login and [the project is] working to commence recertification”. 

GDS recently signed a two-year £9.5m deal with Accenture for the provision of “cybersecurity services” related to the unit’s work on One Login.