NHS Ranks Cyber Attack Risk Above Pandemic Threat as Digital Vulnerabilities Mount

By Distilled Post Editorial Team

NHS England has elevated the threat of a large-scale cyber attack above a future pandemic on its formal organisational risk register, a shift that reflects both the scale of the digital infrastructure now underpinning clinical services and the health service's continued exposure to hostile actors operating across its supply chain.

The reclassification does not discount the danger of a pandemic. Officials note that a pandemic carries a greater risk to the country as a whole, but existing national preparedness frameworks and established medical protocols substantially reduce the specific organisational risk it presents. Cyber threats, by contrast, remain elevated by the variability of security maturity across NHS bodies, a heavy dependence on third-party technology suppliers, and an external threat environment that shows no sign of stabilising. A target risk score has been set for 2030, though officials have acknowledged this will remain above their preferred risk appetite given conditions outside the health service's direct control.

The practical consequences of these vulnerabilities are being tested in real time. A national crisis exercise scheduled for July will simulate a sustained cyber attack across a sample of healthcare organisations, with the specific aim of evaluating whether critical clinical services can be maintained during prolonged network disruption and whether a coherent national response can be coordinated in such circumstances.

Underpinning many of these concerns is a recognised shortage of digital and data professionals across the health service. NHS England has formally identified recruitment and retention of niche technical staff as an acute operational risk. Without those specialists in post, both day-to-day system continuity and longer-term digital transformation programmes are exposed. New risk categories have also been introduced to capture potential service disruption arising from structural and digital transitions already under way across the network.

The emergence of medical artificial intelligence has added a further layer of regulatory complexity. New compliance requirements for AI-enabled medical devices have introduced what officials describe as the risk of an innovation freeze: if health organisations cannot meet the requirements quickly enough, deployment of AI-assisted diagnostic and treatment tools could stall. To reduce that risk, approved funding arrangements and tighter information governance policies have been applied, a combination that has lowered the recorded data breach risk score. The challenge of regulatory compliance, however, has not been resolved.

On procurement, NHS England is moving away from broad technology deployment in favour of a more targeted model. Four clinical areas have been selected for testing integrated procurement frameworks: AI-assisted dermatology triage, digital therapeutics for insomnia, robotic surgical systems, and wearable technology for cardiac rehabilitation. The intention is to generate evaluable evidence from specific settings before any wider rollout.

At the European level, standards bodies have introduced foundational security requirements for artificial intelligence systems. The ETSI EN 304 223 standard addresses a range of AI-specific vulnerabilities, including data poisoning and prompt injection, and applies across the full system lifecycle from design to decommissioning. Its adoption within NHS-adjacent technology procurement remains at an early stage.

Regionally, Integrated Care Boards are revising their cyber improvement programmes with a focus on consistency. Current efforts centre on developing system-wide incident response plans, template security policies, and standardised governance frameworks. The aim is to reduce the variability in how cyber incidents are reported and handled across local health systems, a problem that has complicated national oversight.

The formal elevation of cyber risk on the national register is less a new assessment than a public acknowledgement of what has long been apparent to those operating within NHS digital infrastructure. The question now is whether the governance and investment commitments already in motion are sufficient, and rapid enough, to meet a threat that is not waiting for the health service to be ready.