Research Shows Cyber Confidence in the NHS Remains Low as Regulation Increases

As part of the 2026 Rackspace Healthcare study, we partnered with Coleman Parkes Research to survey 75 NHS IT and digital leaders across the UK, examining how organisations are advancing cloud, AI and cybersecurity capabilities.

In previous blog posts, we explored how cloud adoption across the NHS is progressing alongside integration challenges, and how AI is moving into operational use, shaped by security, governance and organisational readiness. Those findings point to a broader pattern.

Digital transformation is advancing, but it is doing so within environments where control, integration and oversight are still developing. The findings on cyber resilience bring that into sharper focus. Organisations are increasing investment and preparing for new regulatory requirements.

However, confidence in their ability to withstand and recover from cyber incidents remains low. That gap between rising expectations and limited confidence in resilience is where the next phase of transformation will be defined.

Cyber resilience across the NHS remains uneven

According to our research, only 12% of organisations describe themselves as cyber-resilient, with a fully integrated and regularly tested resilience strategy in place. At the same time, 44% report low confidence in their ability to protect patient data and critical systems from cyberattacks.

We see this reflected in how organisations describe their current security and recovery capabilities. Many have established security measures and recovery processes, but these are not always fully integrated or consistently tested across environments. As a result, resilience is still being built rather than fully embedded and ready to support critical systems under disruption.

This creates a clear operational gap. Organisations are continuing to advance cloud adoption and AI initiatives while strengthening the resilience needed to support those systems under disruption.

Regulatory pressure is accelerating the need for resilience

Regulatory pressure is increasing across the NHS as expectations around data protection, operational continuity and accountability continue to rise. This is bringing greater focus to how organisations prepare for and manage cyber risk.

According to our research, 56% of organisations are actively preparing for the UK Cyber Resilience Bill, while only 16% believe they are fully compliant, highlighting a clear gap between preparation and readiness. Organisations recognise the need to strengthen resilience, but many are still working to align their systems, processes and governance frameworks to meet the new requirements.

That readiness gap has practical consequences. As organisations work towards new requirements, resilience is coming under closer scrutiny across security, recovery and continuity of service. NHS organisations need to demonstrate that controls are in place, recovery processes are tested and critical services can continue operating when systems are disrupted.

Investment is increasing but capability is still developing

Organisations across the NHS are responding with increased investment in cybersecurity and resilience. According to our research, 72% expect to increase cybersecurity spending over the next 12 to 24 months, while 81% plan to increase investment specifically in cyber resilience initiatives.

This reflects a clear shift in priorities. Resilience is moving higher on the agenda, with organisations directing investment towards areas such as staff training, threat detection and access controls.

At the same time, investment alone does not immediately translate into capability. Many organisations are still building the processes, skills and operational discipline needed to turn that investment into consistently applied resilience across systems and environments.

Cyber resilience is now shaping broader digital decisions

Cyber resilience is increasingly influencing how organisations make decisions about cloud, data and AI. It is becoming a determining factor in where workloads are placed, how systems are integrated and how new technologies are introduced into existing environments.

We see this reflected in the data. Sixty-one percent of organisations report moving workloads between cloud providers due to data security concerns, while 41% have shifted workloads from public cloud back to on-premises environments for security and compliance reasons. In addition, 44% cite security risks as a barrier to AI adoption.

Taken together, these findings show how cyber maturity is shaping broader digital strategy. Decisions about where workloads run, how systems are integrated and how AI is deployed are all being influenced by the need to maintain control over data and reduce risk.

For NHS organisations, this brings resilience into the centre of digital planning. It is a factor that directly influences how and where transformation can progress.

Compliance and resilience are not the same

Meeting regulatory requirements is an important step, but it does not fully capture what resilience requires in practice.

Compliance focuses on whether specific controls, processes and policies are in place. Resilience is demonstrated through how those controls perform under pressure, how effectively organisations can recover from disruption and how consistently critical services can be maintained.

This distinction becomes more visible as organisations respond to new requirements. Preparing for regulation often involves establishing the right structures and documentation. Building resilience requires those structures to be tested, integrated and applied across real-world scenarios.

For NHS organisations, this comes down to operational capability. Resilience depends on how well systems, teams and processes work together during disruption, not just on whether the right controls have been defined.

Resilience is rooted in discipline and governance

Cyber resilience is the result of how effectively security, recovery and governance practices are integrated and maintained across systems and environments.

Across the NHS, organisations are investing in areas such as staff training, threat detection, access controls and recovery capabilities. The effectiveness of that investment depends on how well these capabilities are integrated into day-to-day operations and applied consistently across systems and teams.

For NHS organisations, this comes down to operational discipline. Resilience is strengthened through regular testing, clear accountability and coordination across teams responsible for security, infrastructure and clinical systems.

Over time, this creates a more consistent and reliable approach to managing risk. It allows organisations to respond to disruption with greater control and maintain continuity across critical services.

Cyber resilience will define how far transformation can scale

Cyber resilience is becoming a defining factor in how far digital transformation can progress across the NHS. As organisations continue to advance cloud adoption and expand the use of AI, resilience will determine how confidently those capabilities can be deployed and operated at scale. Where resilience is well established, organisations are better positioned to extend transformation across systems and services. Where it is still developing, progress is likely to remain more measured.

This points to a shift in how resilience is viewed. Resilience is evolving from a discrete area of focus within security to becoming a core component of how organisations plan, deliver and sustain digital services.

Across the NHS, digital transformation is advancing. The next phase will be shaped by how well organisations can strengthen resilience alongside cloud and AI adoption, ensuring that systems remain secure, available and responsive under pressure.

For a deeper view of the UK findings, including cloud maturity and AI adoption, explore the full NHS-focused Rackspace Healthcare survey report.