NCSC warns data centres face surge in cyber attacks

On October 14, 2025 the National Cyber Security Centre (NCSC) dropped a stark warning: data‑centre operators are now sitting in the cross‑hairs of a wave of more sophisticated, AI‑fuelled cyber attacks. The alert comes with the publication of the agency’s 2025 Annual Review, a document that’s already being dissected by CEOs, CIOs and security teams across the United Kingdom.

Why data centres are now deemed critical

Since January 1, 2024 the UK government has classified data centres as Critical National Infrastructure (CNI). That shift means the facilities that store the bulk of the country’s digital services – from banking back‑ends to health‑care portals – are subject to the same stringent oversight as power stations and water supplies. The NCSC’s review shows that, in the twelve‑month period from September 1 2024 to August 31 2025, the agency’s Incident Management Team logged 1,727 tips, which were distilled into 429 distinct incidents. Nearly half (204) rose to the level of "nationally significant", a dramatic jump from the 89 cases recorded a year earlier.

The numbers behind the surge

  • 429 total incidents reported, a 22% rise year‑on‑year.
  • 204 incidents classified as nationally significant – up 130%.
  • 18 incidents labelled "highly significant", meaning a serious impact on central government or the UK economy – a 50% increase.
  • 29 severe cases traced back to a small set of unpatched Common Vulnerabilities and Exposures (CVEs).

Among the highly significant incidents were attacks on retail giants such as Marks & Spencer, the Co‑op Group and luxury department store Harrods. In each case, the perpetrators leveraged a blend of ransomware and data‑exfiltration techniques that forced the companies to temporarily shut down core services.

AI and the new attack playbook

Perhaps the most unsettling finding is the growing role of artificial intelligence. The NCSC reports that threat actors are now using large language models (LLMs) to automate spear‑phishing, accelerate reconnaissance and even generate zero‑day exploits on the fly. "We expect AI‑assisted operations to be a critical resilience challenge through to at least 2027," the centre warned, noting that the speed and scale of AI‑generated attacks could outpace traditional patch‑management cycles.

Regulatory response and guidance

In response, the NCSC has rolled out a tougher compliance framework. The agency’s "It's time to act" campaign singles out a handful of CVEs – most notably CVE‑2025‑61882 affecting Oracle E‑Business Suite – and urges immediate remediation. Operators are also being nudged to adopt the free PDNS cyber‑resilience programme which, after a 2024 expansion to UK schools, now includes a dedicated module for data‑centre OT (operational technology) security.

Earlier in the year, a joint fact sheet issued by U.S. agencies – chiefly the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency – highlighted heightened activity from Iranian threat groups. The NCSC incorporated those insights into its own threat assessment, underscoring the transatlantic nature of the danger.

Industry reactions and next steps

Legal analysts at DLA Piper echoed the NCSC’s urgency in an October 2025 briefing, stating that "the core business‑resilience message" demands "immediate action" from data‑centre owners. Many operators are now scrambling to inventory legacy systems, accelerate patch cycles and invest in AI‑powered detection tools.

Looking ahead, the NCSC plans to publish a follow‑up report in early 2026 that will track the adoption of its recommendations. For now, the message is clear: if a data centre’s patches are still stuck in a spreadsheet, the risk isn’t just theoretical – it’s a material business‑continuity exposure.

Key facts at a glance

  • Annual Review release date:
  • Review period: 1 Sept 2024 – 31 Aug 2025
  • Data centres classified as CNI since: 1 Jan 2024
  • AI‑driven attacks expected to grow through: 2027
  • Top CVE to patch now: CVE‑2025‑61882 (Oracle)

Frequently Asked Questions

How does the NCSC warning affect small‑scale data‑centre operators?

Even facilities with just a handful of racks fall under the CNI umbrella, meaning they must now meet the same patch‑management and reporting standards as large cloud providers. The NCSC recommends immediate assessment of legacy OT devices and adoption of the free PDNS resilience toolkit to avoid costly downtime.

What specific AI techniques are threat actors using?

Actors are training LLMs on publicly available phishing templates, then auto‑generating targeted spear‑phishing emails that bypass traditional spam filters. They're also using AI to sift through massive data dumps for exploitable credentials and to prototype zero‑day exploits at unprecedented speed.

Which recent incidents highlighted the new threat landscape?

The NCSC cited attacks on Marks & Spencer, the Co‑op Group and Harrods during 2024‑2025. Each breach combined ransomware encryption with data theft, forcing the companies to temporarily suspend online sales and customer data portals.

What regulatory actions are slated for 2026?

The NCSC intends to tighten audit requirements for OT systems, introduce mandatory quarterly vulnerability disclosures for CNI‑designated data centres, and launch a new AI‑focused threat‑intelligence sharing platform for critical infrastructure operators.

How can organisations start patching the highlighted CVEs?

First, inventory all Oracle E‑Business Suite instances, then apply the emergency patch for CVE‑2025‑61882 released in August 2025. In parallel, conduct a risk‑based review of other legacy software, prioritize anything exposed to the internet, and verify that patch‑management tools are automating deployment across both IT and OT networks.
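One way to turn the inventory-and-prioritise steps above into a repeatable remediation queue, as an added example that is not NCSC or Oracle tooling. The CSV column names, host names and priority tiers are assumptions made for illustration, and the sample inventory is constructed.

```python
import csv
import io

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """host,product,network,internet_exposed,auto_patch,cve_2025_61882_patched
ebs-prod-01,Oracle E-Business Suite,IT,yes,no,no
ebs-dr-01,Oracle E-Business Suite,IT,no,yes,yes
bms-ctrl-02,Legacy BMS controller,OT,yes,no,n/a
hr-app-03,Legacy HR portal,IT,no,no,n/a
dcim-04,DCIM console,OT,no,yes,n/a
"""

def is_yes(value):
    return value.strip().lower() == "yes"

def triage(row):
    """Return (priority, reason); a lower priority number means act first."""
    ebs = "e-business suite" in row["product"].lower()
    exposed = is_yes(row["internet_exposed"])
    if ebs and not is_yes(row["cve_2025_61882_patched"]):
        return (0 if exposed else 1, "EBS instance missing CVE-2025-61882 patch")
    if exposed and not is_yes(row["auto_patch"]):
        return (2, "internet-exposed, patched by hand")
    if exposed:
        return (3, "internet-exposed, review patch level")
    if not is_yes(row["auto_patch"]):
        return (4, "internal, not covered by automated patching")
    return (5, "internal, automated patching in place")

def build_queue(inventory_csv):
    """Rank every asset in the inventory, most urgent first."""
    queue = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        priority, reason = triage(row)
        queue.append({"host": row["host"], "network": row["network"], "priority": priority, "reason": reason})
    return sorted(queue, key=lambda item: (item["priority"], item["host"]))

def automation_gaps(inventory_csv):
    """Count hosts per network (IT/OT) that patch tooling does not reach."""
    gaps = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_yes(row["auto_patch"]):
            gaps[row["network"]] = gaps.get(row["network"], 0) + 1
    return gaps

if __name__ == "__main__":
    for item in build_queue(SAMPLE_INVENTORY):
        print(item["priority"], item["host"], item["network"], item["reason"])
    print(automation_gaps(SAMPLE_INVENTORY))
```

The second function answers the last step of the procedure: any non-zero count for IT or OT is a segment where deployment is still manual.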