The government has published its Budget Information Security Review on Monday 9 February 2026. The document responds to incidents in the run-up to the 2025 Budget Statement, drawing together the National Cyber Security Centre’s investigation into the publication of the Office for Budget Responsibility’s Economic and fiscal outlook and the Cabinet Office’s inquiry into a 13 November Financial Times article on income tax. The government has accepted all recommendations in full. Principal changes will be introduced ahead of Budget 2026.
Mandatory protections will be embedded in departmental IT to curb the sharing of Budget material within and across organisations. Systems will block the sending of attachments, limit access to named distribution lists, and restrict print and download functions for those viewing sensitive files, with user activity monitored and recorded for audit.
These controls will be linked to a new sensitivity label, 'BUDGET - MARKET SENSITIVE', applied to the most sensitive Budget and forecast information handled by HM Treasury and the OBR. The label will bind documents to named lists and the associated technical restrictions.
Access to highly sensitive material will be reduced. The number of officials who can routinely view such information, including those on named lists, will be cut to limit exposure and improve traceability across handling chains.
On publication practice, the March 2026 Economic and fiscal outlook will be released on the OBR’s behalf by HM Treasury via GOV.UK, which is HM Treasury’s standard platform. This precedes a planned permanent move for the OBR to use GOV.UK for market‑sensitive publications.
HM Treasury and the OBR will work in partnership with the Bank of England to establish a protocol for any future security breach. The objective is to set out a clear, co‑ordinated response where market-sensitive information is implicated.
The Macpherson Principles will continue to govern pre‑briefing. While most Budget material is not market sensitive, the economic and fiscal projections, the overarching fiscal judgement, and individual tax rates, reliefs and allowances must not be pre‑briefed in public or with the media.
Operationally, cross‑government circulation of Budget files will use named‑list distribution with activity monitoring. Attachments will be blocked and printing and downloads restricted, requiring teams to work within the new viewing-only model when preparing measures and clearances.
For external audiences, placing the March 2026 EFO on GOV.UK consolidates release on a single government platform. Alongside a Bank of England protocol, this sets a clearer framework for handling market‑sensitive material and managing any future incidents.
The Review confirms that all recommendations will be implemented in full. The full text of the Budget Information Security Review has been published on GOV.UK.