Incident reporting
Published 12 November 2025
What are we going to do?
More forms of harmful cyber breaches will need to be reported by operators of essential services (OESs) and relevant managed and digital service providers (RMSPs and RDSPs) to regulators, such as successful ransomware and pre-positioning attacks that are likely to have significant impacts in the UK, even if they have not had an impact yet.
A light-touch initial notification will be required within 24 hours and a full report within 72 hours, while the National Cyber Security Centre (NCSC) will be informed of incidents at the same time as regulators. This will enable regulators and the NCSC to better support affected organisations with rapid responses, identify systemic vulnerabilities, and implement targeted interventions to strengthen the resilience of the relevant sector.
Finally, new requirements for data centres and digital and managed service providers to inform customers of cyber breaches that have likely affected them will increase transparency and enable those customers to take their own actions to mitigate potential harms.
Why are we going to do it?
Under the current regime:
- Cyber attacks like ransomware, pre-positioning and spyware do not have to be reported if they do not immediately disrupt the provision of essential or digital services – even if they have the potential to cause major disruption or compromise later. Examples of that kind of attack could include instances where a hostile actor has successfully hacked into a network, and is in a position to block the legitimate owner’s access to that network in a way that could create significant disruption for the provision of an essential service. Currently, this would only be reportable at the point that disruption had occurred, rather than the point at which the attacker had successfully attacked and gained access to the network. This means that regulators and the government are unsighted on a range of incidents, and unable to develop a full picture of the risks that threaten the UK.
- Notification is only required to the regulator within 72 hours after the organisation has become aware of the breach, and the regulator only then notifies the NCSC – delaying the ability to support in the response to the incident.
- There is no requirement on any regulated entities to inform their customers when they are likely to have been affected by an incident. This could leave customers unaware if their system integrity or confidentiality has been compromised, and therefore unable to take any mitigatory action.
The Cyber Security and Resilience (Network and Information Systems) Bill will provide regulators and the government’s cyber experts with the critical information to allow them to support regulated entities that are victims to cyber attacks, and to help other regulated entities boost their defences against attacks in the future.
How are we going to do it?
Streamlined reporting
The Bill updates the timelines and process for reporting incidents to the relevant authorities.
The Bill introduces a two-stage reporting structure. Regulated entities will first need to send a light-touch notification to their regulator, with the NCSC copied in, within 24 hours of becoming aware that an incident is taking place. A fuller report, containing additional information, will be required after 72 hours.
The 24-hour initial notification is intended to alert the regulator and NCSC to the fact that an incident is happening, so that they are able to offer support to the entity at an early point. The Bill only requires this initial notification to include the entity’s name, the service to which the incident relates, and brief details of the incident.
The 72-hour full notification will be required to contain more detailed information, but only insofar as the information is known to the entity. This information includes:
- the name of the organisation and the service to which the incident relates;
- the time the incident occurred and whether it is ongoing;
- information about the nature of the incident;
- whether the incident was caused by a separate incident affecting another regulated entity;
- information about the impact or likely impact of the incident; and
- any other information that the organisation considers might be helpful for the regulator to know in order to fulfil its functions.
Reporting requirements for relevant digital and managed service providers, and operators of essential services other than data centres
The Bill will make changes to the types of incident that need to be reported. RDSPs, RMSPs and OESs other than data centre services will be required to report incidents that fulfil three criteria:
- The incident has adversely affected, or is adversely affecting, the operation or security of network or information systems relied on to provide the essential service;
- The impact of the incident has been, is, or is likely to be significant;
- The impact of the incident relates to the whole or part of the UK.
The Bill also lists a number of factors that should be considered when deciding whether or not an incident has had, or is likely to have, a significant impact in the UK. These include factors such as:
- the extent of any disruption or potential disruption;
- the number of users affected or likely to be affected;
- the duration of the incident;
- the area that has been or could be affected; and
- whether the confidentiality, authenticity, integrity or availability of data relating to users has been, or is likely to be, compromised.
For digital and managed service providers only, the factors will also include whether there has been, or is likely to be, any impact on the network and information systems of the services’ users; and any impact that the incident has had, is having, or is likely to have on the economy or day-to-day functioning of society.
Once an RDSP or RMSP has provided a full notification to the Information Commission, they will be required to take steps to identify whether any of their customers are likely to have been adversely affected by the incident. They will then need to notify those customers, providing details of the incident and the reasons for which they consider the customer is likely to have been affected. This is to allow the customer to take their own measures to mitigate any adverse impacts on them.
Reporting requirements for operators of data centres
The Bill will introduce incident reporting requirements for data centre operators. Data centre operators will be required to report incidents where one of the following criteria is met:
- The incident has had, could have had, is having or is likely to have a significant impact on the operation or security of the network or information systems relied on to provide the data centre service in the UK;
- The incident has had, could have had, is having or is likely to have a significant impact on the continuity of the data centre service in the UK;
- The incident has had, could have had, is having or is likely to have any other impact in all or part of the UK which is significant.
The government will use secondary legislation to set out factors that should be considered by data centre operators when assessing whether an incident has had, could have had, is having, or is likely to have a significant impact.
Once an operator of a data centre has provided a full notification to Ofcom, they will be required to take steps to identify whether any of their customers are likely to have been adversely affected by the incident. They will then need to notify those customers, providing details of the incident and the reasons for which they consider the customer is likely to have been affected. This is to allow the customer to take their own measures to mitigate any adverse impacts on them.
Functions of regulators
The Bill establishes powers and functions for regulators, and for the NCSC, in relation to incident reports that they receive. Regulators and the NCSC are given powers to share information to support the reporting entity in their response to the incident. They may also share information with the public or with specific other organisations – subject to strict tests to protect the confidentiality and commercial interests of entities – where this is necessary to prevent similar incidents occurring elsewhere. The degree to which the support for incident response is provided by the NCSC or the regulator is likely to vary according to the circumstances of the incident.
Regulators are also required to report annually to the NCSC, summarising the number and nature of incidents that have been reported to them in that year.
Hypothetical case study
If a major cyber attack on an NHS trust causes significant disruption to the operation of the health service, the trust will need to notify the Department of Health and Social Care (DHSC) and the NCSC within 24 hours.
This will enable those organisations to support the trust in its response, and share details of the attack with other trusts that might also be vulnerable to that kind of attack. After 72 hours, the trust will need to share a full report about the attack, as is the case under the existing regulations.
Implementation
The incident reporting measures will be brought into force through secondary legislation following Royal Assent.
The government intends to introduce thresholds through secondary legislation before this measure is brought into force.
This will clarify the points at which we would consider the impact of an incident to be ‘significant’, and therefore reportable to regulators. These thresholds will be set following consultation, and will provide valuable clarity for industry, addressing a key concern with the current regime raised in the post-implementation review.
The government will work closely with regulators and industry to ensure that these new measures are implemented in a proportionate manner that reduces the compliance burden on organisations as far as possible. As part of this, we are considering the domestic and international regulatory landscape, and how efficiencies can be found for businesses that operate across sectors or jurisdictions.