Reporting Cyber Incidents

The UK landscape for cyber incident reporting is complex, demanding vigilance from organisations of all sizes. This article looks into the key regulations and timeframes you need to be aware of to ensure a swift and compliant response to cyber threats.

The UK Regulatory Landscape

Two primary regulations govern cyber incident reporting in
the UK.

The General Data Protection Regulation (UK GDPR) and the
Network and Information Systems (NIS) Regulations 2018 report.

The GDPR regulation instructs that the Information
Commissioner’s Office (ICO) should be informed of personal data breaches
without delay, and preferably within 72 hours of becoming aware of an incident. To add a bit more clarity, it focuses on the 72 hours from becoming aware of a personal data breach, not necessarily the cyberattack itself.

There are two reasons for this:

  1. A cyberattack might not always lead to data theft
  2. It might take time to assess the extent of the attack and determine if data was compromised.

The NIS Regulation focuses on incidents impacting essential services like energy, transport, water, waste, healthcare, and digital infrastructure.  Relevant operators of essential services (OESs) must report significant incidents to the ICO within 72 hours. Digital Service Providers (DSPs) under the NIS Regulations follow the same 72-hour timeframe.

Whilst both regulations form the core basis for reporting, there may be sector-specific regulations for your industry. It’s important to consult the ICO’s guidance for tailored advice.

Reporting – Who, When & How?

The ICO acts as the central authority for both the GDPR and NIS regulations. Their online reporting tool allows you to report personal data breaches and incidents.

The National Cyber Security Centre (NCSC), while not mandatory, reporting significant cyber incidents to the NCSC is recommended. They have a useful tool for reporting cyber incidents, the tool will identify the relevant bodies you need to report too, and you may be able to get assistance if required.

Both regulations emphasize reporting “without undue delay”, and preferably within 72 hours. Justifications might be needed for delays exceeding this timeframe, the ICO can issue fines of up to 17.4m or 4% of your annual worldwide turnover, whichever is higher.

While specific formats for reporting might not be mandated, providing comprehensive details about the incident, its potential impact, and the mitigation measures taken is important.

Prompt reporting allows authorities to initiate investigations quickly to minimise damage and identify potential threats. In some cases, issue public warnings to mitigate broader impacts if necessary.


Navigating the UK’s cyber incident reporting landscape requires understanding relevant regulations and adhering to their timeframes. By being proactive and prepared, you can minimise potential damage, comply with regulations, and maintain trust with stakeholders.

#Cybersecurity #CyberIncidentReporting #UKGDPR #NISRegulations #ICO #NCSC

Send Us A Message

More Posts

Firewall in OVH

Firewall for Dedicated Servers in OVH Cloud Overview of default firewall setup in OVH This is a guide on how to setup a Linux based