Cyber Incident Reporting Requirements

Cyber incident reporting services are priced by engagement type. Incident reporting procedure development (policies, notification templates, escalation matrix, regulator contact sheet) is £5,000-£8,000 as a one-time project. An incident reporting readiness programme including tabletop exercise simulating a notifiable incident, gap analysis against your current GDPR process, and staff training costs £10,000-£15,000. An incident reporting retainer providing 24/7 regulatory notification support and on-call advisory is £15,000-£25,000 per year. Annual retainer support costs less than 0.15% of the maximum penalty exposure, and is priced as an operational cost, not a capital project. Emergency incident reporting support during an active breach is £2,500 per day, covering regulatory submission drafting and regulator communication management. Fixed pricing is provided after assessing your regulatory requirements and current incident response capabilities.

Internal teams face significant challenges meeting the Bill's reporting requirements: (1) The 24-hour notification window for major incidents starts at discovery, leaving minimal time for internal coordination, legal review, and regulatory submission. (2) Regulatory notifications require specific formats and content that differ by sector regulator (NCSC, ICO, FCA, etc.). (3) Incorrect or incomplete initial notifications can trigger enforcement action. (4) Multi-regulator incidents (a data breach affecting critical infrastructure) require coordinated submissions to multiple authorities simultaneously. (5) Out-of-hours incidents need immediate reporting capability most internal teams cannot provide at 2 AM on a Sunday. (6) Post-incident reports require forensic detail and root cause analysis that may exceed internal capabilities. We provide expert support ensuring compliant notifications while your team focuses on containment and recovery.

The Bill requires reporting of: ransomware attacks, data breaches affecting personal or sensitive data, cyber attacks causing significant service disruption exceeding four hours for critical services, supply chain compromises affecting essential services, and security incidents affecting critical national infrastructure. The reporting threshold is not limited to data breaches. Operational incidents causing material service disruption trigger the obligation regardless of whether personal data is involved. Organisations frequently underestimate their scope because they conflate the Resilience Bill reporting obligation with their existing GDPR breach notification process.

The Bill uses a tiered structure based on incident severity. For major incidents (events causing or capable of causing significant service disruption, substantial data loss, or threats to critical infrastructure), initial notification to the NCSC is required within 24 hours of discovery. For significant incidents (events that materially degrade services but do not meet the major incident threshold), initial notification must be submitted within 72 hours. The 24-hour and 72-hour clocks start from the point of discovery, not from confirmed attribution or full assessment. You are not required to have a complete picture before filing: submit an initial notification with available information and follow up with interim updates as the investigation progresses. A final incident report covering root cause analysis, full impact assessment, affected data and individuals, and remediation actions must be submitted within 30 days of the initial notification. Under GDPR Article 33, data breaches involving personal data carry a separate 72-hour ICO notification obligation, which runs concurrently with any NCSC notification.

Regulator notification depends on your sector and the nature of the incident. All in-scope organisations must notify the NCSC for qualifying incidents (24 hours for major, 72 hours for significant). If personal data is involved, the ICO must be notified separately within 72 hours under GDPR Article 33. Financial services firms notify the FCA under existing operational resilience obligations. Telecoms operators notify Ofcom. Energy and water operators notify Ofgem and Ofwat via sector-specific portals. NHS and healthcare organisations notify NHS England via the DSPT incident reporting mechanism. Where a cybercrime offence is involved, Action Fraud and the NCA should also be notified. Submitting to one regulator does not satisfy the obligation to another. We map your specific regulatory notification obligations in a single engagement call.

To report a cyber incident to the NCSC, use the NCSC's online reporting service at report.ncsc.gov.uk. For significant incidents requiring immediate response, contact the NCSC 24/7 incident management team. Your initial report should include: the date and time of discovery, the systems or services affected, the suspected attack type (ransomware, phishing, unauthorised access), and whether personal data may be involved. You do not need a complete picture to file an initial notification. Submit what you know within the required window and provide updates as the investigation develops. If your organisation operates critical national infrastructure, contact your sector regulator concurrently. If you need assistance drafting and submitting the initial notification during an active incident, our team is available 24/7.

GDPR breach reporting (under Article 33) applies when personal data is involved and there is a risk to individuals' rights and freedoms. The Resilience Bill's incident reporting obligation applies to a broader category of cyber incidents, including ransomware, significant service disruptions, and supply chain compromises, regardless of whether personal data is involved. The two obligations are separate and run concurrently: you may need to notify the ICO under GDPR at the same time as notifying the NCSC under the Resilience Bill. The submission portals, information requirements, and regulatory contacts differ between the two frameworks. Organisations that rely solely on their existing GDPR process will miss the NCSC notification requirement. Our GDPR data protection services can be integrated with Resilience Bill compliance to build a unified notification procedure covering both obligations.

Incident reports must include: incident timeline (discovery, containment, eradication), systems and services affected, data compromised and the number of individuals impacted, suspected attack type and initial vector assessment, root cause analysis (in the final report), immediate response actions taken, and long-term remediation measures to prevent recurrence. Initial notifications do not require complete information: submit what you know and supplement with interim updates. The final report due within 30 days must be comprehensive. Submitting an incomplete or vague final report attracts regulatory scrutiny even where the initial notification was timely.

Yes, if the incident involves a data breach affecting personal data (GDPR) or significantly impacts service delivery. Under GDPR, affected individuals must be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms. The Resilience Bill may impose additional customer notification obligations for service disruptions affecting essential services, separate from the personal data element. Customer notification should occur after regulatory notification but without unreasonable delay. We help draft customer communications that balance transparency requirements with legal obligations and reputational considerations.

Failure to notify within required windows carries financial penalties up to £10 million or 2% of global annual turnover, whichever is higher. Additional consequences include mandatory improvement notices, increased regulatory scrutiny of future incidents, and in severe cases, criminal liability for directors under the Bill's provisions where knowingly false or misleading information is provided to a regulator. Proactive notification is a mitigating factor in enforcement decisions. Organisations that notify promptly, respond transparently, and demonstrate remediation consistently receive more favourable regulatory treatment than those that miss windows or self-report late.

If you believe a notifiable incident occurred and was not reported to the required regulators within the mandatory window, you face potential enforcement exposure. The appropriate steps are: (1) Do not destroy or alter any evidence or records related to the incident. (2) Take legal advice before making any contact with regulators. (3) Assess whether voluntary late disclosure is advisable: regulators typically treat proactive engagement more favourably than non-disclosure followed by investigation. (4) Document your decision-making process at the time: who made the notification decision, on what basis, and with what information available. If you received legal advice not to report, document that advice. We provide regulatory exposure assessments for organisations in this position, including advice on voluntary disclosure strategy and regulator engagement. Contact our regulatory response team.

Yes. We provide 24/7 emergency incident response including regulatory notification support. Our team coordinates with your incident response team, forensics providers, and legal counsel to ensure timely and accurate regulatory submissions. Emergency incident reporting support is available at £2,500 per day. If you are in an active incident right now, contact us immediately: the 24-hour notification window does not pause while you arrange support.