
Active Directory tiering
Privilege-isolation model for AD; ICO-established GDPR Article 32 baseline after Capita £14m fine.
Last refreshed: 8 May 2026
- What is Active Directory tiering and why does the ICO care about it?
  - AD tiering isolates privileged admin accounts by function: Tier 0 (domain controllers), Tier 1 (servers), Tier 2 (endpoints). The UK ICO fined Capita £14m and Advanced Computer Software £3.07m after absent AD tiering contributed to breaches, citing NCSC guidance as the GDPR Article 32 standard. Source: ICO / NCSC
- Does not having Active Directory tiering breach GDPR?
  - Under the UK ICO's Capita and Advanced Computer Software enforcement template, absent AD tiering is a GDPR Article 32 violation when it contributed to a breach that a reasonable security programme would have prevented. NCSC guidance on AD tiering is the ICO's stated technical standard. Source: ICO monetary penalty notices
- How is Active Directory tiering related to the Stryker cyber attack?
  - Stryker's Handala attack exploited the same principle as absent AD tiering: a single compromised administrator credential had unlimited blast radius across all managed devices because privilege boundaries were not enforced. In Stryker's case the control plane was Microsoft Intune MDM rather than Active Directory, but the architectural failure mode is identical. Source: NCSC / Lowdown
Background
Active Directory (AD) tiering is a security architecture model that isolates administrative accounts by function and privilege level: Tier 0 covers domain controllers and identity infrastructure; Tier 1 covers servers and applications; Tier 2 covers endpoints and standard workstations. Absent AD tiering was cited alongside absent privileged access management (PAM) controls as a GDPR Article 32 failure by the ICO in both the Capita (£14m) and Advanced Computer Software (£3.07m) monetary penalty notices.
In both ICO enforcement cases, the lack of AD tiering allowed attackers to escalate privileges from a compromised lower-tier account to domain-controller-equivalent access, producing the impact that triggered the GDPR breach notification. NCSC guidance on AD tiering is the reference document the ICO applied as its Article 32 baseline in both decisions.
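As an added illustration (not part of the original page or of the ICO/NCSC material), the check below applies the tier rule to constructed logon records: a higher-tier credential used interactively on a lower-tier host is exactly the exposure that lets a compromised lower-tier account escalate towards domain-controller access. The account and host tier assignments, host names and the log line format are assumptions made for this example.

```python
import re
from collections import namedtuple

# Tier assignments are constructed for this example. In a real estate the
# account tier comes from group membership (e.g. Domain Admins = Tier 0) and
# the host tier from the OU/role; anything unclassified is treated as Tier 2.
ACCOUNT_TIER = {"da-alice": 0, "srvadm-bob": 1, "wsadm-carol": 2}
HOST_TIER = {"DC01": 0, "APP-SRV-07": 1, "WS-042": 2}
# Windows logon types that leave reusable credentials on the host:
# 2 = Interactive, 10 = RemoteInteractive (RDP). 3 = Network does not.
EXPOSING_LOGON_TYPES = {2, 10}

Finding = namedtuple("Finding", "account host account_tier host_tier reason")
LINE_RE = re.compile(r"^(?P<id>\d+) user=(?P<user>\S+) host=(?P<host>\S+) type=(?P<type>\d+)$")

def parse_event(line):
    """Parse one line of the constructed log format; only 4624 (successful logon) is kept."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("id") != "4624":
        return None
    user = m.group("user").split("\\")[-1].lower()  # drop the DOMAIN\ prefix
    return user, m.group("host").upper(), int(m.group("type"))

def tier_violations(lines):
    """Return one Finding per interactive logon whose account and host tiers differ."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user, host, logon_type = ev
        if logon_type not in EXPOSING_LOGON_TYPES:
            continue  # network logons do not cache a reusable credential
        a_tier, h_tier = ACCOUNT_TIER.get(user, 2), HOST_TIER.get(host, 2)
        if a_tier == h_tier:
            continue  # logon stays inside its tier: the model is being respected
        reason = (f"Tier {a_tier} credential exposed on Tier {h_tier} host" if h_tier > a_tier
                  else f"Tier {a_tier} account reached Tier {h_tier} host")
        findings.append(Finding(user, host, a_tier, h_tier, reason))
    return findings

SAMPLE_LOG = [  # constructed sample events, not real logs
    r"4624 user=CORP\da-alice host=WS-042 type=10",    # Tier 0 admin RDPs to an endpoint
    r"4624 user=CORP\da-alice host=DC01 type=2",       # Tier 0 admin on a DC: expected
    r"4624 user=CORP\srvadm-bob host=WS-042 type=3",   # network logon: nothing cached
    r"4624 user=CORP\dave host=DC01 type=2",           # unclassified (Tier 2) user on a DC
    r"4625 user=CORP\eve host=WS-042 type=2",          # failed logon: ignored
]
```

Running `tier_violations(SAMPLE_LOG)` returns two findings: the Tier 0 credential exposed on WS-042 and the Tier 2 user reaching DC01.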
For enterprise security architects and compliance teams, the ICO decisions mean that NCSC's AD tiering model is now a compliance obligation for UK-regulated organisations, not merely a security recommendation. The Stryker MDM wipe provides the complementary operational illustration: while Stryker's specific failure was at the MDM control-plane level, the underlying principle is identical — privilege levels within administrative tooling must be isolated and bounded to limit blast radius.
The UK Cyber Security and Resilience Bill, currently at Report Stage, will expand the mandatory incident-reporting regime to a wider set of operators. The ICO's Capita-Advanced enforcement template for AD tiering will apply to the expanded class of regulated operators, including data-centre operators, once the Bill receives Royal Assent. The Trellix disclosure delay reported in May 2026 (Trellix disclosed a source-code breach 21 days after the intrusion, against the Bill's proposed 24-hour initial-notification period) reinforces the policy momentum behind mandatory timelines. AD tiering is the specific architectural control the ICO will likely apply as its Article 32 baseline under the expanded regime.