
Information Commissioner's Office
UK data-protection regulator; Capita £14m fine; NCSC guidance as GDPR Article 32 standard.
Last refreshed: 8 May 2026 · Appears in 1 active topic
What exactly does the ICO expect companies to have in place to avoid a GDPR fine after a cyber attack?
Timeline for Information Commissioner's Office
- Fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 on 12 May 2026 under GDPR Article 32 and the Data Protection Act 2018 (Cybersecurity: Threats and Defences: ICO fines South Staffs Water £963,900)
- Mentioned in: Trellix discloses 21-day-old breach of source-code repository (Cybersecurity: Threats and Defences)
- Mentioned in: FIRESTARTER implant survives every Cisco firewall patch (Cybersecurity: Threats and Defences)
- Mentioned in: 17-year-old Office RCE back on KEV (Cybersecurity: Threats and Defences)
- Mentioned in: UK 24-hour reporting bill at Report (Cybersecurity: Threats and Defences)
- What fines has the ICO issued for cybersecurity failures?
- The ICO fined Capita £14 million in October 2025 and Advanced Computer Software £3.07 million in March 2025 for cybersecurity failures that enabled data breaches, citing absent PAM controls and inadequate Active Directory tiering as GDPR Article 32 violations. Source: ICO monetary penalty notices
- Does the ICO use NCSC guidance to decide if a company was negligent?
- Yes. The ICO's Capita and Advanced Computer Software monetary penalty notices explicitly treat NCSC cyber hygiene guidance — including PAM and AD tiering recommendations — as the Article 32 GDPR technical standard for adequate security measures. Source: ICO
- How long do UK companies have to report a cyber breach to the ICO?
- Under current UK GDPR, the ICO must be notified within 72 hours of becoming aware of a qualifying personal-data breach. The Cyber Security and Resilience Bill proposes a stricter 24-hour initial-notification period for in-scope critical infrastructure and data-centre operators. Source: UK GDPR / Cyber Security and Resilience Bill
- What is the ICO's role in the Cyber Security and Resilience Bill?
- The Bill will expand the ICO's co-regulatory role alongside Ofcom and DSIT for data-centre operators and critical national infrastructure providers, placing its enforcement template — including NCSC guidance as the Article 32 standard — on a wider statutory footing. Source: UK Parliament / DSIT
Background
The Information Commissioner's Office (ICO) is the UK's independent data-protection regulator, responsible for enforcing the UK GDPR and the Data Protection Act 2018. Its monetary penalty notices carry legal weight as precedent. The ICO fined Capita £14 million in October 2025 for its 2023 data breach and Advanced Computer Software £3.07 million in March 2025 for its 2022 breach. Both notices cited absent Privileged Access Management (PAM) controls and inadequate Active Directory tiering as GDPR Article 32 violations, treating NCSC cyber hygiene guidance as the enforceable technical standard.
The ICO has signalled that it will continue to use NCSC guidance as the reference technical standard for Article 32 compliance. For UK organisations, the Capita-Advanced precedents have immediate practical implications: any organisation that lacks PAM controls and an AD tiering model for administrative accounts faces documented enforcement risk if a breach occurs that a reasonable security programme would have prevented.
The Trellix 21-day disclosure delay — Trellix disclosed a source-code repository breach in May 2026 some 21 days after the intrusion occurred — illustrates the gap that the UK Cyber Security and Resilience Bill is designed to close. The Bill proposes a 24-hour initial-notification period for in-scope incidents; the Trellix timeline falls 20 days outside that window. The ICO's co-regulatory role will expand under the Bill alongside Ofcom and DSIT for data-centre operators and critical national infrastructure providers. The ICO's existing enforcement template — using NCSC guidance as the GDPR Article 32 baseline — will apply to the expanded class of regulated operators once the Bill receives Royal Assent. The 24-hour notification standard is likely to become the ICO's primary enforcement lever for disclosure-delay cases.