Skip to content
You can now search across every topic, entity and event.What's new
NCSC
OrganisationGB

NCSC

UK national cyber agency within GCHQ; advisories, attribution, and the GDPR Article 32 standard.

Last refreshed: 24 June 2026 · Appears in 1 active topic

Key Question

Will the Cyber Security and Resilience Bill give NCSC guidance the force of statute on 10 June?

Timeline for NCSC

#109 Jul

Published a joint advisory naming FSB Centre 16

Cybersecurity: Threats and Defences: NCSC names FSB Centre 16 over routers
#91 Jul

Flagged the FortiBleed credential set as privately held

Cybersecurity: Threats and Defences: Lynx crew cashes in FortiBleed haul
#822 Jun

Co-issued the Five Eyes AI cyber-risk statement on 22 June 2026

Cybersecurity: Threats and Defences: Five Eyes warn AI threat is months away
#818 Jun

Issued joint alert on 18 June and recommended factory reset of affected Fortinet devices

Cybersecurity: Threats and Defences: 86,644 Fortinet logins become a hit list
#817 Jun

Managed 200+ UK CNI cyber incidents in the year to May 2026

Cybersecurity: Threats and Defences: NCSC counts 200+ UK infrastructure hits
View full timeline →
Common Questions
What has NCSC warned about in 2026?
In March-May 2026, NCSC issued advisories on CitrixBleed 3 (25 March), state-linked QR-code attacks on Signal and WhatsApp (31 March, co-issued with Dutch AIVD), and APT28's SOHO router DNS hijacking campaign targeting Microsoft 365 (7 April, co-issued with FBI).Source: NCSC
Does NCSC guidance have legal force in the UK?
NCSC guidance is not legislation, but the UK ICO has established in the Capita and Advanced Computer Software monetary penalty notices that NCSC guidance constitutes the GDPR Article 32 technical standard. Organisations that fail to follow published NCSC guidance in a covered category face documented enforcement risk after a breach.Source: ICO
What is the NCSC's role in the Cyber Security and Resilience Bill?
The UK Cyber Security and Resilience Bill, scheduled for Commons Report Stage and Third Reading on 10 June 2026, will expand NCSC's co-regulatory role alongside Ofcom and DSIT, placing NCSC technical guidance on a statutory footing for data-centre operators and critical national infrastructure providers. It carries a two-tier penalty regime up to 4 per cent of global turnover.Source: UK Parliament / DSIT

Background

The National Cyber Security Centre (NCSC) is the UK's national cybersecurity authority, operating as part of GCHQ. It provides threat advisories, Incident Response support, and guidance to UK industry and government on cybersecurity standards. NCSC's advisory outputs are informed by GCHQ's signals intelligence collection, giving them a higher attribution-confidence basis than purely commercial threat intelligence. NCSC works in formal partnership with the Five Eyes CERTs and regularly co-issues advisories with the US CISA, FBI, and the Dutch AIVD.

NCSC issued a cluster of high-profile advisories in the March-May 2026 window. On 25 March it warned of active reconnaissance against CVE-2026-3055 (CitrixBleed 3). On 31 March, a joint advisory with Dutch AIVD documented state-linked QR-code attacks against Signal, WhatsApp, and Messenger accounts. On 7 April, NCSC attributed APT28 as 'almost certainly' GRU Unit 26165 behind a SOHO router DNS hijacking campaign targeting Microsoft 365 OAuth tokens, attribution co-issued with the FBI. NCSC guidance carries regulatory weight beyond best-practice status. The UK ICO has established in both the Capita (£14m) and Advanced Computer Software (£3.07m) monetary penalty notices that NCSC cyber hygiene guidance (specifically Active Directory tiering and Privileged Access Management) constitutes the GDPR Article 32 technical standard.

Two significant developments landed in June 2026. On 17 June, NCSC chief executive Dr Richard Horne told the RUSI annual security lecture that NCSC managed more than 200 cyber incidents against UK critical national infrastructure in the year to May 2026, with approximately 75 per cent linked to state actors in Russia, China, and Iran, and warned that AI-enabled exploitation of known flaws at scale is expected by 2028. On 18 June, NCSC and CISA issued joint alerts after researcher Volodymyr Diachenko disclosed a privately-held database of 86,644 Fortinet FortiGate credentials spanning 194 countries, labelled FortiBleed, built via credential reuse and traffic interception running since at least February 2026, with targeting patterns consistent with intelligence preparation by a Russian-speaking actor weighted toward NATO members. The Cyber Security and Resilience Bill, which will place NCSC guidance on a statutory footing with penalties up to 4 per cent of global turnover, reached Commons Report Stage on 10 June 2026.

More questions
How is NCSC connected to GCHQ?
NCSC operates as part of GCHQ, the UK's signals intelligence agency. This gives NCSC advisories access to signals intelligence that commercial threat intelligence firms cannot replicate, enabling higher-confidence attribution assessments such as the APT28/GRU Unit 26165 designation.Source: NCSC
How many cyber attacks hit UK critical infrastructure in 2026?
NCSC managed over 200 cyber incidents against UK critical national infrastructure in the year to May 2026, with approximately 75 per cent linked to state actors in Russia, China, and Iran, according to NCSC CEO Dr Richard Horne at RUSI on 17 June 2026.Source: event
What is the FortiBleed Fortinet credential leak?
FortiBleed is a privately-held database of 86,644 Fortinet FortiGate firewall credentials from 194 countries, disclosed on 18 June 2026 by researcher Volodymyr Diachenko, built via credential reuse and traffic interception since at least February 2026 by a suspected Russian-speaking actor.Source: event
When does NCSC expect AI to enable large-scale cyber attacks?
NCSC CEO Dr Richard Horne said at RUSI on 17 June 2026 that AI-enabled exploitation of known vulnerabilities at scale is expected by 2028.Source: event