NCSC
Organisation · GB


UK national cyber agency within GCHQ; advisories, attribution, and the GDPR Article 32 standard.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

Why does ignoring NCSC guidance now count as a GDPR violation?

Timeline for NCSC

#414 May

Mentioned in: UAT-8616 keeps Cisco SD-WAN under fire

Cybersecurity: Threats and Defences
#412 May

ICO fines South Staffs Water £963,900

Cybersecurity: Threats and Defences
Common Questions
What has NCSC warned about in 2026?
In March–May 2026, NCSC issued advisories on CitrixBleed 3 (25 March), state-linked QR-code attacks on Signal and WhatsApp (31 March, co-issued with the Dutch AIVD), and APT28's SOHO router DNS hijacking campaign targeting Microsoft 365 (7 April, co-issued with the FBI). Source: NCSC
Does NCSC guidance have legal force in the UK?
NCSC guidance is not legislation, but the UK ICO has established in the Capita and Advanced Computer Software monetary penalty notices that NCSC guidance constitutes the GDPR Article 32 technical standard. Organisations that fail to follow published NCSC guidance face documented enforcement risk after a breach. Source: ICO
What is the NCSC's role in the Cyber Security and Resilience Bill?
The UK Cyber Security and Resilience Bill, currently progressing through Parliament, will expand NCSC's co-regulatory role alongside Ofcom and DSIT, placing NCSC technical guidance on a statutory footing for data-centre operators and critical national infrastructure providers. Source: UK Parliament / DSIT
How is NCSC connected to GCHQ?
NCSC operates as part of GCHQ, the UK's signals intelligence agency. This gives NCSC advisories access to signals intelligence that commercial threat intelligence firms cannot replicate, enabling higher-confidence attribution assessments such as the APT28/GRU Unit 26165 designation. Source: NCSC

Background

The National Cyber Security Centre (NCSC) is the UK's national cybersecurity authority, operating as part of GCHQ. It provides threat advisories, incident response support, and guidance to UK industry and government on cybersecurity standards. NCSC's advisory outputs are informed by GCHQ's signals intelligence collection, giving them a higher attribution-confidence basis than purely commercial threat intelligence. NCSC works in formal partnership with the Five Eyes CERTs and regularly co-issues advisories with the US CISA, the FBI, and the Dutch AIVD.

NCSC issued a cluster of high-profile advisories in the March–May 2026 window. On 25 March it warned of active reconnaissance against CVE-2026-3055 (CitrixBleed 3). On 31 March, a joint advisory with the Dutch AIVD documented state-linked QR-code attacks against Signal, WhatsApp, and Messenger accounts. On 7 April, NCSC assessed that APT28, 'almost certainly' GRU Unit 26165, was behind a SOHO router DNS hijacking campaign targeting Microsoft 365 OAuth tokens; the attribution was co-issued with the FBI.

NCSC guidance carries regulatory weight beyond best-practice status. The UK ICO has established in both the Capita (£14m) and Advanced Computer Software (£3.07m) monetary penalty notices that NCSC cyber hygiene guidance — specifically Active Directory tiering and Privileged Access Management — constitutes the GDPR Article 32 technical standard. Organisations that depart from clear, published NCSC guidance face documented enforcement risk when a breach occurs. The pending Cyber Security and Resilience Bill will further cement NCSC's co-regulatory role, placing its guidance on a statutory footing alongside Ofcom and DSIT for data-centre and CNI operators.