NCSC
Organisation · GB


UK National Cyber Security Centre; issued APT28 attribution advisory, CitrixBleed 3 guidance, and joint AIVD messaging-app warning in March–April 2026.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

Why does ignoring NCSC guidance now count as a GDPR violation?

Timeline for NCSC

- Issued advisory on CVE-2026-3055 on 25 March 2026 urging UK operators to patch (Cybersecurity: Threats and Defences: CitrixBleed 3 lands on SAML broker; #117, Apr)
- Mentioned in: F5 reclassifies DoS bug to 9.8 RCE (Cybersecurity: Threats and Defences; #117, Apr)
- Mentioned in: 17-year-old Office RCE back on KEV (Cybersecurity: Threats and Defences; #117, Apr)
- Published attribution-backed advisory on 7 April 2026 naming APT28 / GRU Unit 26165 for SOHO router DNS hijacking (Cybersecurity: Threats and Defences: GRU hijacks home routers for M365 logins; #117, Apr)
Common Questions

What has NCSC warned about in 2026?

In March–April 2026, NCSC issued advisories on APT28's SOHO router DNS hijacking (co-issued with FBI on 7 April), CitrixBleed 3 (25 March), and state-linked QR-code attacks on Signal and WhatsApp (31 March, co-issued with Dutch AIVD). Source: NCSC

Does NCSC guidance have legal force in the UK?

NCSC guidance is not legislation, but the UK ICO has established in the Capita and Advanced Computer Software monetary penalty notices that NCSC guidance constitutes the GDPR Article 32 technical standard. Organisations that fail to follow published NCSC guidance face documented enforcement risk. Source: ICO

Background

The UK National Cyber Security Centre (NCSC) issued three major advisories in the March–April 2026 window: an attribution-backed advisory on 7 April identifying APT28 as "almost certainly" GRU Unit 26165 behind the SOHO router DNS hijacking campaign; a CitrixBleed 3 advisory on 25 March warning of active reconnaissance against CVE-2026-3055; and a joint advisory with AIVD on 31 March on state-linked QR-code attacks against Signal, WhatsApp and Messenger accounts.

NCSC is the UK's national cybersecurity authority, operating as part of GCHQ. It provides threat advisories, incident response support, and guidance to UK industry and government on cybersecurity standards. NCSC's advisory outputs are informed by GCHQ's signals intelligence collection, giving them a higher attribution-confidence basis than purely commercial threat intelligence.

For UK organisations, NCSC advisories carry regulatory weight under the Cyber Security and Resilience Bill framework: NCSC guidance is explicitly treated by the ICO as the Article 32 GDPR technical standard in its Capita and Advanced Computer Software enforcement precedents. Following NCSC guidance is not merely best practice; under the current enforcement template, failing to follow it in a category where it is clear and published constitutes a demonstrable GDPR breach risk.