
NCSC
UK national cyber agency within GCHQ; advisories, attribution, and the GDPR Article 32 standard.
Last refreshed: 24 June 2026 · Appears in 1 active topic
Will the Cyber Security and Resilience Bill give NCSC guidance the force of statute on 10 June?
Timeline for NCSC
Published a joint advisory naming FSB Centre 16
Cybersecurity: Threats and Defences: NCSC names FSB Centre 16 over routersFlagged the FortiBleed credential set as privately held
Cybersecurity: Threats and Defences: Lynx crew cashes in FortiBleed haulCo-issued the Five Eyes AI cyber-risk statement on 22 June 2026
Cybersecurity: Threats and Defences: Five Eyes warn AI threat is months awayIssued joint alert on 18 June and recommended factory reset of affected Fortinet devices
Cybersecurity: Threats and Defences: 86,644 Fortinet logins become a hit listManaged 200+ UK CNI cyber incidents in the year to May 2026
Cybersecurity: Threats and Defences: NCSC counts 200+ UK infrastructure hitsWhat has NCSC warned about in 2026?
Does NCSC guidance have legal force in the UK?
What is the NCSC's role in the Cyber Security and Resilience Bill?
Background
The National Cyber Security Centre (NCSC) is the UK's national cybersecurity authority, operating as part of GCHQ. It provides threat advisories, Incident Response support, and guidance to UK industry and government on cybersecurity standards. NCSC's advisory outputs are informed by GCHQ's signals intelligence collection, giving them a higher attribution-confidence basis than purely commercial threat intelligence. NCSC works in formal partnership with the Five Eyes CERTs and regularly co-issues advisories with the US CISA, FBI, and the Dutch AIVD.
NCSC issued a cluster of high-profile advisories in the March-May 2026 window. On 25 March it warned of active reconnaissance against CVE-2026-3055 (CitrixBleed 3). On 31 March, a joint advisory with Dutch AIVD documented state-linked QR-code attacks against Signal, WhatsApp, and Messenger accounts. On 7 April, NCSC attributed APT28 as 'almost certainly' GRU Unit 26165 behind a SOHO router DNS hijacking campaign targeting Microsoft 365 OAuth tokens, attribution co-issued with the FBI. NCSC guidance carries regulatory weight beyond best-practice status. The UK ICO has established in both the Capita (£14m) and Advanced Computer Software (£3.07m) monetary penalty notices that NCSC cyber hygiene guidance (specifically Active Directory tiering and Privileged Access Management) constitutes the GDPR Article 32 technical standard.
Two significant developments landed in June 2026. On 17 June, NCSC chief executive Dr Richard Horne told the RUSI annual security lecture that NCSC managed more than 200 cyber incidents against UK critical national infrastructure in the year to May 2026, with approximately 75 per cent linked to state actors in Russia, China, and Iran, and warned that AI-enabled exploitation of known flaws at scale is expected by 2028. On 18 June, NCSC and CISA issued joint alerts after researcher Volodymyr Diachenko disclosed a privately-held database of 86,644 Fortinet FortiGate credentials spanning 194 countries, labelled FortiBleed, built via credential reuse and traffic interception running since at least February 2026, with targeting patterns consistent with intelligence preparation by a Russian-speaking actor weighted toward NATO members. The Cyber Security and Resilience Bill, which will place NCSC guidance on a statutory footing with penalties up to 4 per cent of global turnover, reached Commons Report Stage on 10 June 2026.