Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
20MAY

UK 24-hour reporting bill at Report

4 min read
09:58UTC

The Cyber Security and Resilience Bill passed Public Bill Committee. ICO fined Capita £14m for missing PAM and AD tiering, citing NCSC guidance as the GDPR baseline.

TechnologyAssessed
Key takeaway

NCSC guidance has effectively become enforceable GDPR baseline in the UK through ICO precedent.

The UK Cyber Security and Resilience (CS&R) Bill reached Report Stage on 2 March 2026, after the Public Bill Committee concluded in February and a carry-over motion was passed; the bill is expected to reach the House of Lords in the next parliamentary session 1. The substantive provisions rewrite the operating model for UK in-scope organisations. Initial incident reports become due within 24 hours, full reports within 72 hours. Data centres are classified as essential services under joint oversight from the communications regulator Ofcom and the Department for Science, Innovation and Technology (DSIT). The definition of organisations covered by statutory cyber standards widens beyond the current Network and Information Systems (NIS) perimeter.

The 24-hour clock is the operational change. For UK-listed companies, board-level incident-escalation playbooks now have to land within a single trading day, which is a tighter cycle than most legal and communications Teams have tested. Tabletop exercises run on a 72-hour assumption become out of date on the day the bill receives Royal Assent.

The enforcement template is already set. Per a decision by the UK Information Commissioner's Office (ICO), the information regulator fined outsourcing firm Capita £14 million in October 2025 for its 2023 breach, and the technical basis has become the 2026 template 2. The ICO cited Capita's absence of Privileged Access Management (PAM) controls, the tooling that gates and audits access to the highest-risk admin accounts, and the absence of Active Directory (AD) tiering, the Microsoft reference model for separating admin credentials by privilege level, as the General Data Protection Regulation (GDPR) security failures that enabled the attacker's privilege escalation. Precedent from Capita and the earlier Advanced Computer Software decision (£3.07m, March 2025) treats NCSC guidance as the GDPR technical baseline. For any organisation in ICO scope, NCSC cyber hygiene advice now carries the force of enforceable data-protection standard.

Deep Analysis

In plain English

The UK government is passing a law called the Cyber Security and Resilience Bill that will require certain organisations to report cyber attacks to the government within 24 hours, and provide a full report within 72 hours. Data centres will be classified as critical national infrastructure, meaning they will be regulated for security in the same way as power grids and water systems. Separately, the UK's privacy regulator (the ICO, Information Commissioner's Office) fined Capita, a large UK outsourcing company, £14 million for a 2023 data breach. The ICO said Capita failed to implement basic security controls that the NCSC (the UK's national cybersecurity agency) recommends: specifically, Privileged Access Management (which restricts who can access sensitive systems) and Active Directory tiering (which organises computer accounts by risk level). The ICO effectively said: if you ignore NCSC guidance and get breached, it is a legal breach of data protection law.

Deep Analysis
Root Causes

Data centres were excluded from the original Network and Information Systems (NIS) Regulations 2018 that implemented the EU NIS Directive in UK law. The CS&R Bill's essential-services classification for data centres corrects that structural gap, reflecting the fact that major cloud and co-location facilities now underpin critical infrastructure operations that the original regulations covered.

The ICO's decision to treat NCSC guidance as the GDPR technical baseline resolves a legal ambiguity that has existed since GDPR came into force: Article 32's 'appropriate technical and organisational measures' standard is deliberately non-prescriptive, and UK organisations have argued successfully in past ICO engagements that 'appropriate' is subjective.

The Capita decision operationalises NCSC guidance as the benchmark, converting a subjective standard into a specific published control catalogue.

What could happen next?
  • Consequence

    UK organisations in scope for the CS&R Bill must rebuild their incident-escalation procedures to guarantee board notification and regulator submission within a trading day, transforming cyber incident response from an IT function to a C-suite operational protocol.

  • Precedent

    The ICO Capita precedent means that any UK organisation that has not implemented PAM and AD tiering in line with NCSC guidance, and subsequently suffers a breach, faces a materially higher fine risk than before the October 2025 decision.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Skadden· 17 Apr 2026
Read original
Causes and effects
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.