Wednesday 23 Aug 2023 @ 16:20
National Cyber Security Centre
Printable version

Categorising UK cyber incidents

Explaining the NCSC and UK law enforcement categorisation model for cyber incidents.

In the NCSC, the Incident Management (IM) team is responsible for triaging and categorising incidents. We do this by considering the severity of the incident and its potential impact on the UK. This informs our response and makes sure we direct our resources towards managing the most significant UK cyber incidents.

Outside of the NCSC, the only other operational teams with the authority to categorise a cyber incident are our counterparts in UK law enforcement, including the National Crime Agency.

Unsure who to report your cyber incident to?

Visit this UK government service to see whether you should report your incident to the NSC or another organisation.

GOV.UK/REPORT-CYBER

The framework was set up in 2018 and is flexible enough to allow the full range of incidents to be categorised, from national crisis through to cyber attacks against individuals.

The model has six levels of severity and is applied uniformly across all sectors including government, critical national infrastructure, charities, universities, schools, as well as small businesses and individuals.

Category definition        

Who typically responds?

What do they typically do?

Category 1

National cyber emergency

A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.

Immediate, rapid and coordinated cross-government response. Strategic leadership from ministers / Cabinet Office (COBR), technical cross-government coordination led by NCSC, working closely with law enforcement.

NCSC engages with the victim to provide advice and helps coordinate queries to the victim from government stakeholders, including to support a COBR meeting. As the UK's technical authority, NCSC provides a view on which incident response activities to follow.

Category 2

Highly significant incident

A cyber attack which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy.

NCSC leads the response (escalated to COBR if necessary), working closely with law enforcement (usually NCA) as required.

NCSC organises a tempo of engagement meetings to give a victim organisation advice suited to the severity of the incident. Where appropriate and on request of the victim organisation, NCSC supports them in engaging with the relevant Lead Government Department. As the UK's technical authority, NCSC provides a view on which incident response activities to follow.

Category 3

Significant incident

A cyber attack which has a serious impact on a large organisation or on wider/local government, or which poses a considerable risk to central government or UK essential services.

NCSC leads the response, working with law enforcement (usually NCA) as required.

NCSC organises a tempo of engagement meetings to give a victim organisation advice suited to the severity of the incident. Where relevant, as the UK's technical authority, NCSC provides a view on which incident response activities to follow.

Category 4

Substantial incident

A cyber attack which has a serious impact on a medium-sized organisation, or which poses a considerable risk to a large organisation or wider/local government.

NCSC or law enforcement (NCA or ROCU) leads the response, depending on the incident.

Advice is disseminated to the victim to support their response, potentially supported by a tempo of victim engagement meetings suited to the severity of the incident.

Category 5

Moderate incident

A cyber attack on a small organisation, or which poses a considerable risk to a medium-sized organisation, or preliminary indications of cyber activity against a large organisation or the government.

Law enforcement leads the response (likely ROCU or local police force), with NCA input as required.

Advice is disseminated to the victim to support their response, with possible follow-up support as required.

Category 6

Localised incident

A cyber attack on an individual, or preliminary indications of cyber activity against a small or medium-sized organisation.

Local police force leads the response with NCA input as required.

Advice is disseminated to the victim to support their response.
Channel website: https://www.ncsc.gov.uk/

Original article link: https://www.ncsc.gov.uk/information/categorising-uk-cyber-incidents

Share this article

Latest News from
National Cyber Security Centre

National Cyber Security Centre CTO: The tech market isn't working

15/05/2024 14:10:00

Ollie Whitehouse will say in his keynote speech that companies globally know how to build resilient, secure technology, but the market does not incentivise them to do so.

New laws to protect consumers from cyber criminals come into force in the UK

29/04/2024 14:22:00

From today, regulations enforcing consumer protections against hacking and cyber-attacks will take effect, mandating that internet-connected smart devices meet minimum-security standards by law.

NCSC enters new partnership for PDNS delivery

17/04/2024 13:05:00

The National Cyber Security Centre announces new partnership to deliver the Protective Domain Name System (PDNS) service.

UK holds China state-affiliated organisations and individuals responsible for malicious cyber activity

26/03/2024 10:31:00

UK calls out pattern of malicious cyber activity by Chinese state-affiliated organisations and individuals targeting democratic institutions and parliamentarians.

NCSC and partners issue warning about state-sponsored cyber attackers hiding on critical infrastructure networks

08/02/2024 11:05:00

GCHQ’s National Cyber Security Centre and partners share details of how threat actors are using built-in tools to camouflage themselves on victims’ systems.

Business leaders urged to toughen up cyber attack protections

24/01/2024 13:12:00

New guidelines to help directors and business leaders boost their resilience against cyber threats.

Exploitation of vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure

15/01/2024 10:15:00

Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805 and CVE-2024-21887), and follow the latest vendor advice.

UK exposes attempted Russian cyber interference in politics and democratic processes

08/12/2023 10:29:00

The UK condemns Russia’s sustained attempts at political interference in the UK and globally.

UK and allies expose Russian intelligence services for cyber campaign of attempted political interference

07/12/2023 14:25:00

The UK and allies call out the Russian Intelligence Services for a campaign of malicious cyber activity attempting to interfere in UK politics and democratic processes