National Cyber Security Centre
Categorising UK cyber incidents
Explaining the NCSC and UK law enforcement categorisation model for cyber incidents.
In the NCSC, the Incident Management (IM) team is responsible for triaging and categorising incidents. We do this by considering the severity of the incident and its potential impact on the UK. This informs our response and makes sure we direct our resources towards managing the most significant UK cyber incidents.
Outside of the NCSC, the only other operational teams with the authority to categorise a cyber incident are our counterparts in UK law enforcement, including the National Crime Agency.
Unsure who to report your cyber incident to?
Visit this UK government service to see whether you should report your incident to the NCSC or another organisation.
The framework was set up in 2018 and is flexible enough to allow the full range of incidents to be categorised, from national crisis through to cyber attacks against individuals.
The model has six levels of severity and is applied uniformly across all sectors including government, critical national infrastructure, charities, universities, schools, as well as small businesses and individuals.
Category 1: National cyber emergency
Category definition: A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.
Who typically responds? Immediate, rapid and coordinated cross-government response. Strategic leadership from ministers / Cabinet Office (COBR), technical cross-government coordination led by NCSC, working closely with law enforcement.
What do they typically do? NCSC engages with the victim to provide advice and helps coordinate queries to the victim from government stakeholders, including to support a COBR meeting. As the UK's technical authority, NCSC provides a view on which incident response activities to follow.

Category 2: Highly significant incident
Category definition: A cyber attack which has a serious impact on central government, UK essential services, a large proportion of the UK population, or the UK economy.
Who typically responds? NCSC leads the response (escalated to COBR if necessary), working closely with law enforcement (usually NCA) as required.
What do they typically do? NCSC organises a tempo of engagement meetings to give a victim organisation advice suited to the severity of the incident. Where appropriate and on request of the victim organisation, NCSC supports them in engaging with the relevant Lead Government Department. As the UK's technical authority, NCSC provides a view on which incident response activities to follow.

Category 3: Significant incident
Category definition: A cyber attack which has a serious impact on a large organisation or on wider/local government, or which poses a considerable risk to central government or UK essential services.
Who typically responds? NCSC leads the response, working with law enforcement (usually NCA) as required.
What do they typically do? NCSC organises a tempo of engagement meetings to give a victim organisation advice suited to the severity of the incident. Where relevant, as the UK's technical authority, NCSC provides a view on which incident response activities to follow.

Category 4: Substantial incident
Category definition: A cyber attack which has a serious impact on a medium-sized organisation, or which poses a considerable risk to a large organisation or wider/local government.
Who typically responds? NCSC or law enforcement (NCA or ROCU) leads the response, depending on the incident.
What do they typically do? Advice is disseminated to the victim to support their response, potentially supported by a tempo of victim engagement meetings suited to the severity of the incident.

Category 5: Moderate incident
Category definition: A cyber attack on a small organisation, or which poses a considerable risk to a medium-sized organisation, or preliminary indications of cyber activity against a large organisation or the government.
Who typically responds? Law enforcement leads the response (likely ROCU or local police force), with NCA input as required.
What do they typically do? Advice is disseminated to the victim to support their response, with possible follow-up support as required.

Category 6: Localised incident
Category definition: A cyber attack on an individual, or preliminary indications of cyber activity against a small or medium-sized organisation.
Who typically responds? Local police force leads the response with NCA input as required.
What do they typically do? Advice is disseminated to the victim to support their response.
