Cyber security and data protection

Report a cyber incident

Emergency response guide for reporting cyber attacks and data breaches. Covers who to contact (Report Fraud, ICO, NCSC, Police Scotland), what information to provide, legal deadlines, and what happens after you report.

UK-wide Updated 16 Feb 2026

Guide summary

If your business has a cyber attack or data breach, you must report it quickly. Contact Report Fraud or Police Scotland for cyber crime, the ICO within 72 hours for data breaches, and NCSC for serious attacks. Keep evidence like screenshots and emails.

Report cyber crime to Report Fraud or Police Scotland
Report data breaches to ICO within 72 hours
Forward phishing emails to report@phishing.gov.uk
Contact NCSC for serious cyber attacks
Preserve evidence like screenshots and emails
Get a crime reference number for insurance
Notify affected individuals if high risk
Use CIR Assured Service Provider for incidents
NHS must report within 72 hours for service impact
Financial firms follow FCA/PRA procedures

On this page

UK-wide

Respond to a ransomware attack

Emergency response guide for ransomware attacks. Covers immediate containment, recovery options, reporting requirements, and ransom payment decisions. For …

Cyber security requirements for UK businesses

How to protect your business from cyber threats and comply with UK cyber security requirements. Includes Cyber Essentials …

Data protection for healthcare providers

How healthcare providers must handle patient data under UK GDPR, including special category health data requirements, Caldicott Principles, …

Cyber security basics for small businesses

Practical, low-cost steps to protect your small business from cyber attacks. Covers the five Cyber Essentials controls, free …

Data protection annual compliance checklist

Annual checklist for verifying your data protection compliance. Covers ICO fee renewal, privacy notices, records of processing, breach …

Under active attack right now?

Disconnect affected systems from the network immediately
Do NOT pay any ransom demands
Report to the NCSC at report.ncsc.gov.uk
Call Report Fraud on 0300 123 2040 (England, Wales, Northern Ireland) or Police Scotland on 101

Then return to this guide for detailed reporting requirements.

When your business experiences a cyber incident, you may need to report it to multiple authorities depending on what happened. Getting this right protects your business legally and helps you recover faster.

This guide covers who to contact, what to report, and when - including the critical 72-hour deadline for data breaches.

Step 1: Identify what type of incident you have

Different incidents require reporting to different authorities. Your incident may fall into one or more categories:

Cyber crime (ransomware, hacking, fraud, phishing that resulted in loss) - Report to Report Fraud or Police Scotland
Personal data breach (customer or employee data accessed, lost, or stolen) - Report to the ICO within 72 hours if there is risk to individuals
Significant cyber attack (affecting critical systems or national infrastructure) - Report to NCSC
Suspected phishing email (no breach yet) - Forward to report@phishing.gov.uk

Many incidents require reporting to multiple authorities. For example, a ransomware attack that encrypts customer data should be reported to both Report Fraud (the crime) and the ICO (the data breach).

Cyber incident reporting contacts and procedures

Who to report cyber incidents to, including Action Fraud, ICO, NCSC, and geographic variations for Scotland.

Different cyber incidents require reporting to different authorities. All UK organisations should know their reporting obligations and have key contacts readily available.

Cyber crime reporting (England, Wales, NI): Report Fraud (formerly Action Fraud) - reportfraud.police.uk or 0300 123 2040
Cyber crime reporting (Scotland): Police Scotland via 101 (Scotland has not signed up to Report Fraud process)
Report Fraud phone hours: Monday-Friday 8am-8pm (24/7 for organisations under live attack)
Report Fraud from abroad: +44 300 123 2040
Data breach reporting (all UK): ICO at ico.org.uk/for-organisations/report-a-breach (within 72 hours if risk to individuals)
ICO helpline: 0303 123 1113 (Monday-Friday 9am-5pm)
Phishing email reporting: NCSC Suspicious Email Reporting Service (SERS) - forward to report@phishing.gov.uk
NCSC Cyber Incident Response (CIR) Scheme: Industry assurance scheme - all UK organisations should use CIR Assured Service Provider when dealing with cyber incidents
NHS organisations (NIS OES in England): Report to NHS England within 72 hours for incidents with adverse effect on security or significant impact on service continuity
Financial services firms: Report to FCA/PRA as per firm's notification procedures
Operators of Essential Services: Report to sector regulator within 72 hours
Digital service providers: Report to ICO within 72 hours if substantial impact
Under active cyber attack (need help): NCSC at ncsc.gov.uk and CIR provider immediately
What Report Fraud cannot do: Not investigative body, cannot guarantee police investigation or advise on report contents
Why report even if not investigated: Builds intelligence picture, identifies patterns, informs national policing priorities

Step 2: Report cyber crime to the police

All cyber crimes should be reported to help police build intelligence and catch criminals. Even if your individual case is not investigated, your report contributes to the national picture.

What to report to Report Fraud

When you contact Report Fraud (or Police Scotland), be ready to provide:

Your business name and contact details
When you discovered the incident (date and time)
What type of attack occurred (ransomware, business email compromise, invoice fraud, etc.)
How the attack happened (if known)
Financial losses (actual and potential)
Whether you have backups of affected data
Any evidence you have (emails, screenshots, ransom notes)

Important: Preserve evidence before attempting recovery. Take screenshots of ransom messages. Do not delete suspicious emails. Keep logs of what happened and when.

What happens after you report

You will receive a crime reference number. Keep this for insurance claims and other reports. Report Fraud passes reports to the National Fraud Intelligence Bureau (NFIB), which analyses patterns and allocates cases to local police forces for investigation where appropriate.

Note: Not every report results in a police investigation. Reports are prioritised based on severity, evidence available, and likelihood of identifying suspects.

Step 3: Report data breaches to the ICO

If the cyber incident involved personal data (names, email addresses, financial information, health data, etc.), you have a separate legal obligation under UK GDPR.

ICO data breach notification requirements (72-hour rule)

Two-tier notification requirements under UK GDPR, including the 72-hour rule for reporting to ICO and requirements for notifying affected individuals.

Under UK GDPR, organisations must report personal data breaches to the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. A two-tier system applies:

Risk to individuals: Report to ICO within 72 hours
High risk to individuals: Report to ICO within 72 hours AND notify affected individuals without undue delay

The clock starts when you become aware of the breach, not when it originally happened or when you complete full investigation.

ICO reporting timeline: Within 72 hours of becoming aware of the breach
Threshold for ICO reporting: Breach likely to result in risk to rights and freedoms of individuals
Threshold for individual notification: Breach likely to result in high risk to rights and freedoms of individuals
Individual notification timeline: Without undue delay
When clock starts: When you become aware of the breach (sufficient evidence to believe incident occurred and meets threshold)
How to count 72 hours: Count hours, not working days (weekends and bank holidays count)
If you miss 72 hours: Still must report, must provide reasons for delay
Phased reporting permitted: Yes - initial report within 72 hours with available information, updates without undue delay
ICO reporting method: Online tool at ico.org.uk/for-organisations/report-a-breach
Exceptions to individual notification: Data encrypted/unintelligible, measures taken to eliminate high risk, or disproportionate effort (use public communication instead)
Record keeping requirement: Document all breaches whether or not reported to ICO (UK GDPR Article 33(5))
Recommended record retention: At least 3 years (aligns with ICO investigation timeframes)

The 72-hour clock

You have 72 hours from when you become aware of a reportable breach to notify the ICO. This means:

The clock starts when you have reasonable certainty a breach occurred - not when your investigation is complete
Weekends and bank holidays count - the clock does not pause
If you cannot gather all information in 72 hours, report what you know and provide updates later

When in doubt, report. The ICO prefers you to report breaches that turn out to be less serious than expected, rather than fail to report serious breaches.

What to include in your ICO report

The ICO's online reporting tool asks for:

Your organisation details and Data Protection Officer (if you have one)
Nature of the breach (what happened)
Categories of personal data affected (names, financial, health, etc.)
Approximate number of individuals affected
Likely consequences for those individuals
Measures taken to address and mitigate the breach

You can submit an initial report with partial information and provide updates as your investigation progresses.

UK GDPR data breach notification requirements

72-hour breach notification requirement under UK GDPR Article 33. Pure data reference.

UK GDPR requires data controllers to report certain personal data breaches to the ICO and, in some cases, to the individuals affected.

ICO notification deadline: Within 72 hours of becoming aware of the breach
Clock starts when: You have 'reasonable certainty' a breach has occurred, not when you know full details
When notification required: If the breach is likely to result in a risk to people's rights and freedoms
When notification NOT required: If breach is unlikely to result in any risk to individuals - but must still record internally
Individual notification: Required without undue delay if risk to individuals is HIGH
Legislation: UK GDPR Articles 33 and 34

Required notification content (Article 33(3))

Nature of the breach (what happened)
Categories and approximate numbers of individuals affected
Categories and approximate numbers of records affected
Name and contact details of your DPO or other contact point
Likely consequences of the breach
Measures taken or proposed to address the breach and mitigate harm

Phased reporting: If full information unavailable within 72 hours, report what you know and provide details later 'without undue further delay'
Internal record-keeping: ALL breaches must be documented (whether notified to ICO or not) for audit purposes
Penalty for notification failure: Up to £8.7 million or 2% of global annual turnover (whichever is higher)

Report a breach to the ICO

Step 4: Report significant attacks to NCSC

The National Cyber Security Centre (NCSC) is the UK government's technical authority on cyber security. Report to them if:

You are under active attack and need technical guidance
The attack affects critical national infrastructure or services
You have identified a new type of attack or vulnerability
The attack is sophisticated or state-sponsored
Multiple organisations appear to be targeted

The NCSC does not replace police reporting - report to both if appropriate.

NCSC Cyber Incident Response

For serious incidents, the NCSC maintains a list of Cyber Incident Response (CIR) Assured Service Providers - companies vetted to help organisations respond to and recover from cyber attacks. If you need professional incident response help, use an assured provider.

Step 5: Report phishing attempts

If you receive a suspicious email, text, or website link - but have not clicked on it or been compromised - forward it to the NCSC's Suspicious Email Reporting Service:

Suspicious emails: Forward to report@phishing.gov.uk
Suspicious text messages: Forward to 7726
Suspicious websites: Report at report.ncsc.gov.uk

The NCSC uses these reports to take down malicious websites and warn others. Over 10 million suspicious emails are reported each year.

Sector-specific reporting

Some sectors have additional reporting requirements to their regulators.

Professional & Financial Services Requirement

Financial services firms

FCA and PRA-regulated firms must report material cyber incidents to their regulators in addition to Report Fraud and the ICO.

Follow your firm's existing incident notification procedures for FCA/PRA reporting. Significant incidents affecting customer data or service availability typically require notification within 24-72 hours.

FCA operational resilience guidance

Healthcare & Social Care Requirement

NHS organisations and suppliers

NHS organisations designated as Operators of Essential Services under NIS Regulations must report significant incidents to NHS England within 72 hours.

If you handle NHS patient data, also notify your NHS Digital contact and consider Caldicott Guardian involvement for patient confidentiality issues.

NHS Data Security and Protection Toolkit

Manufacturing & Engineering Requirement

Operators of Essential Services

If your organisation is designated as an Operator of Essential Services (OES) or Relevant Digital Service Provider (RDSP) under NIS Regulations, you must report incidents with significant impact to your sector regulator within 72 hours.

This is in addition to ICO and police reporting where applicable.

NIS Regulations guidance on GOV.UK

After reporting: what to do next

Reporting is just the first step. After you have notified the relevant authorities:

1

Keep your reference numbers safe

You will receive reference numbers from Report Fraud, the ICO, and potentially others. Keep these together - you will need them for insurance claims, follow-up communications, and if authorities contact you.
2

Notify affected individuals (if required)

If the ICO breach was high risk, you must notify affected individuals directly. Tell them what happened, what data was affected, what you are doing about it, and what they can do to protect themselves.
3

Document everything

Keep a detailed timeline of the incident, your response, and all communications with authorities. This is required under UK GDPR and will help if you face questions later.
4

Review your insurance

If you have cyber insurance, notify your insurer as soon as possible. They may provide incident response support and will guide you on making a claim.
5

Conduct a post-incident review

Once the immediate crisis is over, review what went wrong and how to prevent it happening again. Update your security measures, policies, and staff training based on lessons learned.

NCSC cyber threat statistics 2025

Current statistics on cyber attacks targeting UK organisations from NCSC Annual Review 2025.

The UK is experiencing record cyber threats. The National Cyber Security Centre (NCSC) states: "The question is no longer if your organisation will face a cyber incident, but when."

NCSC CEO Richard Horne's warning: "Cyber criminals will target organisations of all sizes, operating in any sector."

Nationally significant attacks (year to September 2025): 204 attacks (up from 89 previous year)
Nationally significant attacks per week: 4 per week
Increase in highly significant incidents: 50% increase
Proportion of attacks classified as nationally significant: 48% (record high)
Ransomware incidents per week: 35-40 incidents per week (up from 20-25 in 2024)
Ransomware classification: Most acute cyber threat to UK organisations (NCSC)
Small businesses targeted by ransomware: 71% of ransomware attacks
Average ransomware downtime: 21 days
Average ransom demand: £100,000-£500,000 (varies widely)
Suspicious emails reported to SERS: 10.9 million in past year
Successful attacks beginning with phishing: Over 90%
People using easy-to-guess credentials: 19%
Businesses reviewing supplier cyber risk: Only 14% in last 12 months

Get help recovering

Beyond reporting, you may need help to recover from a cyber incident:

NCSC guidance: Free guidance on responding to specific attack types at ncsc.gov.uk
CIR Assured Providers: Vetted incident response companies for professional support
Cyber insurance: Your insurer may provide incident response services
IT support: Your existing IT provider or an emergency IT specialist

Do not pay ransoms. The NCSC and law enforcement strongly advise against paying ransoms. Payment does not guarantee you will get your data back, funds criminal organisations, and makes you a target for future attacks.

Official reporting services

Legal basis

This guidance is based on the following UK legislation.

Primary legislation

Data Protection Act 2018

Act 2018

UK-wide

Secondary legislation

Network and Information Systems Regulations 2018

SI 2018

UK-wide

Other legislation

UK GDPR (retained EU law)

EU Retained 2016

UK-wide

Related guides in Compliance & Legal