The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

At a glance

  • The NCSC is the UK’s technical authority for cyber threats. It is part of the Government Communications Headquarters (GCHQ) and has several roles in NIS.
  • It acts as the ‘computer security incident response team’ or CSIRT. This means it monitors incidents, provides early warnings, disseminates information, conducts cyber threat assessments and provides general technical support to competent authorities.
  • It is also the ‘single point of contact’ (SPOC). In this role it receives information on NIS incidents from all competent authorities and co-ordinates with its counterparts in other Member States.
  • The NCSC has published a ‘NIS guidance collection’, primarily for OES.

In brief

What is the National Cyber Security Centre (NCSC)?

The NCSC is the UK’s ‘technical authority’ for cyber incidents. It is part of GCHQ, one of the UK’s security services, and was formed in 2016 to provide a unified national response to cyber threats. It was created out of a number of pre-existing organisations which included:

  • GCHQ’s ‘Communications-Electronics Security Group’ (CESG), which was the national technical authority for information assurance and advised organisations on how to protect their network and information systems from threats;
  • CERT UK, the former computer security incident response team;
  • the Centre for Cyber Assessment (CCA), also part of GCHQ, responsible for providing cyber threat assessments to UK government departments; and
  • the cyber functions of the Centre for the Protection of the National Infrastructure (CPNI).

The UK’s National Cyber Security Strategy 2016-2021 outlines the Government’s intent behind setting up the NCSC. The strategy will also be used as the ‘NIS national strategy’ as required under Regulation 3.

Further reading

Visit the NCSC’s website for more information.

What role does the NCSC have?

NIS does not mention the NCSC by name – a number of functions are assigned to GCHQ itself. These are carried out by the NCSC. It acts as the ‘single point of contact’ (SPOC) and ‘computer security incident response team’ (CSIRT).

Single point of contact (SPOC)

The SPOC’s role largely concerns cross-border co-operation where incidents affect more than one Member State. It also produces reports on incident notifications. 

Regulation 4 of NIS designates the NCSC as the SPOC. It is required to:

  • liaise with SPOCs, CSIRTs and competent authorities in other countries to ensure cross-border co-operation;
  • consult and co-operate with relevant law enforcement authorities; and
  • co-operate with the competent authorities when they undertake enforcement actions.

The SPOC must also submit reports to a ‘Cooperation Group’ at European level. These are based on annual reports that competent authorities provide to the SPOC about the number and nature of any NIS incidents.

Computer Security Incident Response Team (CSIRT)

NIS assigns the CSIRT a range of functions. Regulation 5 designates the NCSC as the CSIRT. In this role, it is required to:

  • monitor incidents;
  • provide early warning, alerts, announcements and dissemination of information about risks and incidents;
  • respond to incidents notified to it by competent authorities;
  • provide dynamic risk and incident analysis and situational awareness;
  • participate in the ‘CSIRTs network’ at European level;
  • establish relationships with the private sector;
  • promote the adoption and use of common or standard practices for incident and risk handling procedures, and incident, risk and information classification schemes; and
  • co-operate with the competent authorities when they undertake enforcement actions.

Competent authorities may share information with the NCSC where this is necessary for the requirements of NIS. This has to be limited to information that is ‘relevant and proportionate’ to the purpose of the sharing.

Under Regulation 12(8), the ICO is also required to share incident notifications with the NCSC as soon as reasonably practicable.

How does this relate to the ICO’s functions in respect of the GDPR?

For most organisations, only the GDPR will apply. If you are not an OES or an RDSP, then you have no NIS obligations. However, for OES and RDSPs both laws may apply at the same time.

The ICO is the UK’s supervisory authority for the GDPR, with powers and functions as specified in that legislation. This means that wherever organisations covered by NIS also process personal data, we have a different, yet related, set of regulatory functions.

The NCSC is the UK ‘technical authority’ for cyber issues. Although it does not have a regulatory function in respect of the GDPR, where cyber breaches take place there is a clear link between what we do in enforcing the GDPR and what the NCSC does in the wider ‘cyber landscape’.

The NCSC’s specific functions under NIS, coupled with the ICO’s role as the competent authority for RDSPs, simply serve to reinforce this link.

The UK Government’s ‘Cyber Security Regulation and Incentives Review’ in 2016 stated that the GDPR would be the main means by which ‘cyber hygiene’ in the UK economy would be improved, in concert with NIS for OES and RDSPs. The review also outlined the Government’s intent for the ICO and the NCSC to collaborate, given the overlap in the legislation.

Since then, the ICO and the NCSC have worked closely together on both NIS and the GDPR, and we expect continued collaboration in the future.

Further reading

Read the UK Government’s Cyber Security Regulation and Incentives Review for more information. 

What guidance has the NCSC released about NIS?

The NCSC has developed a package of technical guidance for the NIS Directive, starting with a set of ‘high-level security principles’. The full guidance collection was published in January 2018 on the NCSC's website. This guidance is aimed primarily at operators of essential services rather than RDSPs, although it may still be relevant to RDSPs.