Cyber incident grab bag: Coordinating with central government and law enforcement

The central government coordination and engagement with law enforcement that occurs when a council experiences a cyber incident.

It can feel overwhelming knowing who to contact in the immediate aftermath of an incident, and what support is available.

This section helps you:

understand who to contact and when
access support available across government and law enforcement
coordinate engagement as your understanding of the incident develops.

Your key strategic actions

(Note: these are a strategic guide, not an exhaustive list of every action you should take.)

To ensure that you manage effective external coordination with central government, law enforcement and other partners through your response and recovery you should:

Triage the incident: use the government's Where to report a cyber incident tool if an incident is suspected, to help triage the situation and identify which organisations need to be notified.
Report to National Cyber Security Centre (NCSC) promptly: report all suspicious activity and confirmed cyber incidents promptly to the NCSC via its Incident Reporting Form. Do not wait for full confirmation before reporting.
Ensure that you use secure communications: do not complete any forms or make contact using a network you believe has been compromised. Use alternative devices or networks.
Do not delay reporting to the Information Commissioner’s Office (ICO): if a personal data breach is suspected, use the ICO’s self-assessment tool and report immediately. Submit based on the information available, even if details are incomplete. You can update your report as new information becomes available.
Engage a Cyber Incident Response (CIR) provider: if you need expert assistance during an attack and potentially into recovery. Use the MHCLG Cyber Incident Response service where available, or NCSC assured suppliers.
Ensure key partners have up to date contact details: where possible, maintain current contact details with National Crime Agency (NCA), National Cyber Security Centre (NCSC), Regional and Local Cyber Crime Units. Ensure your Data Protection Officer (DPO) details are also kept up to date on the ICO register.
Be prepared for wider government engagement: reporting to NCSC may trigger wider coordination across government. MHCLG and relevant government departments may be informed centrally and contact you directly. Be prepared to respond to requests for information, support coordination, and engage where your services, data, or funding are affected.

Stage one: Confirming the need to act (initial hours)

Reporting to the NCSC

Report all suspicious activity and confirmed cyber incidents to the NCSC's via its ‘Report an Incident’ form. Do not delay reporting while waiting for incident confirmation, as this could delay the response/reporting process. This service is monitored 24/7, and an NCSC Defence Watch Officer will get back to you.

Information provided will be held securely with strictly limited access and may be shared with law enforcement partners and relevant government departments to support coordination and mitigation. The NCSC will not share details with regulators, such as the ICO, without first seeking your consent.

For English councils, reports are also shared with MHCLG, who will assess whether additional support is needed, including activation of the Cyber Incident Response (CIR) service.

Notifying Report Fraud

This can be done by calling Report Fraud on 0300 123 2040 or 0300 123 2050 (for people who are deaf or hard of hearing). The service is available 24/7, and calling can result in a quicker response than using the online reporting tool. Ensure the incident is recorded as a crime report, not an information report, so it is acted upon and you receive a crime reference number.

Have key organisational details to hand, for example your company registration number (if applicable, check if this applies to your council). Following your report, the case may be triaged and shared with the National Crime Agency (NCA), Regional Organised Cyber Crime Unit, or local police, who may contact you directly.

Reporting to the ICO early

Do not delay reporting to the ICO. If your incident involves a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, you should report it to the ICO without delay (within 72 hours of becoming aware). Report based on the best information available. You can update your report as more details emerge. Use the ICO’s self-assessment tool if you are unsure. The tool can help you decide whether reporting is required.

Keep your assessment under review. Even if reporting is not required initially, reassess as your understanding of the incident develops, as the level may change.

If your risk assessment indicates that a report should be made, notify the ICO without delay, based on the best available information.

Be prepared to provide:

what has happened
when and how you became aware of the breach
who has been or may be affected by the breach
what you are doing in response
who to contact for further information
who else you have notified.

Stage two: taking your crucial first steps (days)

Once your incident has been reported, engagement with central government will be coordinated centrally. The organisations you hear from will depend upon the type of incident (for example, whether it has affected your own systems or systems used by suppliers to provide you with services) on how your incident is categorised. You can refer to the NCSC incident categorisation guidance for full details, but in practice:

For the most significant incidents (likely to be categorised as level 2 or 3), you should expect to coordinate with central government, the NCA and NCSC.
For less severe but still impactful incidents (category 4, 5 or 6), the NCSC will typically pass incident details to the National Crime Agency (NCA), who will then task the relevant Regional Organised Crime Unit (ROCU) or local police force to lead any criminal investigation, while NCSC provides guidance. Your ROCU contact may be from a police force that is outside your local area - you can ask for verification if needed.

Expect this to evolve. Not all impacts will be clear at the outset. The categorisation of your incident may change, and you may engage with more or fewer departments as a result.

Support is available regardless of severity. The NCSC and NCA will both be on hand to support with response during this stage.

From NCA – investigation support

The NCA, or the relevant Police Cyber Crime Unit, will support any criminal investigation into the incident. They may offer support by providing advice, guidance, and potentially relevant technical indicators (like IoCs – Indicators of Compromise or TTPs – Tactics, Techniques, and Procedures) to help your technical teams identify, evidence, and mitigate the compromise.

Be prepared to:

share required information promptly to support their investigation (including via third party suppliers where needed)
make relevant council technical resources available to work with law enforcement.

From NCSC – Advice and guidance

The NCSC provides expert advice and guidance to support your response and will work alongside law enforcement efforts where needed (for example, technical advice or communications guidance).

Direct deployment of NCSC technical staff for onsite remediation is highly unlikely. Where NCSC staff are involved directly, this is typically for liaison or specialist intelligence gathering.

Support from MHCLG – Cyber Incident Response Service

This section reflects arrangements for councils in England. Councils in Scotland, Wales, and Northern Ireland should still report incidents to the National Cyber Security Centre (NCSC), but devolved government support, coordination arrangements, and access to incident response services may differ.

MHCLG provides a Cyber Incident Response (CIR) service for English councils, giving access to an NCSC-assured provider to help contain incidents and eradicate threats, reducing disruption to critical systems, and services. This service operates 24/7, ensuring support is available at any time.

MHCLG will assess whether your incident meets the threshold for a severe incident, based on information provided through your NCSC report and the scale of impact (for example, service disruption, data loss, and operational impact).

If the threshold is met:

MHCLG will confirm activation
A CIR provider will contact you, typically within 30 minutes, to begin containment and eradication support.

If the threshold is not met, other advice and support may be provided.

The CIR service covers:

containment – limiting the spread and impact of the incident
eradication – removing the threat actor and addressing vulnerabilities.

Funded support does not include recovery of systems following containment and eradication. Councils can access recovery support through the same provider at their own cost.

If an incident does not meet the activation threshold, MHCLG will still offer guidance and help coordinate support across government. Incidents will continue to be monitored should circumstances change. MHCLG retains the discretion to activate the CIR service if an incident that was initially deemed ineligible escalates over time.

Engaging and support from the LGA

The LGA’s Cyber, Digital and Technology team provides 365-day support to councils responding to cyber incidents. The LGA can support you by:

offering non-technical advice and guidance to help you navigate the response
connecting you with other councils and organisations who have managed similar incidents
providing peer support and coaching through the response
signposting to sector networks, including Warning, Advice and Reporting points (WARPs), for regional intelligence and mutual support.

Working with the ICO

Re-assess whether you need to report. If you have not already, confirm whether the incident involves a notifiable data breach. Reports must be made within 72 hours of discovering a breach that meets the reporting threshold.

Be prepared to engage with the ICO. The ICO may contact you as part of your response. It’s important you promptly provide as much accurate information as you can. The ICO recognises that your understanding of the incident will develop over time, and you can provide further updates as your investigation and recovery progresses.

The actions you can take to manage government engagement and provide reassurance

Establish clear points of contact. Ensure there are clear single points of contact for your organisation’s cyber security leads, Chief Executive and emergency response team so agencies can reach you quickly.
Agree communication and reporting cadences. Set expectations for how often you will provide updates and how engagement with government bodies will be managed. Follow the approach set out in your emergency plans where you can.
Share your response approach. Communicate your priorities and decision making principles to support alignments with partners. See ‘Delivering your services’ for further information.

Stage three: Building confidence through your response (weeks)

Establishing reporting cadences with government

As your response progresses, you are likely to establish regular reporting and meeting cadences with the appropriate government departments and law enforcement agencies. The cadence of these should be suited to how severe the incident is.

Meetings must be set up on secure channels outside of the compromised network, and dependent on the severity of the incident.

Meetings will involve relevant government departments and your local or regional cyber crime unit (ROCU).

These meetings will provide the opportunity to:

update government on the response efforts so far, including service restoration
share SitReps (situational reports)
identify where additional support may be needed.

Use these updates to communicate your priorities and decision-making principles for restoring services (see ‘Delivering your services’ for more information).

Review if wider government engagement is needed

For any cyber incident directly impacting an English local authority, MHCLG will coordinate the central government response, working closely with the Government Cyber Coordination Centre (GC3) and NCSC. MHCLG will also notify other government departments that may have an interest in or be impacted by the incident.

Expect engagement to expand where needed. Relevant government departments may be brought into the response through existing coordination arrangements and may contact you directly. For example, if your benefit system has been impacted by the incident, or if there might be any possibility of movement between your network and theirs, the Department of Work and Pensions could be brought into the response.

Where incidents involve suppliers, government coordination may be led by the department responsible for that sector. For example, incidents affecting adult social care providers may involve the Department of Health and Social Care.

Coordination arrangements in these scenarios are still evolving, so you may be asked to engage with different departments depending on the nature of the incident.

What to expect

Engagement will scale up or down. Depending on the impacts and categorisation of your incident, do not be surprised if communication and reporting change. If the impacts from the incident are well managed, and you have been able to provide some confidence to departments on your response efforts, in may be appropriate to reduce the meeting and reporting cadences.

Conversely, if the impacts of the incident are considered to be national, across the public sector and/or highly significant, you may be asked to attend other meetings with coordinating groups in government. This is for departments across government to support you in responding to the incident.

Stage four: Designing your recovery path (months)

Key contacts

NCSC: report a cyber incident
ICO: Report a breach or call 0303 123 1113 (Monday-Friday, 9am- 5pm).
Report Fraud (NCA reporting): 0300 123 2040 (24/7). Use to report cyber crime by phone.
NCA officer verification: 0370 496 7622 (24/7). Use to verify the identity of an NCA officer. This number is not used for outgoing calls.
LGA (non-technical support): [email protected] (24/7). For advice, peer support and connections across the sector.

Useful resources and case studies

ICO – UK GDPR data breach reporting (DPA 2018)
NCSC – Categorising UK cyber incidents
Find an assured Cyber Incident Response provider – NCSC.GOV.UK
Maintain your council’s contact details with central government using MHCLG’s online service and MyNCSC. This will allow the NCSC Incident Management team to notify the council if a vulnerability and/or suspicious activity is identified via Early Warning.

Cyber incident grab bag: Coordinating with central government and law enforcement

Your key strategic actions

Key contacts

Useful resources and case studies

Highlighted pages

Cyber incident grab bag for local authorities

Cyber incident grab bag: Healthy teaming

Cyber incident grab bag: Informing and supporting

Cyber incident grab bag: Delivering your services

Cyber incident grab bag: Safely restoring technology and systems

Cyber incident grab bag: Protecting data

Cyber incident grab bag: Working with elected members

Cyber incident grab bag: Ensuring your incident response reflects reality

Cyber incident grab bag: Service and situational guidance