Stricter reporting requirements put pressure on companies’ incident response plans

Executive summary 

  • The UK’s proposed Cyber Security and Resilience Bill, the EU Digital Operational Resilience Act, and other regulatory frameworks are mandating stricter incident reporting requirements.

  • While the trend is towards stricter incident reporting requirements, significant complexity remains due to differences across regulatory frameworks, including variations in reporting criteria, timeframes, and penalties for non-compliance.

  • Strict incident reporting obligations reflect concern that cyber incidents are inevitable in today’s threat landscape, shifting focus from prevention towards response, recovery, and resilience. 



In April 2025, the UK Government released additional information on its proposed Cyber Security and Resilience Bill (CSRB) [LINK]. 

Early attention focused on key themes such as expanded regulatory oversight, new executive powers for the Government, and the inclusion of additional entities – such as data centres and managed service providers (MSPs) – under the definition of critical infrastructure [LINK].

However, the proposed changes to cyber incident reporting are significant and may have been overshadowed by the headline developments. The proposals will impact a wide range of organisations including those newly brought into scope. 

The proposed changes to incident reporting

Under the proposed changes, the scope of a reportable incident would be expanded. Whereas the UK Network and Information Systems (NIS) Regulations 2018 required a reportable incident to have actually disrupted the continuity of an essential service [LINK], the new proposals shift the test to an incident's potential to cause significant impact [LINK]. Incidents that were contained before any service disruption occurred, but which could have caused one, would therefore become reportable, which significantly expands the scope.

The timeframe and reporting obligations for regulated entities would also be tightened. Organisations would be required to inform both their regulator and the UK National Cyber Security Centre (NCSC) within 24 hours of becoming aware of a significant incident, with a more detailed report required within 72 hours [LINK]. 

This represents a significant change from the current NIS framework: the initial reporting window shrinks from 72 to 24 hours, and the list of required recipients expands to include the NCSC in addition to the sector-specific regulator. Digital service providers and data centres would also be required to inform customers who may suffer a second-order impact from an incident. 

These changes are significant in comparison to the relatively conservative proposals in the rest of the bill. More entities will be required to report a wider scope of incidents, within tighter timeframes, and to multiple authorities. 

What are other regulations mandating for incident reporting?

The CSRB is not an isolated case; several major regulatory frameworks now impose strict incident reporting obligations, and the overall regulatory trajectory appears to be moving towards increasingly stringent requirements. The table below compares requirements across multiple frameworks. 

Each framework is listed with its incident report time frame, report recipients, and scope of a reportable incident.

EU Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554 (in force 2023; applicable from 17 January 2025)
  • Incident report time frame: initial notification within 4 hours of classifying the incident as major, and no later than 24 hours after initial awareness; intermediate report within 72 hours of the initial notification; final report no later than one month after the intermediate report.
  • Report recipients: the relevant competent authority; clients, where a major incident affects their financial interests.
  • Scope of a reportable incident: "an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions".

Dutch Cyberbeveiligingswet (Cbw), 2025 (Dutch transposition of NIS2)
  • Incident report time frame: initial notification without delay and in any event within 24 hours after initial awareness; intermediate report may be requested by the CSIRT or the relevant authority; final report no later than one month.
  • Report recipients: the relevant competent authority; the designated computer security incident response team (CSIRT); recipients of services, where a significant incident interrupts those services.
  • Scope of a reportable incident: every significant incident, i.e. one that "causes or could cause a serious operational disruption of services or financial losses for the entity".

EU Network and Information Security (NIS2) Directive, Directive (EU) 2022/2555 (in force 2023; transposition deadline 17 October 2024)
  • Incident report time frame: early warning within 24 hours after initial awareness; incident notification within 72 hours of awareness of the incident (not of the early warning); final report within one month after the 72-hour incident notification.
  • Report recipients: the relevant competent authority; the designated CSIRT.
  • Scope of a reportable incident: an incident that "has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned".

UK Prudential Regulation Authority (PRA) CP17/24 (consultation published December 2024; responses under assessment as of July 2025)
  • Incident report time frame: initial report within 24 hours of awareness that an incident meets a reporting threshold; intermediate report upon a significant change in circumstances; final report within 30 working days, or 60 where justified.
  • Report recipients: the relevant competent authority (the PRA).
  • Scope of a reportable incident: "Firms may use their existing internal processes to determine the scale and potential impact of an incident and assess whether it meets the thresholds for reporting".

EU General Data Protection Regulation (GDPR), applicable since May 2018
  • Incident report time frame: within 72 hours of becoming aware of a personal data breach.
  • Report recipients: the competent supervisory authority; affected individuals, where the breach is likely to result in a high risk to their rights and freedoms.
  • Scope of a reportable incident: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Saudi Arabia Personal Data Protection Law (PDPL), 2021
  • Incident report time frame: within 72 hours of becoming aware of a personal data breach.
  • Report recipients: the Saudi Data and AI Authority (SDAIA).
  • Scope of a reportable incident: "any unauthorised or accidental disclosure, access, alteration, or loss of personal data, whether in electronic or physical form".

The table indicates a trend toward shorter timeframes for initial notification of reportable cyber incidents. Regulations such as the EU's DORA and the Dutch Cbw mandate an initial notification within 24 hours of awareness, and DORA can require it sooner still (within 4 hours of classifying an incident as major). A 24-hour initial notification is becoming the standard benchmark across these regulations. 

In parallel, a three-stage reporting process is becoming standardised in both EU and UK regulatory frameworks, reflecting a growing demand from regulators for more detailed and continued insight into the nature of incidents and the corresponding incident response measures. 

Mirroring the CSRB, other regulatory frameworks are expanding the range of entities to whom cyber incidents must be reported. This typically includes both the relevant competent authority and the designated CSIRT. 

The requirement that entities should inform service recipients or clients if a significant incident is likely to disrupt their operations has been mandated by the most recent European regulations, such as the Dutch Cbw and the EU’s DORA. Given the UK’s historical tendency to align with EU cyber regulation, it is likely that similar obligations will be introduced in the UK. Several high-profile cyber incidents in the UK retail sector originating from third-party providers may increase urgency around the adoption of such requirements [LINK, LINK].

Why are regulators mandating stricter incident reporting requirements?

The changes are intended to provide regulators and the NCSC with more accurate and timely intelligence about the evolving threat landscape. In 2025 the UK Government described a 'generational challenge' arising from rising geopolitical tensions. The assertive posturing of China and Russia and policy inconsistency in the US are heightening the risk of open conflict [LINK]. 

Central to the escalating threat environment is the growing use and effectiveness of disruptive cyber campaigns. Adversarial states are increasingly partnering with non-state actors and proxies to pursue aggressive, strategic objectives below the threshold of conventional war, facilitating persistent and systemic confrontation while maintaining plausible deniability. Rather than targeting typically well-defended government or military assets, state and non-state cyber actors are targeting ‘soft targets’ in the private sector and civil society, intending to impose costs on governments by targeting their populations directly [LINK]. 

The shift in regulations implicitly acknowledges that cyber incidents are perceived as an inevitability; in 2023 UK businesses experienced approximately 8.58 million cyber crimes of all types [LINK]. Regulatory pressure is underlining that organisational focus must increasingly transition beyond preventative measures and focus more on resilience and recovery: business as usual approaches are no longer tenable [LINK].


TYBURN RECOMMENDATIONS

At Tyburn St Raphael, we specialise in countering evolving cyber and hybrid threats to risk-sensitive organisations. Our experts come from UK government, military, and academic backgrounds. We provide training designed to build best security practice through impactful exercises for businesses, and we provide tailored cybersecurity solutions. 

We recommend:

Establish clear internal guidance on applicable cyber regulations

  • Organisations should clarify their regulatory requirements, including identifying unique and overlapping requirements imposed by different frameworks. 

Ensure incident response plans are compliant with regulatory changes

  • Incident response reporting obligations are becoming increasingly stringent, but differences persist in the specifics of reporting requirements. Incident response plans must be updated regularly to ensure compliance in this changing environment.

Stress test the effectiveness of incident response plans with exercises

  • Exercising not only strengthens incident response plans, but is also increasingly a regulatory obligation in itself. Expert guidance can provide tailored advice to maximise the benefit gained from mandated exercising. 
