The NCSC is the UK’s technical authority for tackling cyber threats. It is part of the Government Communications Headquarters (GCHQ) which has a statutory responsibility to provide advice and assistance on cryptography and other matters relating to the protection of information to the armed forces, other organisations and the public. The ICO is the UK’s independent regulator empowered to take a regulatory action under a number of UK statutes and regulations including the Data Protection Act 2018, UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PEC) and the Network and Information Systems Regulations 2018 (NIS Regulations). It has a wide range of statutory duties to monitor and enforce these laws including the power to administer fines for breach.

The ICO and the NCSC have signed an MOU, to be reviewed every two years, establishing a framework for cooperation and information sharing, to assist each in discharging their functions. The MOU is a statement of intent and is not legally binding.

The MOU includes commitments by both to work together on the development of cyber security standards and guidance and a commitment by the NCSC to support the ICO, in connection with the ICO performing its regulatory work, in assessing and influencing improvement in cyber security of regulated organisations.

The MOU contains an information-sharing commitment including the NCSC sharing relevant cyber threat information with the ICO (e.g. assessments of companies within scope of the NIS regulations) and the ICO sharing information about cyber incidents with the NCSC (both on an anonymised and aggregated basis, and on an organisation-specific basis where appropriate) to assist the NCSC in its functions. The MOU states that NCSC will not share information with the ICO unless it has consent from the relevant organisation to do so, and neither will share unless it is permitted by law. Finally, when both parties are engaged in managing a cyber security incident, they will seek to coordinate their work to the extent reasonably practicable and appropriate to minimise disruption to the organisation’s efforts to contain and mitigate harm. Specifically, the ICO will increasingly continue to recognise and incentivise engagement with the NCSC on cyber security matters and will consider whether it can be more specific on how engagement with the NCSC on cyber incidents might be factored into its calculation of any regulatory fines.

For more information and to access the MoU, click here.