A minister at the FCDO has indicated that, while overall levels of attacks requiring the GCHQ agency’s response have declined in 2025, the higher tiers of incident have risen markedly

In the past 10 months, there has been a twofold increase in the number of “nationally significant incidents” requiring the intelligence services to manage the response at a UK-wide level, a minister has claimed.

According to Jake Doughty, a junior minister at the Foreign, Commonwealth and Development Office, since September 2024, the National Cyber Security Centre has “managed more than 200 incidents”. As an overall figure, this appears to represent a marked reduction from the 2023/24 year, during which the NCSC led the response to 430 incidents during the 12 months to the end of August last year.

With less than two months to go of 2024/25, the circa-200 figure for the year to date also seems likely to come in significantly below the 355 and 371 incidents requiring NCSC-led response in 2021/22 and 2022/23, respectively.

But the year-to-date figure 2025 “includes twice as many nationally-significant incidents as the same period a year ago”, Doughty said.

The NCSC’s website indicates that, after the top-tier category of “national cyber emergency”, comes two further classes of attack for which the agency is always required to lead the response; highly significant; and significant incidents.

Related content

• NCSC head warns of fundamental ‘contest for cyberspace’ as annual report shows 44% hike in most serious incidents
• MoJ cyber strategy sets plan to appoint security SRO for all IT systems and create unified staff identity system
• New GDS-led cyber ops will be ‘more interventionist’

The former is defined as a “cyberattack that has a serious impact on a large organisation, or poses a considerable risk to central government or UK essential services”, while the less serious classification is applied to a “cyberattack which has a serious impact on a large organisation or on wider/local government, or which poses a considerable risk to central government or UK essential services”.

The fourth tier of attack – “substantial incidents” – may see the NCSC lead the incident response, or this may be managed by law-enforcement agencies. The response to lower-tier “moderate” or “localised” incidents will always be led by law enforcement, rather than the NCSC – which is part of GCHQ.

“The cyber threat picture in the UK is diverse,” said Doughty, who was responding to a written parliamentary question from Conservative MP Blake Stephenson. “Cybersecurity incidents can be reported into several different agencies within the UK depending on the type and severity of the incident. The UK’s National Cyber Security Centre provides practical, expert guidance tailored to help businesses of all sizes build resilience against evolving cyberthreats. NCSC also addresses a wide range of national cyber threats, from protecting citizens against online harm to responding to major cyber incidents. I recently met with NCSC colleagues to discuss the trends in threats and attacks and how we ensure high levels of resilience.”