Incident Notification Helper
Something's happened. Who do you tell, by when, and what do you say?
As a supplier you'll often have a contractual duty to notify your CNI customer of a security incident — sometimes within very tight windows. Knowing whether an event needs reporting, and to whom, is genuinely hard when you're in the middle of it. Describe what happened and this tool tells you whether notification is required, who needs to know, and by when — with a pre-filled draft ready to send.
No statutory-threshold jargon. Just a clear answer when you need it most.
How it works
Three steps from incident description to notification draft, built for speed under pressure.
Describe what happened
Select the type of incident and answer a short set of questions about what systems and data were affected, when the incident occurred, and whether it is still ongoing.
Get your notification obligations
The tool tells you whether notification is likely required, who needs to know, and by when — based on what you've described. No jargon, no statutory thresholds to decode.
Send your pre-filled notification
For each required notification, the tool generates a pre-filled draft you can review and send. The draft is written in the language your recipients expect to see.
Incident types the tool covers
Ransomware or malware attack
Systems encrypted, data held to ransom, or malware spreading through your network.
Data breach or unauthorised access
Personal or sensitive data accessed, copied, or exfiltrated by an unauthorised party.
Phishing or credential theft
An employee clicked a malicious link, submitted credentials, or had an account compromised.
System or service outage
A key system went down, whether due to attack, failure, or accidental misconfiguration.
Physical theft or loss
A device, laptop, or physical media containing company or customer data was lost or stolen.
Third-party or supplier incident
A supplier, sub-processor, or cloud provider you rely on has experienced a security incident.
Who you might need to notify
The tool evaluates each of these notification routes based on what you've described and tells you which apply to your specific situation.
Your CNI customer
Deadline
Typically 24–72 hours from discovery (check your contract)
When it applies
Contractual notification clause triggered
What to know
Most supply chain contracts with CNI operators now include mandatory incident notification. The window is often shorter than you expect.
Information Commissioner's Office (ICO)
Deadline
72 hours from becoming aware of the breach
When it applies
Personal data breach likely to cause risk to individuals
What to know
Only required when personal data is involved and the breach is likely to result in a risk to people's rights and freedoms. Not every incident qualifies, but many do.
National Cyber Security Centre (NCSC)
Deadline
No statutory deadline — report as soon as practical
When it applies
Significant cyber incident affecting UK organisations
What to know
Not mandatory for most SMEs, but strongly recommended for serious incidents. NCSC provides free support and the report helps protect other organisations.
Action Fraud
Deadline
As soon as possible after discovery
When it applies
Financially motivated cybercrime (fraud, ransomware payment)
What to know
The national reporting centre for fraud and cybercrime. Reporting helps build the national picture even when recovery isn't realistic.
Dealing with an incident right now?
Use the wizard to find out who to notify and by when — or talk to our team directly if you need hands-on support.