On 17 June 2026 the NCSC's Richard Horne told RUSI his teams had handled more than 200 cyber incidents affecting UK critical national infrastructure and its supply chain in the year to May 2026, with around three-quarters linked to hostile states - Russia, China and Iran. He reframed cyber as a 'contest' rather than a 'risk' and asked every board to focus on three core capabilities. Thirty-six hours later, the DUAA data protection complaints duty switches on for every UK controller. Here is the four-day, 30-day and 90-day plan for UK schools, charities and businesses.
Key takeaways
- The NCSC handled more than 200 incidents affecting UK critical national infrastructure and its supply chain in the year to May 2026, with around 75 per cent attributed to hostile states. The supply-chain piece is what reaches schools, charities and SMBs; act as if it does.
- Richard Horne's three-capability frame from RUSI on 17 June 2026 - understand your exposure, build defences on proven fundamentals, recover quickly - is the cleanest free checklist for boards of any size. Turn each into a one-page artefact and put both on the next board pack.
- The DUAA Section 164A complaints duty goes live on Friday 19 June 2026 with no transition window. If the public-facing complaints page is not live by Thursday evening, it needs to go live on Friday morning before anything else.
- Patch the Microsoft June 2026 Patch Tuesday wave this week. The Outlook and Word preview-pane remote code execution flaws (CVE-2026-45456, CVE-2026-45458, CVE-2026-47635) are the priority on every desktop and laptop; Hyper-V hosts go in the same week.
- Move the cyber and data protection conversation from quarterly to monthly, at least until the autumn. Horne's 'contest' framing is not rhetoric; it is a description of cadence.
On Tuesday 17 June 2026, the chief executive of the National Cyber Security Centre stood up at the Royal United Services Institute in Whitehall and reframed the conversation. Richard Horne told the audience that, in the year to May 2026, the NCSC had handled more than 200 cyber incidents affecting the UK's critical national infrastructure and the supply chains that underpin it, and that around three-quarters of those incidents were linked to hostile states — Russia, China, Iran. He argued that the language of "risk" had become inadequate, and that what is actually happening now is a contest: a contest of capability, of performance, of the will to keep raising the bar because the adversary is doing exactly the same. By 2028, he said, it is highly likely that AI-enabled offensive tooling will be used against the legacy systems still running underneath much of the country's infrastructure.
Thirty-six hours after that speech, the new data protection complaints duty under Section 164A of the Data Protection Act 2018 — inserted by Section 103 of the Data (Use and Access) Act 2025 — switches on for every UK controller, large and small, with no carve-outs for charities, schools or small businesses. It is the hardest, most universal statutory date in the UK data protection calendar this year, and it lands the morning after the NCSC chief told every board in the country that the threat picture has changed shape.
For ReadyToday's audience — schools and multi-academy trusts, charities, small and medium businesses and the IT teams behind them — both of those events land at the foot of the same supply-chain pyramid. The hostile-state attacks Horne described rarely arrive through the front door of a primary school, a 25-staff charity or a four-vehicle plumbing firm. They arrive through the systems those organisations depend on: the MIS supplier, the payroll provider, the CRM platform, the booking engine, the council that processes the school's free-school-meals data. The complaints that those same parents, donors and customers will be entitled to lodge under the DUAA from Friday morning are how the consequences come back upstream.
What follows is the practical version of those two events: what the speech actually said, what the duty actually requires, and the four-day, 30-day and 90-day plan to land both on the same page.
What Horne actually said, in plain English
Three things from the RUSI lecture are worth pulling out for a non-policy audience.
The first is the number. Two hundred-plus incidents affecting critical national infrastructure and its supporting ecosystem, in the twelve months to the end of May 2026. "Supporting ecosystem" is the phrase that matters: the supplier that sells the diagnostic kit to the hospital, the MSP that patches the council's firewalls, the small software house that built the bolt-on module the university uses to extend its student records system. The 75 per cent state-attributed share is not an estimate of the whole country's cyber-risk picture; it is the share of those critical-infrastructure incidents the NCSC adopted as nationally significant. The headline rate has held roughly steady since Horne first disclosed it last October. What has changed is who is doing them.
The second is the reframe. Treating cyber as a "risk" implies a quantifiable thing to be capped and insured against. Treating it as a "contest" implies a moving target — what was good enough last year is not good enough this year because the other side has spent the intervening twelve months getting better. For a school IT lead or a 12-staff charity, the practical version is that the cyber position cannot be put on a calendar and re-checked annually. It needs at least a quarterly cadence and, on the days when there is a major patch wave or a major incident in the news, a daily one.
The third is the to-do list. Horne addressed every board and every executive in every organisation, not just the regulated few. He asked them to focus on three core capabilities. Understand your exposure — what data you hold, what systems hold it, what suppliers can reach it. Build defences using proven security fundamentals — patching, multi-factor authentication, sensible identity controls, backups. And make sure the organisation can continue to operate, and recover quickly, after an attack. None of those is new. The novelty is that the NCSC chief said them in those words from a Whitehall stage three days before the DUAA duty goes live and twelve days after a 13-school council, a 1,500-pupil secondary and a 35,000-student university were all hit in the same ten-day window.
That window is the one the previous post covered. <a href="/resources/blog/three-uk-education-cyberattacks-duaa-friday-2026-what-schools-charities-smbs-should-do">Three UK education cyberattacks</a> — Powys, Great Marlow School and the University of Nottingham — landed between 4 June and 12 June, with ShinyHunters' pre-authentication Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8) as the technical thread through the last of them. Horne's RUSI speech is the strategic frame around that operational picture. The supplier-cascade story <a href="/resources/blog/gchq-moment-of-consequence-2026-what-uk-schools-charities-smbs-should-do">GCHQ's Annual Lecture</a> sketched out at Bletchley Park on 27 May has now been given a number — 200 incidents, 75 per cent state-linked — and a more pointed verb, "contest".
What goes live on Friday morning
Section 164A turns the moral expectation that organisations will deal with complaints from data subjects into a statutory obligation with five operative parts. A controller has to facilitate complaints (a public-facing route a member of the public can find and use), accept them by any route it offers, acknowledge each one within 30 days, investigate without undue delay, and give a clear outcome with a written note of the right to escalate to the Information Commissioner and the ICO's contact details. There is also a record-keeping requirement; six years is a defensible default in the absence of a statutory minimum.
The detail of what the public-facing page has to contain, and the sample acknowledgement language, is in <a href="/resources/blog/data-protection-complaints-19-june-2026-what-uk-schools-charities-smbs-should-do">the post from a fortnight ago</a>. None of that has changed since the ICO updated its final guidance on 8 May 2026; the only thing that changes on Friday is that the duty starts running. A 1,400-pupil school, a five-trustee charity and a three-employee plumbing business all have the same obligation in the same form. The ICO has signalled a measured approach during the initial transition; it has not signalled a grace period.
The next four days
Three jobs need to be finished before close of business on Thursday 18 June, or first thing on Friday 19 June if Thursday slips.
The complaints page is the one to land first. Public URL, electronic form plus at least one alternative route, named owner, acknowledgement template, log, and a brief for the people who answer the phone and the inbox so that a complaint that arrives by phone gets logged the same way as one that arrives by form. Put the link on the footer of every page on the site, not just the privacy notice. <a href="/resources/blog/ncsc-passkeys-april-2026-what-uk-schools-charities-smbs-should-do">Phishing-resistant authentication</a> on the inbox and on any administrator account that can read the complaints log is the next control to stand up; that inbox is now, by statute, a high-value target.
The second job is the Microsoft June 2026 Patch Tuesday wave, released on 10 June. Around 200 fixes, three publicly disclosed zero-days and a critical cluster of preview-pane remote code execution flaws in Outlook and Word. If a school laptop, a charity desktop or a small-business workstation has not picked up the June patch level, that is the priority. Patch any Hyper-V host in the same week. The Windows HTTP Protocol Stack and Remote Desktop Client fixes belong in the same wave.
The third job is a one-question written check with the IT provider: does anything in our stack, or in our key suppliers' stacks, run Oracle PeopleSoft or PeopleTools? Most ReadyToday-audience organisations will not. PeopleSoft is enterprise HR and finance, and it sits behind universities, large councils, big charities and mid-market businesses. But the question — and the supplier-cascade pattern it stands in for — is the one to put in writing while the news cycle is still fresh.
The next 30 days
By mid-July the goal is to have two artefacts in the board pack and one exercise in the diary.
The first artefact is a one-page exposure map: the data you hold, the systems that hold it, the suppliers that can reach it, and a named owner for each. Horne's first capability — understand your exposure — rendered into something a charity trustee or a school governor can read in five minutes. That map is the input to <a href="/resources/blog/cyber-resilience-pledge-2026-what-uk-smbs-charities-schools-should-do">Action 1 of the Cyber Resilience Pledge</a>: board-level cyber ownership.
The second is a one-page resilience plan: how you keep operating with the email system gone (the Great Marlow lesson), the MIS down (the Powys lesson) or the student records system taken (the Nottingham lesson). Who calls who in the first 60 minutes, where the printed contact list lives, the manual fallback for the routines that depend on the systems most likely to be hit.
The exercise is a 30-minute tabletop. Pick one of the three June incidents as the worked example, walk the first 24 hours, model the new statutory complaints route end-to-end, and time the acknowledgement. Cheap rehearsal beats expensive improvisation, and the tabletop forces the question of who owns the complaints log when the named owner is on annual leave.
Sign the organisation up to the NCSC Early Warning service if it is not already, and put Cyber Essentials renewal on the calendar.
The next 90 days
By mid-September the routines need to be invisible.
Put a standing quarterly number on the board pack: complaints received, average days to acknowledge, number escalated to the ICO, themes, and a one-line note on supplier incidents touched in the quarter. The same dashboard carries the supplier-due-diligence cadence: top five suppliers reviewed, key questionnaire rows refreshed, contractual incident-notification times confirmed.
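As an added illustration of that standing quarterly number (and of the "time the acknowledgement" step in the 30-day tabletop), the following script is example code written for this post, not part of the post itself or any ICO tooling. It assumes a complaints log with the fields shown, a quarter running 1 July to 30 September 2026, and a constructed set of sample complaints; the 30-day acknowledgement window is the one the post describes for Section 164A. It computes complaints received, average days to acknowledge, complaints still unacknowledged or past the 30-day window, the number escalated to the ICO, and a theme tally, which is the row the board pack asks for.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Statutory acknowledgement window under Section 164A, as described in the post.
ACK_DEADLINE_DAYS = 30


@dataclass
class Complaint:
    ref: str
    received: date
    route: str                       # "form", "phone", "email", "letter"
    theme: str
    acknowledged: Optional[date]     # None while still unacknowledged
    outcome_sent: Optional[date]     # None while still open
    escalated_to_ico: bool = False


def days_to_acknowledge(c: Complaint, as_of: date) -> int:
    """Days from receipt to acknowledgement; for an unacknowledged complaint,
    days elapsed so far as of the reporting date."""
    end = c.acknowledged if c.acknowledged is not None else as_of
    return (end - c.received).days


def acknowledgement_breached(c: Complaint, as_of: date) -> bool:
    """True if the acknowledgement went out late, or if the 30-day window has
    already passed with no acknowledgement sent."""
    return days_to_acknowledge(c, as_of) > ACK_DEADLINE_DAYS


def quarterly_dashboard(log, quarter_start: date, quarter_end: date, as_of: date) -> dict:
    """Build the board-pack row for complaints received in the quarter."""
    in_quarter = [c for c in log if quarter_start <= c.received <= quarter_end]
    acked = [c for c in in_quarter if c.acknowledged is not None]
    avg_ack = (round(sum(days_to_acknowledge(c, as_of) for c in acked) / len(acked), 1)
               if acked else 0.0)
    return {
        "received": len(in_quarter),
        "by_route": dict(Counter(c.route for c in in_quarter)),
        "average_days_to_acknowledge": avg_ack,
        "unacknowledged": [c.ref for c in in_quarter if c.acknowledged is None],
        "acknowledgement_breaches": [c.ref for c in in_quarter
                                     if acknowledgement_breached(c, as_of)],
        "awaiting_outcome": [c.ref for c in in_quarter if c.outcome_sent is None],
        "escalated_to_ico": sum(1 for c in in_quarter if c.escalated_to_ico),
        "themes": Counter(c.theme for c in in_quarter).most_common(),
    }


# Constructed sample log (hypothetical complaints, not real data). C-005 was
# received before the quarter and is excluded from the quarterly figures.
SAMPLE_LOG = [
    Complaint("C-001", date(2026, 7, 3), "form", "marketing emails",
              acknowledged=date(2026, 7, 5), outcome_sent=date(2026, 7, 20)),
    Complaint("C-002", date(2026, 7, 15), "phone", "subject access delay",
              acknowledged=date(2026, 8, 20), outcome_sent=None, escalated_to_ico=True),
    Complaint("C-003", date(2026, 8, 28), "phone", "data shared with third party",
              acknowledged=None, outcome_sent=None),
    Complaint("C-004", date(2026, 9, 10), "email", "marketing emails",
              acknowledged=date(2026, 9, 12), outcome_sent=date(2026, 9, 25)),
    Complaint("C-005", date(2026, 6, 20), "form", "CCTV footage",
              acknowledged=date(2026, 6, 22), outcome_sent=date(2026, 7, 1)),
]


def demo() -> dict:
    """Dashboard for Q3 2026, reported on 1 October 2026."""
    return quarterly_dashboard(SAMPLE_LOG, date(2026, 7, 1), date(2026, 9, 30),
                               date(2026, 10, 1))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The breach check deliberately counts a complaint that is still unacknowledged once 30 days have elapsed, so the dashboard surfaces the bank-holiday phone complaint nobody logged rather than hiding it until someone gets round to acknowledging it; the average is taken over acknowledged complaints only, with open ones listed separately so a long-running breach does not get averaged away.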
Add new rows to the supplier questionnaire after the June 2026 news cycle. Which enterprise systems sit behind the supplier's service to you. When they were last patched. Whether the supplier has run an indicator-of-compromise sweep for CVE-2026-35273 across the 27 May to 9 June 2026 window. Whether AI features default on or off in the products the supplier sells you. The <a href="/resources/blog/agentic-ai-ncsc-five-eyes-2026-what-uk-schools-charities-smbs-should-do">agentic AI post from May</a> explained why those defaults are now a procurement question.
The Cyber Security and Resilience Bill, which cleared its Commons third reading on 10 June and moves to the Lords this summer, is the regulatory backdrop. Most ReadyToday-audience organisations will not be in direct scope but will be in the Bill's supply-chain shadow, because regulated buyers will start pushing its due-diligence expectations down their procurement chains long before Royal Assent. The Pledge is the cleanest free checklist for staying ahead of that cascade.
A second tabletop in late August closes the loop on the DUAA process. Three plausible complaints — one bundled with a subject access request, one arriving by phone on the August bank holiday, one from a former employee. Walk each end to end. Fix what bent before the autumn term.
Why this matters more this week than last
The Friday morning after an NCSC keynote of this size is the morning when both the regulator and the threat actors are watching the same calendar. The ICO will start receiving complaints escalations from organisations whose Section 164A processes exist only on paper. The threat actors will keep running the playbook that produced Powys, Great Marlow and Nottingham. And the boards that hear the message Horne sent on Tuesday will be the ones whose IT leads get the email asking for a one-page status by Monday.
Five practical takeaways.
- The NCSC handled more than 200 incidents affecting UK critical national infrastructure and its supply chain in the year to May 2026, with around 75 per cent attributed to hostile states. The supply-chain bit is the piece that reaches ReadyToday-audience organisations; act as if it does.
- Horne's three-capability frame — understand your exposure, build defences on proven fundamentals, recover quickly — is the cleanest free checklist for boards of any size. Turn each capability into a one-page artefact and put both on the next board pack.
- The DUAA complaints duty goes live on Friday 19 June 2026 with no transition window. If the public-facing page is not live by Thursday evening, it needs to go live on Friday morning before anything else.
- Patch the Microsoft June 2026 wave this week. The Outlook and Word preview-pane remote code execution flaws are the priority on every desktop and laptop; Hyper-V hosts go in the same week.
- Move the cyber and data protection conversation from quarterly to monthly, at least until the autumn. The contest framing is not rhetoric; it is a description of cadence.
If you would like a second pair of eyes on the complaints page, the patch position and the supplier list before Friday, that is exactly the kind of short, time-bounded job our <a href="/services/cybersecurity-resilience">cybersecurity and resilience</a> work is built for. A <a href="/contact/discovery">30-minute discovery call</a> will get you a one-page plan that covers the next four days, the next 30 days and the next 90 days.