Government crest UK Ministry of Housing, Communities and Local Government (MHCLG)

Go to Local Digital homepageALPHA

Laying the foundations for better local public services

Guidance for councils using the Cyber Incident Response service

The Ministry of Housing, Communities and Local Government (MHCLG) provides a Cyber Incident Response (CIR) service to support English councils experiencing severe cyber incidents. 

The service gives councils access to an NCSC-assured provider to help contain and eradicate threats, reducing disruption to critical systems and public services. 

This service is part of our Defend as One programme, which supports local government to strengthen cyber resilience through collaboration and shared expertise. 

 

When to use the CIR service 

The CIR service is designed for severe cyber incidents that significantly disrupt a council’s operations, critical services, or data integrity. 

MHCLG assesses all activation requests to confirm whether they meet the threshold for CIR support. 

 

Eligibility  

The service is available to all councils in England. 

Using the service is not mandatory. Councils remain responsible for their own IT infrastructure, security, and risk management. 

 

Reporting an incident 

If your council experiences a cyber incident: 

  1. Report it to the National Cyber Security Centre (NCSC) via their incident reporting portal.
  2. You should also notify, where relevant:
  • the Information Commissioner’s Office (ICO) 
  • the National Crime Agency (NCA) on 0300 123 2040 
  • your regional Warning, Advice and Reporting Point (WARP) for threat intelligence sharing 

When the NCSC receives a report, it shares details with MHCLG to assess whether the incident meets the CIR activation threshold. MHCLG monitors reports on a 24/7 basis. 

 

Activation and response 

If the incident meets the threshold, MHCLG will confirm activation by email.

The CIR provider will contact the council within 30 minutes of notification to begin containment and eradication support.

 

What’s included 

 

Funded phases

  • Containment: limiting the spread and impact of the incident on systems, data, and services
  • Eradication: removing the threat actor and mitigating exploited vulnerabilities

Optional phase (council-funded)

  • Recovery: restoring systems to a secure, operational state following containment and eradication

The service operates 24/7, ensuring support is available at any time.

 

Data sharing and confidentiality

Incident information will be shared only with relevant bodies to enable an effective and coordinated response.

These may include:

  • MHCLG
  • NCSC
  • Government Cyber Coordination Centre (GC3)
  • other impacted government organisations

Before activation, councils must sign a Memorandum of Understanding (MoU) confirming their agreement to data-sharing and post-incident reporting requirements. This will be sent via email from the provider. 

 

Providers 

The CIR service is delivered by two NCSC-assured providers with extensive experience supporting local government, KPMG and Accenture.

 

Post-incident reporting

After the incident concludes, councils will receive a post-incident report detailing:

  • the nature and impact of the incident 
  • actions taken
  • recommendations and lessons learned

These reports help strengthen local cyber resilience and inform MHCLG’s ongoing support for the sector. They will also be shared with MHCLG, the National Cyber Security Centre and the Government Cyber Coordination Centre (GC3).

 

Support for lower-severity incidents

If an incident does not meet the activation threshold, MHCLG will still offer guidance and help coordinate support across government. Incidents will continue to be monitored in case circumstances change. 

Contact

For questions or advice about the service, email [email protected].

 

Report a cyber incident

Report a Cyber Incident – NCSC

Related information