The Lens

Digital developments in focus


Cyber Updates for Your Radar

It’s been a busy time in the world of cyber. The fallout from Anthropic’s Mythos model continues (see our April blog) with new regulatory AI guidance, and the ICO has continued its cyber-fining streak, while the EU has developed new cyber reporting templates to help organisations.

New AI Guidance

While AI can help improve cyber defences, its ability to accelerate the speed, scale and sophistication of cyber threats has been a focus for the NCSC and regulators alike. We have recently seen a:

  • Warning for organisations to ‘act now’ from the NCSC and other ‘Five Eyes’ security agencies: AI has shifted cyber risk, and organisations must therefore ‘act swiftly to remain ahead’. The guidance recommends organisations take some key actions, including ensuring the ‘core principles’ of: (1) security by design and default; (2) depth of response, since resilience cannot depend on a single solution or technology; and (3) monitoring for new zero-day vulnerabilities as AI systems evolve at pace. This is one of a number of recent NCSC publications on AI and cyber security (see here).

  • ICO blog on AI-powered cyber threats: In this recent blog, the ICO sets out the following five steps organisations should take to combat AI-powered risk:
    1. understand the threat landscape, including AI-enhanced phishing, deepfake social engineering, automated vulnerability scanning and data poisoning;
    2. get the basics right, from solid patching to multi-factor authentication – this is a key message we see throughout the cyber-related guidance and in recent regulatory fines;
    3. restrict access – apply least privilege, audit privileged accounts, and hold third parties to appropriate standards;
    4. improve detection, monitoring and incident response, including by regularly testing your response plan; and
    5. protect personal data – unsurprisingly the data regulator focuses on areas such as data minimisation, regular audits, staff awareness training on AI-powered social engineering, and appropriate AI governance including DPIAs.

The blog is a useful checklist for compliance and security teams. More significantly, it emphasises that to “get the basics right”, organisations must have implemented both the 5 technical controls in the NCSC’s Cyber Essentials scheme and the Cyber Governance Code of Practice.

ICO fines Staffordshire Water (almost £1m)

Following a run of cyber-related fines last year, the ICO last month issued its first cyber fine of 2026. It fined South Staffordshire Plc and South Staffordshire Water Plc a total of £963,900 following a cyber breach caused by basic security failures (phishing, unpatched systems, inadequate monitoring – with endpoint detection covering only 5% of the IT estate, etc.). The personal data of 633,887 individuals was extracted and published on the dark web. Lessons from the fine include:

  • Seriousness of the infringements: The ICO identified long dwell times (over 20 months) and delayed detection as notable factors when deciding to issue a financial penalty.
  • Follow NCSC guidance: It is clear from this, and other fines, that the ICO expects organisations to follow NCSC guidance to satisfy their security obligations under the GDPR (and it is now frequently considered to inform the legal standard of care from an information security perspective). The penalty notice repeatedly references NCSC guidance on preventing lateral movement, device security, and vulnerability management when assessing South Staffordshire's security measures.
  • Post-incident conduct can significantly impact regulatory enforcement: The final penalty (£963,900) was significantly reduced from the starting point of £2,231,250 – partly for proportionality, but also due to South Staffordshire’s conduct, including its:
    • degree of cooperation with the ICO’s investigation, including proactively communicating an admission of infringement during the investigation;
    • proactive engagement with the NCSC and other relevant bodies at the time of the cyber-attack;
    • actions to mitigate the damage suffered by data subjects, including providing affected current employees and notified customers with a free 12-month subscription to a credit monitoring service, setting up a dedicated helpline for customers, and arranging HR surgeries for employees.
  • Settlement procedure in action: The ICO entered into early settlement (prior to a notice of intent being issued). As a result, it applied a 40% settlement reduction at the final stage of the calculation, which aligns with the draft Settlement Procedure set out in its draft enforcement procedural guidance (the consultation for which closed in January).

Incident reporting templates

Finally, across the Channel, the EU has produced a number of reporting templates to simplify incident reporting. We have recently seen a template for breach/incident notification under the GDPR published by the European Data Protection Board (currently subject to public consultation until 5 August 2026), and templates for NIS2 incident reporting published by the NIS Cooperation Group, which comprises EU Member States, the European Commission and ENISA.

The Commission plans to adopt the latter through an implementing act, making them mandatory for all Member States and establishing a unified incident reporting framework across the EU. This is a welcome step given that NIS2 does not have a GDPR-style ‘one-stop shop’ process, so organisations operating across the EU may have to make multiple notifications following an incident. (Note: see our blog on the cyber aspects of the Digital Omnibus for details of other changes expected to the EU's reporting regime, including a single reporting platform.)
