Supporting councils with a Cyber Incident Response service 

MHCLG is making a new Cyber Incident Response (CIR) service available to English councils, helping them to respond quickly and effectively to severe cyber incidents. 

This support is part of Local Digital’s Defend as One programme, which aims to help councils address collective cyber threats by encouraging collaboration and knowledge sharing across local government, central government and beyond.  

About the CIR service 

This service provides access to a National Cyber Security Centre (NCSC) assured provider at Enhanced Level, supporting councils during severe incidents.  

By offering this support, we aim to: 

reduce the impact of attacks   speed up containment and recovery  help protect vital services and sensitive data 

We’re working towards a more unified and proactive approach to cyber resilience aligning with the ambitions set out in the Government Cyber Security Strategy. 

How the CIR service works 

The CIR service is available for severe cyber incidents with MHCLG assessing all activation requests and determining eligibility.  

If a cyber incident is severe enough to activate the CIR service, MHCLG will provide a council with: 

funded CIR support for the containment and eradication stages of a qualifying incident  optional recovery support, delivered by the same supplier at an agreed rate funded by the council through our contract 

You can find full details of the CIR service and its available support on our guidance for councils using the service. We recommend familiarising yourself with the offer and incorporating it into your incident response plans where possible.

The CIR service is not a substitute for the measures and preparation councils should have in place for cyber security incidents. Councils remain responsible for their own IT infrastructure and security.  

How to access the service during an incident 

In the event of a severe cyber incident affecting your council’s operations or critical services, you should report it to the NCSC through their reporting portal. You should also report incidents, where appropriate, to: 

the Information Commissioner's Office (ICO)   the National Crime Agency (NCA) or call 0300 123 2040  your regional Warning Advice and Reporting Point (WARP) to support wider threat intelligence sharing within the sector 

NCSC will share reports promptly with MHCLG, who will monitor the reports on a 24/7 basis so we can assess whether the incident meets the threshold for activating the CIR service. If the incident does qualify, you will receive an email confirmation, and the CIR provider will contact you directly to begin support.  

We want your feedback  

We are committed to improving this service. If you have comments, questions or suggestions, please contact us at This email address is being protected from spambots. You need JavaScript enabled to view it. 

Your feedback helps us refine and shape the service to better meet the needs of local government. 

Follow our channels for the latest updates and opportunities:  

LinkedIn   X (formerly Twitter)   Local Digital Newsletter    MHCLG Digital blog   Local Digital website