Incident reporting and what regulators really mean by ‘show me’

Cyber Resilience 9 July 2026

When organisations talk about regulatory compliance, the conversation often centres on policies, controls, and frameworks. In practice, regulatory scrutiny increasingly plays out in a very different way.

When disruption occurs, whether through a cyber incident, system failure, or third-party outage, regulators focus less on what was designed to happen, and more on what actually did happen.

Their attention turns to awareness, judgement, and control: how quickly issues were identified and understood, how decisions were made as information evolved, and whether services were managed effectively under pressure.

This article looks at what regulators now mean when they ask organisations to ‘show me’ and the practical areas they examine when incidents are reviewed in detail. If you’d like some background on why this change has taken place, we have written a separate post on operational resilience and the shift from policy to proof.

Having recognised the shift from policy-led assurance to evidence-led scrutiny, the next question organisations face is a practical one: what do regulators look at when they ask an organisation to ‘show me’?

Incident reporting now plays a central role in this process because it provides regulators with a structured timeline of how organisations behaved during disruption. Increasingly, incident reporting is not treated as a standalone administrative task. It is viewed as evidence of organisational communication and decision-making capability.

Across supervisory reviews and post-incident examinations, five consistent areas of focus emerge time and time again.

1. You can detect disruption early enough to matter

When incidents are reviewed after the fact, regulators pay close attention to the starting point: when did the organisation become aware something was wrong?

Detection is not limited to cyberattacks. It includes system failures, data issues, third-party outages, and unexpected service degradation. What matters is not whether alerts existed in principle, but whether disruption was recognised early enough to influence outcomes.

In practice, scrutiny often centres on:

  • How issues were first identified
  • Whether early warning signs were missed or discounted
  • How quickly concerns were escalated beyond technical teams

Delayed awareness frequently becomes a root cause, particularly where early indicators existed but were not acted upon.

Incident reporting requirements increasingly reflect this emphasis on awareness and escalation. Regulators are looking beyond whether incidents were eventually reported. They are examining whether organisations recognised the significance of issues early enough to take meaningful action.

This can expose important weaknesses in operational visibility. In some cases, alerts are generated but buried within excessive noise. In others, teams identify concerns but lack confidence around escalation thresholds or reporting responsibilities.

These issues become particularly significant during fast-moving incidents where timing directly influences impact. A delay of several hours in recognising a compromise, escalating a supplier outage, or identifying unusual activity can dramatically alter the outcome.

From a regulatory perspective, incident reporting is therefore closely tied to situational awareness. Organisations are increasingly expected to demonstrate that monitoring, escalation, and communication arrangements support early recognition of disruption rather than delayed reaction.

2. You can make clear, evidenced decisions under pressure

Once disruption is recognised, attention quickly shifts to decision-making.

Post-incident scrutiny often focuses less on what ultimately happened, and more on why specific decisions were taken at key moments. Regulators are interested in whether judgements were proportionate at the time, based on the information available, and whether those judgements can still be explained months later.

Common questions include:

  • Why was this issue escalated when it was?
  • Why was it reported, or not reported, to regulators and/or customers?
  • Who made the call, and on what basis?
  • What information was missing, delayed, or assumed?

Decisions do not need to be perfect. They do need to be reasoned, recorded, and defensible under pressure.

Good incident reporting is not simply about submitting notifications to external authorities. It is about maintaining a reliable record of evolving information, assumptions, actions, and decision rationale throughout an incident.

When regulators conduct post-incident reviews, they frequently reconstruct timelines in detail. They examine how information moved through the organisation, when leadership became involved, and how communication evolved as understanding improved.

Where evidence is fragmented or inconsistent, organisations often struggle to explain why particular actions were taken. This can create the impression that decisions were reactive, poorly coordinated, or unsupported by appropriate governance.

By contrast, organisations that maintain clear records during disruption are usually better positioned to demonstrate proportionate judgement. Even where outcomes were imperfect, evidence of structured thinking, and timely escalation often carries significant weight.

Incident reporting expectations are therefore becoming increasingly aligned with broader resilience objectives. Regulators want organisations to show that reporting processes support awareness and accountability rather than functioning purely as compliance obligations.

3. You can continue critical services during disruption

Regulators are not assessing organisations on their ability to prevent all incidents. The focus is on whether important services were maintained, degraded in a controlled way, or restored within realistic timeframes.

This scrutiny draws a clear distinction between aspirational recovery objectives and response arrangements that have been tested under conditions resembling real disruption.

In post-incident reviews, regulators often ask:

  • What workarounds existed?
  • Were continuity and recovery plans invoked or adapted?
  • Did teams understand service priorities in practice?
  • Were recovery actions taken because they were rehearsed, or because they were improvised under pressure?

This is where business continuity and disaster recovery testing becomes critical evidence. Regulators are looking beyond the existence of BCP and DR documentation and focusing on whether those arrangements have been exercised in a way that reflects plausible scenarios, including loss of systems, reduced staff availability, and third-party failure.

Testing is assessed on whether escalation routes were understood, recovery assumptions were realistic, and decision authority functioned as intended.

Where continuity and recovery arrangements have not been tested, or where testing did not lead to change, organisations often struggle to show that actions taken during a real incident were considered and proportionate.

In contrast, organisations that have regularly exercised disruption can explain not just what they did to restore services, but why those actions were taken, and why they were defensible at the time. A credible demonstration of resilience places far more weight on what was achievable in the moment than on what was documented beforehand.

4. You can manage third-party disruption as your own problem

One of the most significant changes in recent years is how third-party incidents are treated. Failures originating with suppliers are no longer viewed as external inconveniences. Instead, they are examined as integral parts of the organisation’s own resilience.

Regulators increasingly explore:

  • How well dependencies were understood before the incident
  • How quickly suppliers provided meaningful information
  • Whether contractual or operational arrangements supported timely escalation
  • How supplier delays affected internal decisions and recovery

Where information from third parties is late, incomplete, or informal, organisations are often challenged on how those gaps were handled and what assumptions were made in the meantime.

This area is becoming increasingly important as organisations continue relying on interconnected digital services, outsourced providers, and shared infrastructure.

Incident reporting expectations increasingly extend into supplier relationships because regulators recognise that organisations cannot separate themselves from the operational realities of their third-party ecosystem. This creates practical challenges for many organisations.

Supplier communication during incidents is often inconsistent. Updates may be delayed, incomplete, or overly technical. In some cases, suppliers themselves are still attempting to understand the scale of the disruption while customers are already facing pressure from regulators and stakeholders.

Regulators are interested in how organisations manage this uncertainty. They want to understand whether supplier escalation pathways were effective, whether contingency arrangements existed, and how decisions were made despite incomplete information.

This means organisations need visibility not only into their own incident response capability, but also into how suppliers communicate and recover during disruption.

5. You can demonstrate learning, not just closure

The final test comes after services are restored. Regulators expect to see evidence that incidents have led to tangible improvement, whether that is changes to escalation pathways or recovery planning.

Post-incident reports that simply describe what happened carry limited weight. What matters is whether the organisation can show that insight has been converted into action. This is another area where incident reporting has evolved significantly.

Historically, organisations sometimes treated incident closure as the end of the process. Once services were restored and immediate issues resolved, reporting obligations were considered complete. Today, regulators increasingly view post-incident learning as a core part of resilience maturity.

Regulators want to see whether incidents influenced future decision-making, whether weaknesses were addressed, and whether lessons were embedded into operational practices.

This often includes examining:

  • Whether root causes were properly understood
  • Whether recovery assumptions were challenged
  • Whether governance gaps were addressed
  • Whether testing and exercising improved afterwards
  • Whether leadership engagement changed as a result

In many ways, this reflects the wider shift from compliance to capability. Incident reporting frameworks in the UK are now encouraging organisations to view disruption as a source of operational insight rather than an isolated event to document and close.

Taken together, these areas reveal the practical meaning of ‘show me’ and how regulatory scrutiny now operates in practice.

For leaders, the implication is clear. Preparedness is no longer demonstrated by what exists on paper, but by how the organisation behaves when disruption occurs and whether those actions can still be explained and defended once the pressure has passed.

How can Net-Defence help?

As regulatory expectations continue evolving, organisations are being assessed on how they behave during disruption, not simply on whether policies and controls exist on paper. That creates a growing need for resilience strategies.

At Net-Defence, we support organisations in strengthening the operational foundations that regulators increasingly expect to see in practice. This includes helping businesses improve incident reporting processes, enhance monitoring, exercise continuity and recovery arrangements, and so much more.

If your organisation would benefit from sense-checking its current approach to incident reporting or post-incident preparedness, now is the right time to start that conversation before scrutiny arrives after the event. Get in touch today.

Further reading:

Defence, protection, security. We've got you covered.

Whether you need to enhance your approach to cyber threats, overhaul your IT infrastructure or improve your communications, we’re here to help and advise. Talk to a specialist today and take the next step towards being a stronger, more resilient business.

Speak to us today

Need support? Take Control.

The button below is to be used when instructed by our technical support team. This will allow a file to be downloaded to your device for them to take control and help solve the issues you are having.

ND Take Control

exe · 7.70MB

Please note: only to be used when instructed by a member of our support team. Windows devices only.