On The Effectiveness of the UK NIS Regulations as a Mandatory Cybersecurity Reporting Regime

📅 2026-03-19
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses the lack of empirical evaluation of mandatory cybersecurity reporting regimes, a gap caused primarily by the scarcity of data on cyberattacks against critical infrastructure. For the first time, it integrates official incident reports submitted in 2024 under the UK's Network and Information Systems (NIS) Regulations with intelligence data from the National Cyber Security Centre. Through cross-source comparison and systematic event classification, the research assesses the coverage effectiveness of the NIS Regulations. Findings reveal that the regulations capture only approximately 25% of significant cybersecurity incidents. Notably, in the healthcare sector, all reported incidents involve ransomware, whereas alternative intelligence sources indicate that espionage activities are more prevalent, highlighting substantial blind spots in the current reporting mechanism.

📝 Abstract
Existing cybersecurity literature lacks a source of empirical, representative data as to the true nature of cyberattacks on Critical National Infrastructure. We have obtained UK-wide data on incidents reported under the Network and Information Systems (NIS) Regulations in 2024 causing "a significant impact on the continuity" of essential services and comparator data from intelligence agencies. We find that 29% of NIS reports already concern cybersecurity incidents. As the UK Government seeks to extend cybersecurity reporting, we find the NIS Regulations are limited in their effectiveness; whilst our requests revealed 30 cybersecurity incidents reported under the NIS Regulations, there were 89 incidents classified as "highly significant and significant" captured by the National Cyber Security Centre in the 2024 reporting year. Whereas 36% of Cybersecurity and Infrastructure Security Agency reported attacks concerned espionage, from NIS data we find 100% of NIS-reportable cyberattacks concerning healthcare systems in England in 2024 were ransomware.
Problem

Research questions and friction points this paper is trying to address.

cybersecurity reporting
Critical National Infrastructure
NIS Regulations
cyberattacks
empirical data
Innovation

Methods, ideas, or system contributions that make the work stand out.

mandatory cybersecurity reporting
NIS Regulations
critical national infrastructure
ransomware
empirical incident data