Terms and Conditions

  1. Status of this Agreement

    1. By accepting the following terms and conditions ("Terms and Conditions"), including any applicable Service-Specific Terms as defined in Clause 3.4 below (together the "Agreement") the individual doing so is entering into a legally binding contract on behalf of the organisation that individual represents, unless that organisation is a Central Government Body, in which case the Agreement operates as a non-legally binding memorandum of understanding.
    2. The individual entering into this Agreement represents that they have the authority to bind the organisation they represent to these Terms and Conditions, or that such organisation has otherwise agreed to the Agreement through its authorised representative. As such, use of the term "you" and "your" shall mean such organisation. Where one of your representative uses the Online Services (as defined below) on behalf of a third party organisation, such use shall remain your responsibility.
    3. If the individual accepting these terms does not have such authority, or if the relevant organisation does not otherwise agree with the terms of these Terms and Conditions, such individual or organisation must not use or access the Online Services. This Agreement takes effect on the earlier of when one of your representatives clicks to accept the Terms and Conditions when presented with the opportunity to do so, or when your representative uses the Online Services.
    4. Clause 21 of the Agreement defines certain defined terms used within the Agreement and the corresponding definitions to those terms. Additionally, for the purposes of this Agreement all references in this Agreement to "access" or "accessing" of the Online Services shall be a reference to access and/or use of any or all of the Online Services.
    5. Please note that if there is any conflict between these Terms and Conditions and any of the Service-Specific Terms, the Terms and Conditions shall take precedence.
  2. About the NCSC

    1. The Secretary of State for Foreign, Commonwealth and Development Affairs acting through the National Cyber Security Centre (the "NCSC") which is part of the Government Communications Headquarters ("GCHQ"), is a source of independent advice and assistance from government on protecting information and information systems.
    2. The aim of the NCSC's advice and assistance is to improve the security of the United Kingdom. One of the ways that the NCSC achieves this aim is by provision of various Online Services (as further described in this Agreement).
    3. The NCSC is not a separate legal entity to GCHQ and contracts on behalf of and for the benefit for GCHQ as a whole.
    4. All references in this Agreement to "we", "our" or "us" shall be construed as references to the NCSC.
  3. The Online Services

    1. This Agreement applies to both your accessing of the Online Services through the End Users, along with any advice and/or assistance that we may give to you as a result of or in connection with such access.
    2. Our advice and/or assistance may include written reports and any other advice we provide you verbally, in writing or electronically in connection with you accessing the Online Services.
    3. Our activities connected with the provision of the Online Services are intended to enable us, as the National Technical Authority for cyber, to better understand, and to advise and assist in detecting, managing and preventing, attacks against UK computer networks and systems.
    4. The following online services (collectively, the "Online Services") may be made available to you by the NCSC to you on the basis that you accept the Terms and Conditions:
      • the website portals made available to you by or on behalf of the NCSC to enable access to or in connection with the Cyber Defence Service set out in the next sub-clause;
      • the products, services and/or materials and outputs that may be made available under the following brands (the "Cyber Defence Services"):
        • Early Warning;
        • Exercise in a Box - subject to "Service-Specific Terms - Exercise in a Box";
        • Mail Check - subject to "Service-Specific Terms - Mail Check";
        • Protective Domain Name Service - subject to "Service-Specific Terms - Protective DNS"; and
        • Web Check - subject to "Service-Specific Terms - Web Check".
    5. The NCSC may alter and/or supplement this list of Online Services and the Service-Specific Terms from time to time when new Online Services become available. Not all of the Cyber Defence Services may be available to your organisation and as a result may not present on the website portals.
  4. End User Access and Organisations

    General Access of End Users

    1. To gain access to the Online Services, representatives of your organisation must first apply for login credentials from the NCSC. Following creation of an account, all End Users will be able to get limited access to the web portals making Cyber Defence Services available. Cyber Defence Services may be made available to End Users:
      • through the NCSC's MyNCSC platform (the "MyNCSC Platform") which enables End Users to access the Cyber Defence Services and utilise the functionality provided by the MyNCSC Platform once the End User has requested permissions from your Admin who will be responsible for granting specific access to the Cyber Defence Services on your behalf in accordance with the remainder of this Clause 4; or
      • by following a link or entering a direct URL End Users may be able to access some of the Cyber Defence Services without being an Admin and without requesting permissions from an Admin and where they do so such use is subject to Clause 4.4 below.
    2. MyNCSC - Appointing Admins

      The first time that the NCSC grants access to the Cyber Defence Service(s) via the MyNCSC Platform to a representative claiming to act on your behalf, that individual shall become an End User with elevated rights (an "Admin"). The NCSC shall be entitled to carry out verification procedures and processes to establish that the Admin is or is reasonably likely to be authorised to act on behalf of your organisation, and may request that you or the relevant individual shall provide such information and assistance to the NCSC as is requested by the NCSC. The NCSC shall, in its absolute discretion, be entitled to withhold access to one or any of the Cyber Defence Services until such times as the NCSC, in its absolute discretion, is satisfied that the relevant Admin is or is reasonably likely to be authorised to act on behalf of the relevant organisation.
    3. Once the Admin is approved by the NCSC, Admins are responsible for managing End Users access to the Cyber Defence Services via the MyNCSC Platform on your organisation's behalf within the capability of the Online Services (a "Member"). An Admin may allow another End User to become another Admin with equivalent rights to grant permissions on your behalf. Admins acknowledge that the NCSC may share their email address with individuals who have applied for access to MyNCSC where they are from the same organisation as the Admin. The NCSC may do this where it considers it reasonable to facilitate the registration of new End Users.
    4. Where an End User accesses the Online Services but without either becoming an Admin for your organisation or being granted access by a relevant Admin, they access those services on your behalf. Where more than one of your representatives accesses the Online Services in this way, they will each be asked to confirm acceptance of this Agreement on your behalf.
    5. MyNCSC - Managing Access

      Admins may at any time alter the access permissions of their relevant Members.
    6. You shall ensure that End Users hold and maintain, for the duration of them being granted permission access to the Online Services, sufficient authority to access and use the Online Services on your behalf. Should this position change you must notify the NCSC or require that your Admin promptly change or remove the relevant permissions of an End User.
    7. Should you become aware that an End User has breached this Agreement, you shall promptly revoke their permission(s) to access the Online Services on your behalf and inform the NCSC as soon as reasonably practicable.
    8. Nothing in this Agreement shall be construed as an acceptance of responsibility by the NCSC for identifying or verifying that the individual applying for the login credentials is a representative of your organisation with the necessary authority to enter into this Agreement on your behalf.
    9. The NCSC may, at its sole discretion and at any time, refuse to provide one or more of your representatives with access to the Online Service. The NCSC reserves the right, at its absolute discretion, to deactivate any accounts used by End Users and/or remove your (or an End User's) access to any or all of the Online Services at any time and for any reason.
  5. General Terms of Use

    1. In consideration of the NCSC granting you access to the Online Services and, among other things, the NCSC being able to collect the information outlined in Clause 11, both the NCSC and you agree to be bound by the terms of this Agreement. Should you not agree to any of these terms, you must not access the Online Services and must inform the NCSC.
    2. Use of the Online Services must at all times comply with the AUP set out in Clause 6.
    3. Save where otherwise approved by the NCSC, the login credentials, specifically any password or other unique access code, used to access the Online Services must not be disclosed to anyone but the End User to whom they concern. You must notify us immediately upon becoming aware of any breach of security or unauthorised use of any End User login credentials.
    4. You shall ensure that the Online Services are only deployed internally within your organisation and, where relevant, on or directed to I.T systems that you either own or have sufficient rights of use over.
    5. You shall ensure that you comply with the terms of this Agreement, and shall ensure that all End Users are aware of these Terms and Conditions and are in turn responsible for End User compliance with these Terms and Conditions
    6. The NCSC reserves the right, at its absolute discretion and without notice, to modify, suspend or terminate operation of or access to the Online Services, to modify or change the Online Services and/or to interrupt the operation of the Online Services as necessary to perform maintenance, error correction or other changes.
    7. This Agreement shall remain in force until terminated by either the NCSC or you in accordance with its terms.
    8. You acknowledge that the Online Services are provided on a non-exclusive basis.
  6. Acceptable use policy

    1. You are responsible for ensuring that any use of the Online Services on your behalf complies with the acceptable use policy set out in this Clause.
    2. You must only use the Online Serivces for lawful purposes. You may not use the Online Services or submit Content via or in connection with your accessing the Online Services in any way:
      • that breaches any applicable local, national or international law or regulation;
      • that is unlawful or fraudulent, or has any unlawful or fraudulent effect;
      • is damaging to the NCSC or another third party;
      • that could harm the Online Services or impair another use of them;
      • that violates the contractual, personal, intellectual property or other rights of another party; and
      • to assist a third party to do any of the above.
  7. Responsibility for your own security

    1. You are ultimately responsible for the security of your own I.T. systems and data. You should monitor and assess your security independently to your use of the Online Services. You acknowledge that:
      • by providing the Online Services, the NCSC is not taking responsibility for the security of your I.T. systems; and
      • as the owner or licensee of your I.T. systems and data, you are best placed to assess and manage the business risks to you if your security is compromised and to decide how to protect yourself. You are also best placed to appreciate the wider implications of any advice and assistance you may receive from use of the Online Services for the rest of your business.
  8. Term and termination

    1. The terms and conditions of this Agreement shall continue to apply until terminated by the NCSC or you in accordance with its terms.
    2. The NCSC may, at its absolute discretion, terminate this Agreement at any time without prior notice and/or revoke your or any End Users access to any or all of the Online Services.
    3. You may request that the NCSC revoke your access to the Online Services, close any or all of your End User accounts, and/or remove permissions associated with your account by contacting the email address provided in Clause 18.1.
    4. Subject to Clause 8.5 below, this Agreement shall terminate when the NCSC confirms in writing that all of your accounts have been closed.
    5. Any provision of this Agreement that is expressly or by implication intended to come into or continue in force on or after expiry or termination shall so continue, including without limitation the provisions of Clauses 2, 3, 8, 9, 10, 11, 12, 13, 14, 15, 16, 19 and 20.
  9. Disclaimer

    1. The NCSC does not warrant that access to the Online Services will be uninterrupted or error free, that defects will be corrected, that the Online Services or the servers that make it available are free of viruses or that the Online Services are fully functional, accurate and/or reliable.
    2. The Online Services are provided on an "As Is" and "As Available" basis. The Online Services are provided without warranties of any kind, whether express or implied.
    3. The NCSC's objective is to use our knowledge and position to provide organisations with independent cyber security advice and assistance from government. By entering into this Agreement you agree that, subject to Clause 9.6 below, neither the NCSC nor any of its employees, advisers or agents shall be liable to you or any third party for any loss, claim, damages or expense arising out of or in connection with this Agreement, whether direct, indirect or consequential, and whether this liability arises in tort, contract, by statute or otherwise. This exclusion includes (without limitation) losses, claims, damages and/or expenses caused by the negligence of the NCSC or any of its employees, advisers and agents. This exclusion also includes wasted management or office time and loss or damage incurred in connection with access to or inability to access the Online Services.
    4. Any advice or assistance that you receive from us under this Agreement is intended for your use only. If you share such advice or assistance with any third party in contravention of these terms, you acknowledge and accept that you are responsible for any direct or indirect liabilities that may arise as a result of you doing so.
    5. Subject to Clause 9.6 below, the NCSC and its employees, advisers and agents separately and expressly exclude all and any loss of or damage to your business or your market share; loss of or damage to your reputation; loss of profits or anticipated profit; loss of anticipated savings and/or damage to goodwill and/or costs of dealing with regulators and fines from regulators (in each case, whether direct or indirect) and for any and all indirect, special or consequential loss.
    6. Nothing in this Agreement affects the NCSC's liability for:
      • death or personal injury arising from its negligence,
      • its liability for fraud or fraudulent misrepresentation; or
      • any other liability which cannot be excluded or limited under applicable law.
  10. Reasonableness of Disclaimer

    1. For the avoidance of any doubt, we are setting out the basis upon which we consider the disclaimer set out above to be reasonable. If you disagree with any of these matters, you must not access the Online Services. The factors to which we draw particular attention are as follows:
      • the basis on which we provide you with advice and/or assistance, access to the Online Services, the limits to our role and your overall responsibility for security, as set out above;
      • the fact that you are not obliged to access the Online Services and that your access to the Online Services is granted free of charge;
      • the fact that we do not and cannot have the detailed knowledge of risks and exposure of your business, nor of your information and systems, that you have;
      • the fact that you can and should be taking advice and considering protection measures entirely independently of us; and
      • the fact that you are in a position to protect yourself from business risks by taking appropriate commercial actions including limiting your own liability as appropriate and/or taking out insurance.
  11. Information and records

    1. You agree that the NCSC may gather and retain:
      • logs of where you access the Online Services, which may contain information belonging to you;
      • information you make available to us in order to facilitate the operation of the Online Services;
      • information that is produced by you accessing the Online Services; and
      • where provided to us by you, contact details for representatives within your organisation, together the "Information".
    2. You agree and acknowledge that the NCSC may retain and use the Information in accordance with its policies and in order to carry out its statutory functions as set out in the Intelligence Services Act 1994, including but not to be limited to the following uses:
      • identifying and mitigating against cybersecurity threats;
      • identifying and analysing vulnerabilities in software and hardware;
      • providing, monitoring use of and improving the services offered by us; and
      • publishing the Information on an aggregated, anonymised basis; and
      • sharing with other parts of government, public sector bodies, and relevant third-parties to enable the same.
    3. Where you make Information available to the NCSC in connection with the Online Services you:
      • warrant and represent that you have sufficient rights to grant the licence set out in Clause 12 below; and
      • acknowledge and accept that you do so on the basis that such Information shall be governed by a TLP Marking of "Green".
    4. You agree and acknowledge that the terms of this Clause 11 shall apply to Information both collected from the date that you accept the terms of this Agreement and to Information previously collected by the NCSC.
  12. Intellectual Property

    1. Nothing in this Agreement affects the ownership of any intellectual property rights in material that you or the NCSC already own at the date you accept these terms.
    2. The Online Services and any material generated as a result of you accessing the Online Services is, unless stated otherwise, is Crown copyright. Unless the NCSC indicates that certain Crown copyright content may be available for use under a different arrangement, you may use or reuse the content in the Online Services without prior permission but must adhere to and accept the terms of the latest version of the Open Government Licence for public sector information. Where you do so, you must acknowledge the source of the content and include a link to the Open Government Licence wherever possible. Authorisation to reproduce a third party's copyright material must be obtained from the copyright holders concerned.
    3. You are not permitted to use the NCSC logos displayed in the Online Services under the terms of the Open Government Licence, and the NCSC's consent must be obtained prior to any use of the NCSC logos.
    4. Save for where the Organisation is a Central Government Body, you grant the NCSC a non-exclusive, worldwide, royalty-free, transferable, perpetual, and irrevocable licence to use, re-use, copy, adapt, and modify, for any purpose, any Content that you directly or indirectly provide or otherwise make available to us as a result of or in connection with you accessing the Online Services.
  13. Marketing and Publicity

    1. The NCSC (or other Central Government Bodies or other organisations on our behalf) may, from time to time, contact you using the contact details associated with the user account(s) through which you access the Online Services, to provide you with information we think will be of interest, to inform you about other NCSC or wider products, services or initiatives that we think may be of interest to you.
    2. Should an individual within your organisation no longer wish to receive these on your behalf they should contact enquiries@ncsc.gov.uk to inform us of this.
    3. Except where the NCSC gives written consent, you must not use the NCSC's name or branding in any promotion, marketing or announcement.
  14. Data Protection

    1. Subject to anything to the contrary in any of the Service-Specific Terms (where relevant in relation to a particular Online Service) the NCSC and you separately acknowledge and agree that to the extent it processes any personal data for the purposes of this Agreement or for the provision or receipt of the Services (as the context requires), it is a separate independent controller (as that term is defined in the data protection legislation). As such, each party is separately and independently responsible for its own compliance, at its own expense, with the requirements of all legislation and regulations in force from time to time relating to the use of personal data and the privacy of electronic communications in connection with this Agreement, including (i) the Data Protection Act 2018 and any successor UK legislation, as well as (ii) the UK General Data Protection Regulation (as defined in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018, (iii) the EU General Data Protection Regulation ((EU) 2016/679 as amended)(where applicable) and (iv) the Privacy and Electronic Communications Regulations (each as may be updated from time to time) any other directly applicable UK or European Union regulation or directive relating to data protection and privacy (and in the case of the latter, for so long as and to the extent that the law of the European Union has legal effect in the UK).
    2. When the NCSC receives Personal Data on an independent controller basis under this Agreement, the NCSC is satisfied that receipt of the Personal Data is in accordance with its performance of its statutory functions under the Intelligence Services Act 1994 and is in accordance with Section 4(2) of that Act.
    3. For the avoidance of doubt, the NCSC is subject to Part 4 of the Data Protection Act 2018. The NCSC treats personal data in accordance with the privacy notices published on its website at https://www.ncsc.gov.uk/.
    4. The NCSC Cookies Policy as updated from time to (https://www.ncsc.gov.uk/section/about-this-website/cookie-policy) applies to the website portals referred to in Clause 3.4(a).
    5. The NCSC may share your name and email address with others within your organisation for security, audit, and/or account administration purposes.
  15. Data Handling and TLP Marking

    1. Information made available to you through your use of the Online Services may be marked with a traffic light protocol marking (a "TLP Marking") to indicate how the information must be handled. Where material has a TLP Marking, you must adhere to the handling conditions such a marking imposes.
    2. The following table below details the handling conditions that various TLP Markings require:
    Colour When should it be used? How may it be shared
    TLP:RED Not for disclosure, restricted to participants only. Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.
    TLP:AMBER Limited disclosure, restricted to participants' organisations. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organisations involved. Recipients may only share TLP:AMBER information with members of their own organisation, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.
    TLP:GREEN Limited disclosure, restricted to the community. Sources may use TLP:GREEN when information is useful for the awareness of all participating organisations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organisations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.
    TLP:WHITE Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
  16. Freedom of Information

    1. The NCSC is exempt from the disclosure provisions of the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Where the Freedom of Information Act 2000 is applicable to you, if you receive an information request relating to the NCSC or to information supplied by us, please do not respond to it and inform the NCSC as soon as possible at ncscinfoleg@ncsc.gov.uk.
  17. Hyperlinks

    1. Where the Online Services contain links to other websites, these links are provided for information only. Unless explicitly stated, linking should not be taken as endorsement by the NCSC of any kind. The NCSC has no control over the content of those sites and accepts no responsibility for them or for any loss or damage that may arise from their use.
  18. General

    1. Any notice or communication to be given to the NCSC under this Agreement must be in writing and sent to enquiries@ncsc.gov.uk.
    2. The NCSC may, in its absolute discretion, vary this Agreement. You should check this Agreement frequently to see whether it has been updated. By continuing to access the Online Services (through any End Users), you agree to be bound by the revised terms. If a revision to this Agreement is material (to be determined by the NCSC), the NCSC will provide 30 calendar days' notice to End Users prior to any new terms taking effect.
    3. You acknowledge and accept that the NCSC may use third-parties to provide all or part of the Online Services.
    4. Should you not agree to any revision made to this Agreement in accordance with Clause 18.2 above you must stop, and ensure that your End Users stop, using the Online Services immediately and seek to terminate this Agreement in accordance with Clause 8.3.
    5. This Agreement constitutes the entire agreement between us in relation to your accessing of the Online Services. You acknowledge that you have not relied on any statement, promise, representation, assurance or warranty made or given by or on behalf of us which is not set out in these terms and that you shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this Agreement.
    6. No failure or delay by the NCSC in exercising any of its rights under this Agreement shall operate as a waiver of such rights, nor shall any single or partial exercise preclude any further exercise of such rights. Any waiver by the NCSC of its rights will not be effective until it is delivered to you in writing.
    7. A person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any provision of the Agreement.
    8. Each party shall be solely responsible for any and all costs incurred by it (or by its agents, servants or other third-parties acting on behalf of the party) directly, indirectly or as a consequence of this Agreement.
  19. Disputes

    1. Subject to Clause 19.2, the NCSC may elect to have any claims or disputes with you resolved by way of confidential arbitration in front of a single arbitrator who shall be a Queen's Counsel agreed by the parties or, failing agreement, appointed by the chairman of the Commercial Bar Association.
    2. If you are a Central Government Body, in the event that the dispute or claim is not resolved by negotiation, the dispute or claim shall be progressively escalated upwards through an appropriate suitable escalation route within the NCSC and the Central Government Body until it is resolved.
  20. Governing law

    1. This Agreement and any dispute or claim (including non-contractual dispute or claims) arising out of or in connect with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
    2. Subject to Clause 20.1 above, you agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) that arises out of or in connection with the Agreement or its subject matter or formation.
  21. Definitions

    1. The following definitions apply to the capitalised terms used in this Agreement. Words in this Agreement importing the singular meaning include, where the context so admits, the plural meaning and vice versa:
    "Admin" has the meaning given to it in Clause 4;
    "Asset" means a domain, URL, IP address, endpoint, I.T asset and/or system which an organisation claims ownership or some other form of authorised interest in within MyNCSC as a preliminary to subscribing it to an Online Service so that the NCSC can assess or otherwise operate on it;
    "AUP" means the acceptable use policy set out in Clause 6;
    "Central Government Body" means a body that is part of the Crown and includes Government Departments, Non-Ministerial Departments or Executive Agencies as defined in the Public Sector Classification Guide, as published and amended from time to time by the Office for National Statistics.
    "Content" means any material or information made available to us by an End User;
    "Cyber Defence Services" has the meaning given to in it in Clause 3.4(b);
    "End User" means any individual that directly or indirectly accesses and/or makes use the Online Services on your behalf. For the avoidance of doubt, and where relevant, this includes Admins and individuals to whom an Admin has granted permission to access and/or make use of the Online Services on your behalf;
    "External User" means an End User who is not an employee , onsite contractor, or onsite agent of yours or your affliates;
    "Information" has the meaning given to it in Clause 11;
    "Member" has the meaning given to it in Clause 4;
    "Online Services" has the meaning given to it in Clause 3.4; and
    "TLP Marking" has the meaning given to it in Clause 15.

Service-Specific Terms- Exercise in a Box

  1. The following service-specific terms and conditions shall apply in addition to the Terms and Conditions of this Agreement where you use Exercise in a Box (‘EiaB').

General Terms

  1. EiaB provides users with a variety of "simulation" and "table top" cyber security exercises that are designed to test the user's mitigation and response abilities, and provide an indicator of overall maturity.
  2. Under the "simulation" exercise, users may download an HTML file which is intended to imitate the ability of hosted malicious software to communicate across the internet. The exercise is designed to test the user's ability to locate the file on their internet-facing ICT systems. The NCSC has taken reasonable efforts to ensure that running the HTML file should have no adverse effect on user's ICT systems and will make the HTML file's source code available to all users. Further information about what this HTML file does can be found on the website alongside the simulator itself. We encourage you to review the simulator's HTML file/ source code before deciding to run it on your system as you retain sole responsibility for deciding whether to deploy the file on your ICT systems.
  3. Under the "table top" exercises, the NCSC will provide users with realistic but hypothetical and non-exhaustive scenarios (such as cyber-attacks), which are designed to test users' decision-making processes and prompt discussion.
  4. Upon completion of the exercises, users will be prompted to complete a questionnaire, which will be made available to the user and retained by the NCSC for trends analysis purposes.
  5. The materials provided to you by us as a result of your access to and use of EiaB (the "EiaB Materials") may be updated by us periodically. We recommend that you periodically check to see whether the EiaB Materials that you are using are the latest versions.

Intellectual Property Rights

  1. The EiaB Materials are copyright of the Crown. The EiaB Materials are licenced to you on the following basis:
    • you may use EiaB Materials internally within your organisation as far as is reasonably necessary for you to successfully deliver the EiaB exercises within your organisation and to assess and improve your cyber security practices (the ‘Purpose');
    • where you reasonably deem necessary, you may share the EiaB Materials with your third party suppliers and advisors who require access to the EiaB Materials for you to fulfil the Purpose. You must make such third-parties aware of the terms of this licence, make sure that they do not onwardly disclose the EiaB Materials, and ensure that following conclusion of their involvement in the Purpose, they do not retain copies of or access to any of the EiaB Materials;
    • you may print out the EiaB Materials;
    • you must not modify the paper or digital copies of any EiaB Materials you have printed off or downloaded in any way, and you must not use any illustrations, photographs, video or audio sequences or any graphics separately from any accompanying text;
    • our status (and that of any identified contributors) as the authors of the EiaB Materials must always be acknowledged; and
    • you must not use any part of the EiaB Materials for commercial purpose.
  2. Where you submit written responses to us as part of the EiaB exercises (the "Submissions"), you grant us a non-exclusive, worldwide, royalty-free, transferable, perpetual, and irrevocable licence to use, re-use, copy, adapt, and modify the Submissions for any purpose.

Service-Specific Terms- Mail Check

  1. The following service-specific terms and conditions shall apply in addition to the Terms and Conditions of this Agreement where you use any or all of the products, services and/or materials that are made available under the branding "Mail Check" ("Mail Check").
  2. The Mail Check service is designed to assist users in configuring their email services to use email security protocols including TLS, DMARC, SPF, and DKIM.
  3. Mail Check collects data in the following ways:
    • Online look-ups: The NCSC will query the public Domain Name System (DNS) for records associated with secure email and attempt to connect to e-mail servers and initiate a secure communication (although the NCSC will not actually send e-mail). The information exchanged as part of this communication will tell the NCSC whether your mail servers support the secure exchange of e-mail using Transport Layer Security (TLS). If they do not, Mail Check helps you take steps to avoid e-mail being sent unencrypted over the internet.
    • DMARC reporting: The NCSC will work to understand whether your domains are implementing anti-spoofing controls, including DMARC. If anti-spoofing controls are not implemented well, through Mail Check, the NCSC aims to advise you on how to correctly configure those controls. Depending on how you configure your DMARC records, you can allow the NCSC to receive DMARC reports on your domains. These reports include statistical data and can also include redacted copies of spoofed or legitimate e-mails, depending on the DMARC configuration and what the email service provider sends in their DMARC reports.
  4. Data may be retained to support users in configuring their systems, and to enable the NCSC to conduct analysis in support of its mission.
  5. The NCSC may further develop Mail Check at any time and its features are subject to change. You should frequently check here to determine the current stated functionality of Mail Check to determine whether you wish to continue using the service.
  6. As Mail Check is under active development, the NCSC encourages you to provide it with any feedback that you may have on the service. The NCSC may use such feedback along with other data it collects from your use of Mail Check to further develop Mail Check. Feedback should be provided to mailcheck@digital.ncsc.gov.uk.

Service-Specific Terms- Protective DNS

  1. The following service-specific terms and conditions shall apply in addition to the other terms and conditions of this Agreement where you use any or all of the products, services and/or materials that are made available under the branding "Protective DNS" or "PDNS" ("PDNS").
  2. For the avoidance of doubt, the NCSC may use contractors who act on its behalf to provide and administer the PDNS.

What is DNS?

  1. Users access information online through domain names (e.g. NCSC.gov.uk). Web browsers interact through Internet Protocol (IP) addresses. The Domain Name system translates domain names to IP addresses so browsers can load Internet resources.
  2. The PDNS offers a digital roaming service that allows for the PDNS to be deployed to devices that don't connect to the internet via a centralised network managed by your organisation.

Outline of PDNS

  1. The NCSC PDNS uses a range of government, commercial and community sources to identify malicious content.
  2. If users try to access a domain name or IP address that is flagged as hosting malicious content then the PDNS attempts to prevent them from doing so.
  3. The PDNS is not an arbiter of taste or decency it is designed to protect users from sites containing known malicious content.
  4. The NCSC PDNS is a resolver only, so organisations can use the service without moving your existing internet DNS records.


  1. The PDNS will attempt to block access to IP addresses and domain names which are believed to be associated with malware or other threats. Notwithstanding this, the NCSC provides no guarantee as to the effectiveness or reliability of the PDNS, that the PDNS will function in the way intended, nor that all malicious domain names and IP addresses will be successfully blocked.
  2. Where the PDNS roaming service is deployed on your devices, limited personal data (such as I.P. addresses or device identifiers) may be gathered from the device making use of the service. You shall ensure that those who use your devices have been suitably informed of the processing concerned and shall direct such users to the NCSC's privacy notice at (https://www.ncsc.gov.uk/section/about-this-website/privacy-statement). You acknowledge and accept that the PDNS roaming service shall not be deployed until such steps have been taken. You shall provide written confirmation that you have taken such steps along with supporting evidence on request.
  3. The NCSC is not responsible for any third party content that you may access over the internet via the PDNS.
  4. Domains/ IP addresses that you ask to be allowlist must meet the following criteria:
    • III. they are the IP address/range of IP addresses that your organisation will use to connect to the service; and
    • IV. they are domains or IP addresses that are part of your organisations critical infrastructure.
  5. The NCSC recommends as best practice that all organisations have backup DNS provisioning for failover in the event of an outage across a primary provider.
  6. The NCSC is not responsible for issues encountered through incorrect configurations of the PDNS. Support is available upon request to help configure the PDNS correctly.

Service-Specific Terms- Web Check

  1. The following service-specific terms and conditions shall apply in addition to the other terms and conditions of this Agreement where you use any or all of the products, services and/or materials that are made available under the branding "Web Check" ("Web Check").

What Web Check does

  1. The NCSC has designed Web Check to perform precise testing of website security. Web Check is designed to minimise the volume of traffic it will send to websites when carrying out tests. Web Check will indicate what its scanning reveals about vulnerabilities and/or suboptimal configurations that affect the websites in question.
  2. The NCSC uses information from a range of sources in order to provide Web Check, and as those sources are liable to change on a frequent basis, the result of each query that is provided by the NCSC must only be considered valid at the time it is provided.
  3. Scans are limited to those which:
    • address a number of common threats to web security;
    • can be automated to give reliable, unambiguous results; and
    • are design to impose a low load on and not damage the scanned site.


  1. You can manage the Assets that you want to run Web Check on by subscribing them to Web Check in a MyNCSC Asset portfolio or Web Check watchlist. Once an Asset has been subscribed, the Web Check services will continue to run automatically until you unsubscribe or delete that Asset. You accept that Web Check shall continue to run automatically on all subscribed Assets. It is your responsibility to unsubscribe or delete Assets should you no longer wish for Web Check to run on them.
  2. You must only subscribe Assets to Web Check that you are the owner of and/or have the requisite authority to run tests such as Web Check on and where you subscribe an Asset, you warrant and represent that this is the case. You further warrant that your use of Web Check on the Assets you have subscribed will not infringe the rights of any third-parties.
  3. Should at any point you no longer own and/or have the authority to run Web Check on a subscribed Asset in your MyNCSC Asset portfolio or Web Check watchlist, you must unsubscribe or delete it as soon as reasonably practicable and in any event no later than 48 hours after such ownership or authority ceases to exist. Should, for any reason, you not be able to comply with the obligations of this paragraph, you must provide reasons why by notifying the NCSC in accordance with Clause 18.1 of the Terms and Conditions before the expiry of the 48-hour period.
  4. You are solely responsible for assessing any output information you receive from Web Check including but not limited to results, analysis, and indicators and for determining the weight you put on such outputs when determining the security and suitability of the Assets subscribed to Web Check.
  5. You accept that use of Web Check does not guarantee the absence of security-related issues or the secure operation of the subscribed Assets. You acknowledge that the NCSC can only provide results based on such information as it holds at the relevant time and that as a result, the outputs that Web Check provides may change at any time.

The terms of this Agreement were last amended on November 8 2023. Version 1.3.2.