Taking shape on the cyber security landscape
Supply chain vulnerabilities and cyber security regulation are in the spotlight again as the Government releases a policy statement (April 2025) with its legislative proposals for the new Cyber Security and Resilience (CSR) Bill, announced in the King’s Speech in July 2024.
In his Ministerial foreword to the policy statement, the Secretary of State for Science, Innovation and Technology outlines that,
‘…the legislative proposals reflect the insights we have gathered from our international partners, including valuable lessons from the European Union on the implementation of its NIS2 regime. They are also informed by consultations conducted by the previous Government in 2022 and 2023…’.
According to the .gov.uk webpages for the policy statement, the CSR Bill will be laid before Parliament later this year.
Essential and digital services
The current cross-sector cyber security framework in the UK is to be found in The Network and Information Systems Regulations 2018 (NIS 2018). The entities to which NIS 2018 apply are:
- Operators of Essential Services (OES), covering five sectors (transport, energy, drinking water, health, and digital infrastructure), and
- Relevant Digital Service Providers (RDSPs).
In terms of enforcement, there are twelve regulators, called ‘competent authorities’, within NIS 2018.
In this blog we explore the detail within the Government’s April 2025 proposal for bringing more entities into scope of the new regulatory framework. The three categories of entity are:
- managed service providers (MSPs),
- designated critical suppliers (DCS), and
- data centres.
Managed Service Providers
The CSR Bill is to define the managed services that will come within scope of the new legislation. Earlier research suggests these measures would ‘secure a further 900 – 1100 MSPs’.
It is proposed that, under the CSR Bill, MSPs would be subject to the same duties as RDSPs.
Characteristics
While precise wording is subject to final drafting, the following four characteristics ‘reflect the services intended to be included’:
‘A managed service is a service which:
- is provided to another organisation (i.e., not in-house), and;
- relies on the use of network and information systems to deliver the service, and;
- relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security, and;
- involves a network connection and/or access to the customer’s network and information systems’.
The role of the ICO
Under NIS 2018, it is the Information Commissioner’s Office (ICO) that is the regulator for RDSPs, regulating cloud computing services, online search engines and online marketplaces. The ICO will also act as the regulator for MSPs.
The ICO’s ability ‘to gather information to assist them in determining the criticality of regulated digital services and their risk-based approach’ will be enhanced. The ICO would also have powers to take enforcement action against MSPs that fail to register with it.
Designated Critical Suppliers
Regulators may individually designate a supplier as a DCS if the supplier’s goods or services are so vital that disruption could have a major impact on the essential or digital service it supports.
‘DCS are therefore expected to account for a very small number and percentage of those suppliers providing goods or services to OES and RDSP’.
Threshold criteria
For a supplier to be individually designated as a DCS by a regulator, the likely threshold criteria for designation are listed as follows:
- ‘Supply of goods or services: The supplier provides goods or services (including digital services) to an OES (regulated by that regulator) or to an RDSP (in the case of the ICO).
- Significant disruptive effect: The regulator judges that a failure or disruption in that supplier’s goods or services – or an incident affecting the supplier’s network and information systems – could have a significant disruptive effect on the provision of the essential or digital service.
- Reliance on networks and information systems: The supplier’s goods or services depend on networks and information systems, making them relevant to the scope of the regulatory framework. This is intended to ensure that suppliers only fall within scope if their goods or services involve or rely upon technology (such as IT infrastructure or operational technology) that could be targeted or disrupted.
- Not already regulated: The supplier is not subject to similar cyber resilience regulations elsewhere (e.g., under Part 2 of the Communications Act 2003, as amended by the Telecommunications (Security) Act 2021) or elsewhere under the 2018 Regulations’.
Data centres
Towards the end of the Government’s legislative proposal document is a section dedicated to additional measures that are under consideration. These are commitments additional to those made in the King’s Speech, and the CSR Bill may or may not be decided upon as the ‘legislative vehicle’ to take these measures forward. One of these measures is in relation to data centres.
Data centres were designated as critical national infrastructure (CNI) in September 2024.
‘In recognition of this, the Government is committed to introducing proportionate regulatory oversight’.
An essential service
To work in practice, data infrastructure would be classified as a relevant sector and data centres as an essential service.
A UK data centre with a capacity at or above 1MW would be in scope, unless it is an enterprise data centre, which would only be in scope at or above 10MW capacity.
Duties of data centres would involve:
- notifying and providing certain information,
- having in place measures to manage risk, and
- reporting significant incidents.
In-scope organisations
The Government’s policy paper concludes with its overall rationale: that an update to the UK’s critical infrastructure framework will provide protection against hostile cyber actors targeting critical sectors and supply chains, whilst also fostering secure networks and systems key for growth and innovation.
It is worth noting that the Government’s policy document refers to aligning, where appropriate, the CSR Bill with the EU’s NIS2 regime. There is also reference to incident reporting being no more onerous than equivalent requirements in NIS2.
In-scope organisations will need to keep progress of the CSR Bill on their radar and, where relevant, consider how its proposed provisions compare with the EU’s NIS2 Directive.
Our experienced team of technology solicitors can support you if you would like to learn more about these significant changes to the UK’s cyber security landscape.