UK Cyber Security and Resilience Bill – headlines for the data centre sector

December 03, 2025

The UK’s Cyber Security and Resilience Bill (the Bill) has started making its way through Parliament.  The Bill proposes amendments to the UK’s Network and Information Systems Regulations 2018 (NIS Regulations).  The NIS Regulations implemented Directive (EU) 2016/1148, the EU’s first NIS Directive, and already impose cybersecurity obligations on some sectors.

The government has not announced a target date for the Bill’s becoming law, but the expectation is that it could receive Royal Assent by next spring.

This blog post includes headline points on new and existing obligations for the data centre sector.  The government has published a factsheet on the Bill, and a policy paper on data centres.

Data centres

Providers of data centre services will be brought into scope as Operators of Essential Services (OES).

A ‘data centre service’ means the provision of a physical structure which contains an area for the housing, connection, and operation of relevant IT equipment and provides supporting infrastructure for or in connection with the operation of relevant IT equipment.  There is also a threshold requirement of 10 megawatts for provision of a data centre service on an enterprise basis, or 1 megawatt for provision of a data centre service otherwise than on an enterprise basis.

Obligations for providers of data centres

  • Notification to the competent authority (Ofcom) within 3 months of designation (in practice, this will likely mean 3 months from entry into force).

  • Nominate a UK representative if established outside the UK.
  • Take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies.
  • Take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of an essential service, with a view to ensuring the continuity of those services.
  • Incident notification to the competent authority (Ofcom) – initial notification in 24 hours and a full notification in 72 hours.
  • Notification to customers likely to be adversely affected by the incident as soon as reasonably practical after the full notification to the competent authority.

Other ways players in the sector can be brought into scope

Cloud computing services: the NIS Regulations already included obligations for providers of cloud computing services (enabling access to a scalable and elastic pool of shareable computing resources), as Relevant Digital Service Providers (RDSP).

Managed services: the Bill also adds a new category of Relevant Managed Service Providers (RMSP), for “provision of ongoing management of information technology systems” via the supplier’s connecting to or obtaining access to network and information systems relied on by the customer.  The government’s April 2025 policy paper had suggested we would see an exclusion for intra-group service provision, but the Bill does not appear to include this exclusion.

RDSPs and RMSPs have similar obligations to providers of data centre services around notification to the competent authority, security, incident notification, and customer notifications.  The Information Commissioner (or, shortly, the Information Commission) will be the competent authority.

Critical suppliers: alternatively, organisations can be brought into scope via designation by a competent authority as a critical supplier to an OES, RDSP, or RMSP.

Penalties and other changes

The Bill introduces the possibility of penalties of up to 4% of worldwide turnover (or £17m if higher).  The threshold for notification of an incident has been lowered, and a requirement for initial notification within 24 hours has also been introduced.

The EU position under Directive (EU) 2022/2555 (NIS2)

Many of the changes proposed by the Cyber Security and Resilience Bill were inspired by NIS2, such as lowering the incident notification threshold and introducing a 24-hour notification requirement.  NIS2 also applies to data centre service providers, cloud computing service providers, and managed service providers. 

However, there are various differences on scope and application.  There is no critical supplier equivalent under NIS2, but NIS2 covers a much broader range of sectors.  NIS2 introduces personal liability for senior management, unlike the Cyber Security and Resilience Bill.  Maximum penalties under NIS2 are a little lower, at 2% worldwide turnover in the previous financial year or EUR 10 million (exact penalties will be set on a member state level).

Our take

Organisations not previously in scope – like providers of data centre services, as well as managed service providers – will need to familiarise themselves with the new obligations and prepare to comply.  

Providers of cloud computing services should also ensure they are ready to comply with new obligations, and in the meantime, ensure they are complying with existing obligations.  The NIS Regulations came into force in 2018, and were somewhat overshadowed by the GDPR.  As a result, it is not unheard of for organisations to be unaware that they already have obligations under UK cyber security legislation.  

Alongside UK obligations, organisations may also have obligations under NIS2 in the EU. If they serve the financial services sector, Regulation 2022/2554 (DORA) may also mean that they have contractual obligations as ICT service providers, or may be brought under direct supervision as critical suppliers.  

With turnover-based penalties proposed under the Bill, and obligations to navigate under NIS2 and potentially DORA, it will be crucial for organisations to ensure they comply with obligations across the EU and UK and get ready to comply with new obligations in the UK.