Regulatory Compliance

UK’s Cyber Security and Resilience Bill set to redefine data centre obligations with stricter oversight and designation as critical infrastructure

Wednesday, 10 December 2025 7:48AM UTC

The UK Parliament's new Cyber Security and Resilience Bill introduces significant changes for data centre operators, including designation as Critical National Infrastructure and tougher incident reporting requirements, signalling a major shift in digital security regulation.

The UK’s Cyber Security and Resilience Bill has begun its parliamentary passage and proposes substantial changes to the Network and Information Systems Regulations 2018 that will directly reshape obligations for the data centre sector. According to the original report, the government has not announced a firm timetable for the Bill to become law, but officials expect it could receive Royal Assent by next spring. ^[1]^[5]^[2]

Central to the Bill is the explicit inclusion of providers of data centre services as Operators of Essential Services (OES). The government’s policy material defines a "data centre service" as the provision of a physical structure housing, connecting and operating relevant IT equipment together with supporting infrastructure, and sets capacity thresholds for designation , 10 megawatts for enterprise provision and 1 megawatt for other commercial provision. Designation is accompanied by a statutory requirement to notify the competent authority (Ofcom) within three months of designation. ^[1]^[4]^[2]

Designated data centre operators will face new and existing duties to take "appropriate and proportionate technical and organisational measures" to manage risks to the networks and information systems underpinning their essential services, and to reduce the impact of incidents while ensuring continuity of service. The Bill strengthens incident reporting by lowering the notification threshold and requiring an initial report to the competent authority within 24 hours and a full report within 72 hours; operators must also notify customers likely to be adversely affected "as soon as reasonably practical" after the full notification. ^[1]^[2]^[4]

Beyond physical data centres, the Bill enlarges the regulated perimeter to capture other supplier types. Cloud computing providers continue as Relevant Digital Service Providers (RDSP) under the updated framework, while a new category , Relevant Managed Service Providers (RMSP) , would cover "provision of ongoing management of information technology systems" where the supplier connects to or accesses customers’ network and information systems. The Bill does not appear to enact the intra-group exclusion considered in earlier policy papers, potentially widening scope for multinational suppliers. The Information Commissioner (shortly to be the Information Commission) will be the competent authority for RDSPs and RMSPs. ^[1]^[2]

The Bill also introduces a route for organisations to be pulled into scope by designation as a critical supplier to an OES, RDSP or RMSP. Separately, government announcements have designated data centres as Critical National Infrastructure, a move intended to align them more closely with sectors such as energy and water and to ensure greater government support during major incidents. That designation underlines the strategic rationale for tighter regulation and operational resilience measures. ^[3]^[6]^[1]

Enforcement and sanctions are significantly strengthened: the Bill contemplates turnover-based penalties of up to 4% of worldwide turnover (or £17m if higher), and tightens notification timing compared with the 2018 Regulations. Government statements frame the Bill as part of a broader drive to harden national cyber defences and ensure continuity of essential public services. Industry data and policy commentary suggest these measures aim both to deter lax security practices and to improve incident response across critical digital infrastructure. ^[1]^[2]^[5]

The Bill draws clear inspiration from the EU’s NIS2 directive , for example, the reduced notification threshold and 24‑hour initial reporting mirror NIS2 , but important differences remain. NIS2 covers a broader set of sectors and introduces personal liability for senior management, while the UK Bill adds a critical supplier designation that has no direct NIS2 equivalent. Maximum monetary penalties under NIS2 are generally lower (around 2% of worldwide turnover or €10m, to be set at member‑state level), meaning organisations operating across the UK and EU will need to navigate divergent obligations and enforcement regimes. Firms serving regulated financial services should also consider whether DORA obligations apply alongside NIS2 and the UK Bill. ^[1]

For operators and suppliers, the practical message is immediate: organisations not previously in scope , notably some data centre operators and managed service providers , must familiarise themselves with the new duties, incident reporting timelines and potential penalties. Providers of cloud computing services should ensure continued compliance with existing NIS obligations while preparing for the Bill’s expanded requirements. Given the interplay with NIS2, DORA and national designations such as CNI, businesses with cross‑jurisdictional footprints will need coordinated compliance plans to manage overlapping supervisory expectations. ^[1]^[4]^[2]

📌 Reference Map:

##Reference Map:

^[1] (InsideTechLaw) - Paragraph 1, Paragraph 2, Paragraph 3, Paragraph 4, Paragraph 5, Paragraph 6, Paragraph 7, Paragraph 8
^[2] (UK government policy statement) - Paragraph 1, Paragraph 3, Paragraph 4, Paragraph 6, Paragraph 8
^[3] (UK government news: data centres CNI) - Paragraph 5
^[4] (UK government factsheet: data centres) - Paragraph 2, Paragraph 3, Paragraph 8
^[5] (UK government collection: Cyber Security and Resilience Bill) - Paragraph 1, Paragraph 6
^[6] (UK government news: strengthened data storage protections) - Paragraph 5

Source: Noah Wire Services

More on this

https://www.insidetechlaw.com/blog/2025/12/uk-cyber-security-and-resilience-bill-headlines-for-the-data-centre-sector - Please view link - unable to able to access data
https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement - The UK government has introduced the Cyber Security and Resilience Bill to enhance the nation's cyber defences and protect essential public services. The Bill aims to reform and expand the existing Network and Information Systems (NIS) Regulations 2018, increasing protection against cyber attacks and ensuring the continuity of critical services. Key measures include broadening the scope of regulated entities, enhancing incident reporting requirements, and empowering regulators to enforce stricter security standards across various sectors, including data centres, managed service providers, and critical suppliers.
https://www.gov.uk/government/news/data-centres-to-be-given-massive-boost-and-protections-from-cyber-criminals-and-it-blackouts - UK data centres have been designated as Critical National Infrastructure (CNI), recognising their vital role in supporting digital services and economic activities. This designation ensures that data centres receive greater government support during critical incidents, enhancing their resilience against cyber attacks, environmental disasters, and IT blackouts. The move aligns data centres with other essential services like energy and water, underscoring their importance in maintaining national security and economic stability.
https://www.gov.uk/government/publications/deleted-cyber-security-and-resilience-network-and-information-systems-bill-factsheets/data-centres - The UK government plans to bring data centres into the regulatory framework of the Network and Information Systems (NIS) Regulations 2018. Data centres meeting specific capacity thresholds—1 megawatt for commercial data centres and 10 megawatts for enterprise data centres—will be designated as Operators of Essential Services (OES). This designation requires data centre operators to implement appropriate measures to manage risks and report significant incidents, thereby enhancing the security and resilience of critical digital infrastructure.
https://www.gov.uk/government/collections/cyber-security-and-resilience-bill - The Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025, aims to strengthen the UK's cyber defences and protect essential public services. The Bill seeks to reform and expand the existing Network and Information Systems (NIS) Regulations 2018, increasing protection against cyber attacks and ensuring the continuity of critical services. Key measures include broadening the scope of regulated entities, enhancing incident reporting requirements, and empowering regulators to enforce stricter security standards across various sectors, including data centres, managed service providers, and critical suppliers.
https://www.gov.uk/government/news/security-measures-strengthened-to-bolster-uk-data-storage-protections - The UK government has introduced tougher security and resilience measures for data centres operating in the UK to protect against potential disruptions, including cyber-attacks and extreme weather events. These measures require data centres to implement minimum security and resilience standards, with regulators ensuring compliance within the sector. The initiative aims to safeguard national security and make the UK more attractive to potential tech investors by enhancing the protection of critical data storage facilities.
https://www.gov.uk/government/news/data-centres-to-be-given-massive-boost-and-protections-from-cyber-criminals-and-it-blackouts - UK data centres have been designated as Critical National Infrastructure (CNI), recognising their vital role in supporting digital services and economic activities. This designation ensures that data centres receive greater government support during critical incidents, enhancing their resilience against cyber attacks, environmental disasters, and IT blackouts. The move aligns data centres with other essential services like energy and water, underscoring their importance in maintaining national security and economic stability.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 8

Notes: The narrative presents recent developments regarding the UK's Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025. The earliest known publication date of similar content is 14 December 2023, when the UK government announced plans to bolster data storage protections. The report includes updated data and references to the Bill's progress, indicating a higher freshness score. However, the presence of earlier versions with different figures or dates suggests potential discrepancies. Additionally, the narrative includes direct quotes from government publications, which may indicate recycled content. The inclusion of a press release from the UK government adds credibility and supports the high freshness score. Overall, the freshness score is 8, reflecting recent developments with some potential discrepancies.

Quotes check

Score: 7

Notes: The narrative includes direct quotes from government publications, such as the Cyber Security and Resilience Bill Policy Statement. These quotes appear to be used verbatim, suggesting potential reuse of content. Variations in wording across different sources indicate possible paraphrasing or selective quoting. The absence of online matches for some quotes raises the possibility of original or exclusive content. However, the reliance on government publications suggests a mix of original and reused content. The quotes check score is 7, indicating a moderate level of originality with some reused content.

Source reliability

Score: 9

Notes: The narrative originates from InsideTechLaw, a reputable organisation known for its expertise in technology law. The inclusion of direct quotes from official UK government publications, such as the Cyber Security and Resilience Bill Policy Statement, further enhances the reliability of the information presented. The use of official sources and the reputation of InsideTechLaw contribute to a high source reliability score of 9.

Plausibility check

Score: 8

Notes: The narrative aligns with recent developments in UK cyber security legislation, including the introduction of the Cyber Security and Resilience Bill to Parliament on 12 November 2025. The inclusion of direct quotes from government publications adds credibility to the claims made. The report provides specific details, such as capacity thresholds for data centres and incident reporting requirements, which are consistent with the Bill's provisions. The language and tone are consistent with official government communications, further supporting the plausibility of the information. Overall, the plausibility check score is 8, indicating a high level of credibility and consistency with known facts.

Overall assessment

Verdict (FAIL, OPEN, PASS): PASS

Confidence (LOW, MEDIUM, HIGH): HIGH

Summary: The narrative provides a detailed and up-to-date overview of the UK's Cyber Security and Resilience Bill, incorporating recent developments and direct quotes from official government publications. The use of reputable sources and the alignment with known facts support a high level of confidence in the accuracy and reliability of the information presented. While there are indications of potential content reuse, the overall assessment is positive, leading to a 'PASS' verdict with high confidence.

Cyber Security
Data Centres
UK Legislation