
UK Cybersecurity and Resilience Policy Statement April 2025 - Impacts for Managed Services Providers and Data Centres

Introduction

The UK has an already complex cybersecurity law framework.  This includes data protection law, laws on the security of network and information systems, principally the UK’s Network and Information Systems (NIS) Regulations 2018, together with more laws relating specifically to national security, and other sector-specific regulation.  

In sectors such as financial services there are also additional requirements around outsourcing, operational resilience and, where there is an EU dimension, digital operational resilience through the Digital Operational Resilience Act (DORA). Further, there are also overarching macroprudential obligations for this sector, which create additional reporting requirements. 

In this context, knowing who to report an incident to, and how it will be managed, can be a complex process and the process to “operationalise” many of these regulations has proved difficult in practice for business.  

The UK Government announced in 2024 that it had added data centres as an additional sector for critical national infrastructure.  This has led to a policy paper updated on 1 April 2025, “Cybersecurity and Resilience Policy Statement”, which introduces more specific proposals on how the UK’s cybersecurity framework can be updated.  In particular, this proposes some changes to the NIS regulations, and specific additions for managed services and data centres which will be introduced under a new Cyber Security and Resilience Bill.  There are also proposals to streamline the reporting structure. 

This note analyses some of the key proposals.  At present the Department for Science, Innovation & Technology (DSIT) is also conducting a series of public workshops in relation to the proposed Bill, to ensure that the regulations remain focused and contain adequate technical definitions so that risk of overlap and inconsistency is reduced.  This is very necessary and businesses are encouraged to participate in this consultation in order to ensure a smoother path to regulation.

In the Policy Statement, the Secretary of State for Science, Innovation & Technology, the Rt. Hon. Peter Kyle MP, sets out the strategic context for regulation, stating that the UK is facing unprecedented threats to critical national infrastructure, posing a risk to UK citizens.  He reports that the National Cybersecurity Centre’s annual review in 2024 described the threat landscape as “diffuse and dangerous” including threats from organised crime and third-party states.  The concern is that resilience is not improving at the rate necessary to keep pace with cyber threat.

Current Regulations

The Network and Information Systems Regulations 2018 are the UK’s only cross-sector cybersecurity legislation. The NIS regulations currently cover five sectors: transport, energy, drinking water, health and digital infrastructure, together with certain digital services, which are: online marketplaces, online search engines and cloud computing services.  

The Government proposes to update these regulations in the Cybersecurity and Resilience Bill.  The proposals are that draft regulations will be consulted on in late 2025/2026 with a proposal for a bill coming into law in 2026 and active supervision following towards the end of 2026/2027.  

Key additions are:

Managed service providers

The Government recognises that managed service providers are crucial to the UK supply chain and economy, as they manage a very significant proportion of the economy’s IT systems and networks.  As such, the Government believes that managed services providers may be an attractive target for malicious actors. Noting that exact wording will be subject to final drafting, the Policy Statement states that:

“A managed service is a service which: (1) is provided to another organisation (i.e. not in house); (2) relies on the use of network and information systems to deliver the service; (3) relates to ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, applications and/or IT networks including for the purposes of activities relating to cybersecurity; and (4) involves a network connection and/or access to the customer’s network and information systems.”

It is proposed that firms falling within this definition will be subject to the same duties as “relevant digital service providers” (RDSPs) under the NIS regulations. The Information Commissioner’s Office (ICO) would hold the information gathering, investigation and enforcement powers in this context. Currently, relevant digital service providers under the NIS regulations include cloud computing services that employ more than 50 persons with an annual turnover or balance sheet exceeding €10 million, and which either have a head office in the UK or a nominated representative established in the UK. Relevant digital service providers were required to apply to register with the ICO by 1 November 2018 and must notify the ICO within three months of becoming an RDSP.

RDSPs are obliged to identify and take appropriate and proportionate measures to manage the risks posed to the security of the network and information systems on which they rely to provide relevant services, including cloud computing services. These measures must (having regard to the state of the art) ensure a level of security of network and information systems appropriate to the risk posed, prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services and take into account the following elements:

  • security of systems and facilities;
  • incident handling;
  • business continuity management;
  • monitoring, auditing and testing; and
  • compliance with international standards.

RDSPs must notify the ICO without undue delay and in any event no later than 72 hours after becoming aware of an incident which has a substantial impact on the provision of any of the services, and provide sufficient information to enable the ICO to determine the significance of the impact.

Reporting Obligations

In terms of reporting, section 2.2 of the paper provides recommendations on improving incident reporting. Section 2.2.2 is important for businesses to study, as it sets out how the measure will work in practice. There is an intention to expand the incident reporting criteria, as it is believed that the current definition (resulting in interruption to the continuity of the essential or digital service) is too narrow and many incidents of concern are not reported. This will be looked at in the Bill, but the Government’s intention is to capture incidents that are capable of having a significant impact on the provision of the essential digital service, and incidents that significantly affect the confidentiality, availability and integrity of systems. Examples given include compromise of data or confidentiality, spyware, or other incidents significantly affecting the integrity of the system. There will be a two-stage reporting structure which will require in-scope entities to notify their regulator and also inform the National Cyber Security Centre (NCSC) no later than 24 hours after becoming aware of the incident, followed by an incident report within 72 hours. This is similar to the equivalent requirements under the EU’s NIS2 Directive, and to what is already the case for in-scope financial services entities. Reporting will be streamlined by encouraging reporting at the same time to the regulator and to the NCSC. Transparency will be achieved by an obligation to alert customers who may be affected by the incident. Customer reporting is an additional measure which has not yet been prescribed in any detail, but could potentially add significantly to the reporting burden notwithstanding the streamlining of reporting to regulators.

The Annexure to this paper summarises some of the current reporting requirements, and demonstrates the complexity of managing an incident in which multiple reporting obligations are triggered.

Supply chain security and critical suppliers

The Cybersecurity and Resilience Bill will also look at supply chains more widely, including potentially supply chain duties for operators of essential services and relevant digital service providers in relation to their management of cyber risks in the supply chain itself. The Policy Statement states:

“These duties will be designed to ensure appropriate and proportionate measures are taken – such as contractual requirements, security checks or continuity plans – to prevent vulnerabilities in suppliers from undermining essential or digital services.”

The relevant regulators will be able to individually designate suppliers as “critical” where their services are so critical that their disruption could cause a significant disruptive effect on the essential digital service it performs.  

The expectation is therefore that this aspect of the new Act as it comes into force will only apply to a very low number of suppliers, but no guidance is yet given as to how suppliers will be designated and what the thresholds will be in detail. The Policy Statement does acknowledge that those in scope must be able to cause a significant disruptive effect,  and there is an express provision to avoid overlap with suppliers who are already regulated. It is also possible that some small and micro relevant digital service providers may become critical suppliers regardless of size if they meet the relevant criteria.

Data centres

The Policy Statement puts forward initial proposals, which are very brief at present, to bring data centres into the scope of the regulatory framework. This will build upon the designation of data centres as CNI in the King’s Speech in September 2024. The Government is committed to “introducing proportionate regulatory oversight” in this regard. The measure will be introduced by classifying data infrastructure as a relevant CNI sector and data centres as an essential service, irrespective of the nature of services offered from them or their ownership.  

The current proposal is for data centres to be in scope at or above “1MW capacity” but, for enterprise data centres, which are deemed to be those operated by a business solely to deliver and manage the IT needs of the business, to be in scope only if they are at or above 10MW capacity.

The operation of these data centres will require certain duties to be met, including notifying and providing “certain information”, having in place appropriate and proportionate measures to manage risk and reporting significant incidents. 

It is expressly stated that the scope would be adjustable over time, under specified conditions, to account for developments in the market and risk landscape. Although the detail on this is brief at present, DSIT is undertaking public consultations to give greater context and overview on the scope of the proposed regulation. DSIT are currently finalising policy delivery for a draft bill to be introduced in the current parliamentary session and are working on the current drafting for the bill.

In order to draw a distinction between managed services providers and data centres, DSIT intends to be clear that the operation of a data centre is distinct from the operation of the IT equipment that a data centre houses.  As such, the regulations relating to data centres will extend to the infrastructure in the data centre or supporting the data centre, but not the IT equipment and virtual elements that are housed within the data centre.

It is intended that the threshold requirements will be established by reason of megawatt operational IT load of the data centre, and therefore PUE calculations may possibly be disregarded from the calculation of the relevant 1MW and 10MW thresholds.

The current intention is to define data centres and data centre operators in the Bill, so there is certainty in the industry. Other European laws and standards have attempted to define data centres for other purposes, so these definitions will be considered. This is an extremely important task and detailed feedback is required from industry in this regard. One example of a possible issue is that an enterprise data centre may be owned by a service company which is separate from the regulated entity, and which is required to support multiple group entities with different businesses. Many large businesses (for example within financial services) operate IT services through a dedicated service company. Intragroup services between a group service company and its trading entities should therefore not constitute the provision of colocation services, which could otherwise risk falling within the 1MW threshold for regulated colocation data centres, rather than the overall operations of the facility remaining an enterprise data centre for the benefit of the wider group.

Further clarification will also be needed to establish, for example, whether a facility on a campus with its own separate dedicated infrastructure would form part of a colocation provider’s data centre where that provider operates multiple buildings on the campus, or, where a building is separately occupied and managed by an enterprise, whether the obligations would fall on the enterprise as an enterprise data centre rather than on the campus owner.

A careful approach will be taken, however, to manage overlaps between data centre operators, some of whom will already be managed service providers, relevant digital service providers or operators of essential services by reason of them owning data centre facilities as well as running IT services. It is clear that there will be reporting requirements for those businesses in scope to provide annual updates and notify of significant changes to information during the year, e.g. a change in operational structure or ownership. 

It is proposed that Ofcom may be the independent regulator for data centres but this has not yet been confirmed. This may result in a difference between the current regulations for managed service providers and for data centres where the ICO is the regulator. The practical implications of this must be reviewed to assess whether different regulators for different functions of, and in, the data centre will be workable. Ofcom oversees telecommunications so there is logic to the proposal but it is a moot point whether the data centre is an extension of its network and energy infrastructure for this purpose.

Conclusion

There will be a number of very detailed considerations to work through once the Bill is published, in particular matching and managing reporting obligations. Customers of managed service providers and data centres should review contracts to establish whether they will need to obtain transparency over the reporting processes that are required, and to establish whether and how in scope organisations will report to individual customers, as well as to regulators, and the confidentiality and security requirements around this.

There is some discussion in the sector whether, and if so what, benefits might accrue from these operators coming within scope, and whether there are benefits such as sharing of sector-wide information and greater integration with national cyber security authorities that will add benefit to business and assist in the building of cyber resilience and proactive management of threats. 

The provisions on supply chain will need to be examined very carefully by managed digital service providers, as this may require further patching and remediation of contracts, as well as new procedures to come into place.  At present, there is no information on this, but clear flexibility and terms with supply chain will need to be introduced so that appropriate policies, procedures and management processes are in place.

For those parties who are potentially coming in scope, there is sufficient information in the current NIS regulations and guidance for parties to start to prepare and to review how information gathering, reporting and management might be undertaken.

Annexure 1

Summary sample of breach reporting requirements under current law

The table below is set out with the following columns for each regulation: incident trigger, notification deadline, content of notification and sanctions.

UK General Data Protection Regulation and the Data Protection Act 2018[1] (UK GDPR); EU General Data Protection Regulation[2] (EU GDPR)

Incident trigger

A security event leading to a personal data breach.

A security event is any incident which may potentially compromise the confidentiality, integrity or availability of personal data.

A personal data breach is “any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed”.

Notification deadline

1. ICO

Controllers must notify the ICO or the relevant EU supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

A controller is considered to have become aware of the breach when they “have a reasonable degree of certainty that a security incident has led to personal data being compromised.”[3]

Processors must notify the relevant controller without undue delay.

2. Data subjects

Controllers must notify affected data subjects without undue delay where the personal data breach is likely to result in a high risk to the rights and freedoms of individuals.

Content of notification

1. ICO

  • Nature of the personal data breach including:
    • Categories of data subjects affected;
    • Approximate number of data subjects;
    • Categories of personal data records affected; and
    • Approximate number of personal data records.
  • Name and contact details of the DPO or other contact who can provide further information;
  • A description of the likely consequences of the personal data breach;
  • Measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects.

2. Data subjects

The notification to a data subject must be in clear and plain language and contain the same elements as described above.

Notifying a data subject is not required if any of the following is satisfied:

  • The controller has implemented appropriate technical and organisational protection measures which have rendered the personal data unintelligible to any person not authorised to access it (e.g. encryption);
  • The controller has taken subsequent measures to ensure the high risk to individuals is not likely to materialise; or
  • Such notification would involve disproportionate effort. In such cases the controller must issue a public communication which informs data subjects in an equally effective manner.

Sanctions

Failure to report a breach may result in a maximum fine of 20 million euros (17.5 million pounds) or 4% of the annual global turnover, whichever is greater.

UK Network and Information Systems Regulations 2018[4] (NIS Regulations)

Incident trigger

Operators of Essential Services (OESs)

Any incident* which has a significant impact on the continuity of an essential service provided by an OES, taking into account:

  • The number of users affected by the disruption of the essential service;
  • The duration of the incident; and
  • The geographical area affected by the incident.

Relevant Digital Service Providers (RDSPs)

Any incident* which has a substantial impact on the provision of any of the following digital services:

  • Online marketplaces
  • Online search engines
  • Cloud computing services.

*An incident is defined under the NIS Regulations to mean “any event which has an actual adverse effect on the security of network and information systems”.

Notification deadline

OESs must notify their sector-dependent designated competent authority without undue delay and in any event no later than 72 hours after becoming aware of any significant incident.

RDSPs (as defined in Section 2.1) must notify the ICO without undue delay and in any event no later than 72 hours after becoming aware of any incident having a substantial impact.

The requirement to notify the ICO applies only if the RDSP has access to information which allows it to evaluate whether the impact of an incident is substantial.

To determine this, the RDSP must consider the following factors in addition to the ICO’s guidance:

  • The number of users affected by the incident, and in particular the users relying on the digital service for the provision of their own services;
  • The duration of the incident;
  • The geographical area affected by the incident;
  • The extent of the disruption to the functioning of the service; and
  • The extent of the impact on economic and societal activities.

Content of notification

The notice by the OES to the competent authority must be in the form determined by that authority, and the information provided is limited to only the information which may reasonably be expected to be within the knowledge of that OES. Any notification must provide:

  • The operator’s name and the essential services it provides;
  • The time the NIS incident occurred;
  • The duration of the NIS incident;
  • Information concerning the nature and impact of the NIS incident;
  • Information concerning any, or any likely, cross-border impact of the NIS incident; and
  • Any other information that may be helpful to the competent authority.

The competent authority will consult with the ICO when addressing incidents which result in related personal data breaches, to ensure alignment between the data protection and cybersecurity regimes.

RDSPs must provide sufficient information to enable the ICO to determine the significance of any cross-border impact. In particular, the notification must include:

  • The RDSP’s name and the relevant digital services provided;
  • The time of the incident;
  • The duration of the incident;
  • Information explaining the nature and impact of the incident;
  • Information concerning any, or any likely, cross-border impact of the incident; and
  • Any other information that may be helpful to the ICO.

Sanctions

Failure to report an incident may result in a maximum fine of £17 million.

EU Digital Operational Resilience Act (DORA)[5]

Incident trigger

Major ICT-related incidents must be notified to the relevant competent authority, defined as “an incident which has a high adverse impact on systems that support critical or important functions”.

Significant cyber threats may be voluntarily notified, defined as “a cyber threat with technical characteristics which indicate it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident”.

Notification deadline

Major ICT-related incidents*

  • Initial notification to the relevant competent authority: within four hours of classifying the incident as a major incident, but not later than 24 hours from the time of detection of the incident.
  • Intermediate report: within 72 hours of the classification of the incident as a major incident, or when regular activities have been resumed.
  • Final report: no later than one month from the classification of the incident as a major incident, unless the incident has not been resolved. In such cases, the final report must be delivered no later than the day after the incident has been resolved permanently.

*This wording reflects the draft Regulatory Technical Standards on the notification and reports for major incidents and significant cyber threats, which may be subject to change.

Content of notification

Major ICT-related incidents*

The different phases of notification align with a comprehensive list of requirements as to the content of these notifications under the DORA Regulatory Technical Standards.

For example, the initial notification must include, among other information, the incident reference code, the date and time of the incident, a description of the incident, the relevant classification criteria, and information as to how the incident was discovered as well as its origination.

The intermediate report supplements the above with additional information including: the date and time when regular activities were restored; the threats and techniques used by the threat actor; affected infrastructure; and temporary actions taken to recover from the incident.

Finally, the final report must set out the root causes of the incident, the dates and times when the incident was resolved, and details of the direct and indirect costs and losses stemming from the incident, among other information.

Significant cyber threats*

Where a significant cyber threat is notified, this should be in the form specified in the Annexes to the DORA Regulatory Technical Standards. The information must be complete and accurate, and should include:

  • General information about the reporting entity;
  • Date and time of detection of the significant cyber threat and any other relevant timestamps related to the threat;
  • Description of the significant cyber threat;
  • Information about the potential impact of the cyber threat on the financial entity, its clients and/or financial counterparts;
  • The classification criteria that would have triggered a major incident report, had the cyber threat materialised;
  • Information about the status of the cyber threat and any changes in the threat activity;
  • Description of the actions taken by the financial entity to prevent the materialisation of the significant cyber threat, where applicable;
  • Information about notification of the cyber threat to other financial entities or authorities;
  • Information on indicators of compromise, where applicable; and
  • Other relevant information, where available.

Sanctions

The maximum level of fines is determined at the Member State level.

Critical National Infrastructure (CNI) as set out under the proposed Policy Statement, which will expand the reporting requirements under the NIS Regulations

Incident trigger

An incident which has a significant impact on the provision of the essential or digital service under the NIS Regulations, or an incident which significantly affects the confidentiality, availability or integrity of a system. (Draft)

Notification deadline

Entities in scope will have to notify (a) their competent regulatory authority and (b) the National Cyber Security Centre no later than 24 hours after becoming aware of an incident, and issue an incident report within 72 hours of becoming aware of the incident.

Content of notification

The details as to the content of the notification have not yet been finalised.

Sanctions

N/A

[1] Articles 4, 33 and 34 of the UK GDPR.

[2] Articles 4, 33 and 34 of the EU GDPR.

[3] Article 29 Working Party, Guidelines on Personal data breach notification under Regulation 2016/679, page 10.

[4] Regulations 11 and 12 of the NIS Regulations.

[5] Article 19 DORA; Articles 2 to 7 DORA Regulatory Technical Standards on the content of the notification and reports for major incidents and significant cyber threats and determining the time limits for reporting major incidents.
