Cloud Providers CSRB Compliance Guide
Complete guide to Cyber Security and Resilience Bill compliance for Cloud Service Providers, Online Marketplaces, and Search Engines. Understand RDSP obligations under Bill 329.
Sector Overview
Cloud Service Providers are the backbone of modern digital infrastructure, hosting everything from government applications to financial systems. Under the Cyber Security and Resilience Bill (Bill 329), cloud computing services, online marketplaces, and online search engines are regulated as "Relevant Digital Service Providers" (RDSPs).
Service Categories - What is a Relevant Digital Service?
Under Part 2, Section 7 of Bill 329, a "relevant digital service" means:
"An online marketplace, an online search engine or a cloud computing service"
— Bill 329, Part 2, Section 7, Regulation 1(2)
- Cloud Computing: IaaS, PaaS, SaaS services
- Online Marketplace: platforms connecting buyers and sellers
- Search Engine: online search services
What is a Cloud Computing Service?
According to Part 2, Section 7 of Bill 329, a "cloud computing service" is defined as:
"A digital service which enables access to a scalable and elastic pool of shareable computing resources (such as networks, servers, software and storage) where: (i) there is broad remote access to the service, (ii) the service is capable of being provided on demand and on a self-service basis, (iii) the pool of computing resources may be distributed across two or more locations, and (iv) the service is not provided by a person solely for use for the purposes of a business or other activity carried on for that person, and which is not a managed service"
— Bill 329, Part 2, Section 7, Regulation 1(2)
Key Characteristics:
- Broad remote access: ability to access from any authorised location by any capable device
- Scalable and elastic: capable of being automatically increased or deprovisioned according to demand
- On-demand and self-service: can be provisioned without manual intervention
- Distributed resources: may be across multiple locations
- Not for own use: not provided solely for the provider's own business
- Not a managed service: managed services are separately regulated
Exclusions:
Public electronic communications networks and services (as defined by the Communications Act 2003) are explicitly excluded from being relevant digital services. Managed services are also excluded from the cloud computing service definition.
Are You a Relevant Digital Service Provider (RDSP)?
Under Part 2, Section 7 of Bill 329, you are a Relevant Digital Service Provider (RDSP) only if you meet all of the following conditions. You're an RDSP if you:
- Provide a relevant digital service (cloud computing, online marketplace, or search engine) in the United Kingdom (whether or not you're established in the UK)
- Are not designated as a critical supplier under regulation 14H in relation to that service
- Are not a micro or small enterprise as defined in Commission Recommendation 2003/361/EC
- Either: (a) are not subject to public authority oversight, OR (b) are subject to public authority oversight but derive more than half your income from commercial activities
Exemptions:
Micro and small enterprises (as defined by Commission Recommendation 2003/361/EC) are exempt from RDSP designation. However, you must monitor whether you grow beyond these thresholds, because the exemption ends once you do.
Security Duties - Regulation 12
Under Part 2, Section 8 of Bill 329, Regulation 12 sets out your security duties:
Regulation 12 Requirements:
- You must identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems referred to in paragraph (1)
- The measures must ensure a level of security of network and information systems appropriate to the risk posed
- You must have regard to any relevant guidance issued by the Information Commission
— Bill 329, Part 2, Section 8, Regulation 12
Registration Requirements - Regulation 14
Under Part 2, Section 14 of Bill 329, Regulation 14 requires RDSPs to register with the Information Commission:
Information You Must Provide (within 3 months):
- The name of the RDSP
- The RDSP's proper address (registered/principal office for companies, principal office for partnerships)
- Where the RDSP is a body corporate: the names of the directors
- Where the RDSP is a partnership: the names of the partners or persons having control or management of the partnership business
- Which relevant digital services the RDSP provides
- Up-to-date contact details (including email addresses and telephone numbers)
Update Requirements:
You must notify the Information Commission in writing of any change to the information listed above as soon as reasonably practicable, and in any event before the end of the period of 7 days beginning with the day on which the change took effect.
Registration Date:
The registration date is either: (a) where conditions are satisfied on the day section 14 comes into force, the date 3 months after that day; or (b) in any other case, the date 3 months after the day on which you first become an RDSP.
— Bill 329, Part 2, Section 14, Regulation 14
UK Representative Requirements - Regulation 14A
If your principal office is outside the United Kingdom, Part 2, Section 14 requires you to nominate a UK representative:
- You must nominate in writing a representative in the United Kingdom
- You must notify the Information Commission of the representative's name and contact details (including email address and telephone number)
- You must comply within 3 months: (a) if this applies on the day section 14 comes into force, within 3 months of that day; or (b) otherwise, within 3 months of becoming an RDSP to which this regulation applies
- You must notify the Information Commission of any change to the representative information as soon as reasonably practicable, and in any event before the end of 7 days beginning with the day the change took effect (for representative changes) or the day you became aware (for contact detail changes)
- The Information Commission or GCHQ may contact the representative instead of or in addition to you for the purposes of carrying out their functions
— Bill 329, Part 2, Section 14, Regulation 14A
Incident Reporting Requirements - Regulation 12A
Under Part 2, Section 15 of Bill 329, Regulation 12A sets out strict incident reporting requirements:
⚠️ Critical Timeline: initial notification within 24 hours and full notification within 72 hours, as summarised under Part 2, Section 15 in the Direct References section of this guide.
What is an RDSP Incident?
An incident is an "RDSP incident" if:
- The incident has affected or is affecting the operation or security of the network and information systems relied on to provide the relevant digital service
- The impact of the incident in the United Kingdom or any part of it has been, is or is likely to be significant having regard to factors including: extent of disruption, number of users affected, duration, geographical area, data confidentiality/authenticity/integrity/availability compromise, impact on users' systems, and impact on economy or day-to-day functioning of society
Required Information in Full Notification:
- The RDSP's name and the relevant digital service to which the incident relates
- The time the incident occurred, its duration and whether it is ongoing
- Information concerning the nature of the incident
- Where the incident was caused by a separate incident affecting another regulated person: details of that separate incident and of the regulated person
- Information concerning the impact (including any cross-border impact) which the incident has had, is having or is likely to have
- Such other information as the RDSP considers may assist the Information Commission in exercising its functions
Reporting Requirements:
Notifications must be in writing, provided in such form and manner as the Information Commission determines. You must send a copy of the notification to CSIRT (Computer Security Incident Response Team) at the same time as sending it to the Information Commission.
— Bill 329, Part 2, Section 15, Regulation 12A
Customer Notification Requirements - Regulation 12C
Once you have given a full notification under Regulation 12A, Part 2, Section 16 requires you to notify affected customers:
- You must, as soon as reasonably practicable, take reasonable steps to establish which of your customers in the United Kingdom are likely to be adversely affected by the incident
- After those steps have been taken, you must notify those customers of the incident
- When considering whether a customer is likely to be adversely affected, you must take into account: (a) the extent of any actual or likely disruption to the provision of the relevant digital service, (b) whether the confidentiality, authenticity, integrity or availability of any data relating to the customer is likely to be compromised, and (c) any other impact on network and information systems of the customer
- A notification must provide details of the nature of the incident and explain why you consider that the customer is likely to be adversely affected by the incident
— Bill 329, Part 2, Section 16, Regulation 12C
Penalties for Non-Compliance
Under Part 2, Section 21 of Bill 329, Regulation 18 sets out financial penalties:
Higher Maximum Amount (Serious Failures):
For failures including:
- Failure to fulfil duties under regulation 12(1) - security duties
- Failure to notify an incident under regulation 12A(1) - incident reporting
- Failure to comply with regulation 12A(5) and (6) - notification requirements
- Failure to comply with a direction under regulation 12B(4)(b) - public disclosure
- Failure to comply with regulation 12C(1)(b) and (3) - customer notification
Maximum: £17,000,000 or 4% of global turnover (whichever is greater)
Standard Maximum Amount (Administrative Failures):
For failures including:
- Failure to comply with regulation 12A(7) - sending copy to CSIRT
- Failure to comply with regulation 14(2) or (3) - registration requirements
- Failure to comply with requirements in regulation 14A - UK representative
Maximum: £10,000,000 or 2% of global turnover (whichever is greater)
— Bill 329, Part 2, Section 21, Regulation 18
Benefits of CSRB Compliance
Competitive Advantage
- Stand out from competitors who aren't compliant
- Access high-value contracts with regulated sectors
- Demonstrate security maturity to enterprise clients
Business Benefits
- Build stronger client trust and improve retention
- Reduce cyber risk and incident costs
- Improve your security posture and resilience
Direct References from Bill 329
Part 2, Section 7 - Digital Services
Defines "relevant digital service" as an online marketplace, an online search engine, or a cloud computing service. Defines "cloud computing service" as a digital service enabling access to a scalable and elastic pool of shareable computing resources with broad remote access, provided on an on-demand and self-service basis, distributed across locations, not solely for the provider's own use, and not a managed service.
Bill 329, Part 2, Section 7, Regulation 1(2)
Part 2, Section 8 - Duties of Relevant Digital Service Providers
Regulation 12 requires RDSPs to identify and take appropriate and proportionate measures to manage risks to network and information systems, ensure a level of security appropriate to the risk, and have regard to Information Commission guidance.
Bill 329, Part 2, Section 8, Regulation 12
Part 2, Section 14 - Registration Requirements
Regulation 14 requires RDSPs to register with the Information Commission within 3 months, providing company name, address, directors/partners, services provided, and contact details. Changes must be notified within 7 days. Regulation 14A requires non-UK RDSPs to nominate a UK representative within 3 months.
Bill 329, Part 2, Section 14, Regulations 14 and 14A
Part 2, Section 15 - Incident Reporting
Regulation 12A requires RDSPs to report incidents within 24 hours (initial notification) and 72 hours (full notification) to the Information Commission, with a copy to CSIRT simultaneously. Regulation 12C requires notification of affected UK customers as soon as reasonably practicable.
Bill 329, Part 2, Section 15, Regulations 12A and 12C
Need Help with Cloud Provider CSRB Compliance?
Our expert team helps Cloud Service Providers, Online Marketplaces, and Search Engines implement and prove compliance with CSRB.