Critical Suppliers CSRB Compliance Guide

Complete guide to Cyber Security and Resilience Bill compliance for Critical Suppliers. Understand designation criteria, obligations, and regulatory requirements under Bill 329.

Sector Overview

Critical Suppliers are organisations that supply goods or services to Operators of Essential Services (OES), Relevant Digital Service Providers (RDSPs), or Relevant Managed Service Providers (RMSPs), where an incident affecting the supplier could disrupt essential services and have a significant impact on the economy or the day-to-day functioning of society. Under the Cyber Security and Resilience Bill (Bill 329), such suppliers can be designated as "critical suppliers" and thereby made subject to regulatory oversight.

Supply Chain Risk: CSRB recognises that attacks on suppliers can cascade to disrupt essential services, making critical suppliers a key focus for regulatory oversight.

Designation Criteria - Regulation 14H

Under Part 2, Section 12 of Bill 329, Regulation 14H sets out when a person can be designated as a critical supplier:

A designated competent authority may designate you if:
  • You supply goods or services directly to an OES for which the authority is the designated competent authority
  • You rely on network and information systems for the purposes of that supply
  • The authority considers that an incident affecting your systems has the potential to cause disruption to: (a) the provision of any essential service by the person to which you supply, or (b) the provision of essential services, relevant digital services or managed services by persons to which you supply
  • The authority considers that any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom
  • The designation is not prevented by regulation 14I

Information Commission Designation:

The Information Commission may designate you if you supply goods or services directly to an RDSP or an RMSP, with similar criteria regarding potential disruption and significant impact.

Key Considerations:
  • The authority must consider whether the OES, RDSP or RMSP could obtain the goods or services from an alternative source in the event of an incident
  • The authority must consider the likely nature, scale and duration of potential disruption
  • The authority must consider whether risks could be adequately managed through duties imposed on the regulated person, or through other regulatory functions

— Bill 329, Part 2, Section 12, Regulation 14H

Restrictions on Designation - Regulation 14I

Under Part 2, Section 12 of Bill 329, Regulation 14I sets out when you cannot be designated as a critical supplier:

You may not be designated if:
  • You are already deemed to be designated or designated as an OES for a subsector in relation to the provision of an essential service
  • You are an RDSP in relation to the provision of a relevant digital service
  • You are an RMSP in relation to the provision of a managed service

— Bill 329, Part 2, Section 12, Regulation 14I

Designation Process - Regulation 14J

Under Part 2, Section 12 of Bill 329, Regulation 14J sets out the consultation and procedure for designation:

Before Designation, the Authority Must:
  • Consult relevant persons (other designated competent authorities, the Information Commission, and other appropriate persons)
  • Give you notice in writing which: (a) provides reasons for the proposed designation, and (b) specifies a reasonable period within which you may make written representations
  • Have regard to any representations you make

After Designation:

The authority must give you a notice confirming the decision, setting out:

  • The reasons for the decision
  • The date on which the designation takes effect

A copy of the notice must be given to persons consulted. The authority may provide for the designation to take effect on a date later than specified in the notice.

— Bill 329, Part 2, Section 12, Regulation 14J

Revocation of Designation - Regulation 14K

Under Part 2, Section 12 of Bill 329, Regulation 14K sets out when and how your designation can be revoked:

Revocation by Authority:

A designated competent authority or the Information Commission may revoke your designation if it considers that the conditions for designation are no longer met.

Your Obligation to Notify:

If you have reasonable grounds to believe that you would no longer meet the conditions for designation, you must:

  • Notify the authority of that belief in writing, providing evidence in support
  • Where you believe designation would be prevented by regulation 14I(b) or (c), also notify the Information Commission
  • Do this as soon as practicable

Authority's Duty:

The authority must have regard to your notification and evidence in considering whether to revoke your designation. The consultation and procedure requirements under Regulation 14J apply to revocation.

— Bill 329, Part 2, Section 12, Regulation 14K

Coordination - Regulation 14L

Under Part 2, Section 12 of Bill 329, Regulation 14L requires coordination where you are designated by multiple authorities:

  • If you are designated by multiple designated competent authorities, each must coordinate the exercise of its functions with the others
  • If you are designated by both designated competent authorities and the Information Commission, they must coordinate with each other
  • The relevant regulators must coordinate to determine whether you meet requirements for designation and by which regulator(s) designation should be made
  • Coordination duties do not apply to the extent that compliance would impose a disproportionate burden

— Bill 329, Part 2, Section 12, Regulation 14L

Obligations as a Critical Supplier

As a critical supplier, you are brought within the regulatory regime that applies to regulated persons. In practice this means you are subject to:

  • Information requests from designated competent authorities or the Information Commission under Regulation 15
  • Inspections under Regulation 16
  • Enforcement notices under Regulation 17 if you fail to comply with requirements
  • Financial penalties under Regulation 18 for non-compliance
  • Any requirements imposed through regulations made under Part 3 of the Bill

⚠️ Important:

The specific obligations you face will depend on the requirements imposed by the designated competent authority or Information Commission. You may be required to provide information, allow inspections, and comply with security requirements.

Penalties for Non-Compliance

Under Part 2, Section 21 of Bill 329, Regulation 18 sets out financial penalties for critical suppliers who fail to comply with requirements:

Higher Maximum Amount (Serious Failures):

Maximum: £17,000,000 or 4% of global turnover (whichever is greater)

Standard Maximum Amount (Administrative Failures):

Maximum: £10,000,000 or 2% of global turnover (whichever is greater)

— Bill 329, Part 2, Section 21, Regulation 18

Benefits of Being Compliant

Business Benefits
  • Demonstrates security maturity to regulated customers
  • Reduces risk of supply chain disruption
  • Improves your competitive position
Strategic Benefits
  • Access to contracts with regulated sectors
  • Builds trust with essential service providers
  • Reduces cyber risk and incident costs

Direct References from Bill 329

Part 2, Section 12 - Critical Suppliers

Regulation 14H sets out the criteria for designating critical suppliers. Regulation 14I sets restrictions on designation. Regulation 14J sets out consultation and procedure. Regulation 14K sets out revocation. Regulation 14L sets out coordination requirements.

Bill 329, Part 2, Section 12, Regulations 14H, 14I, 14J, 14K, 14L
