Data Centre CSRB Compliance Guide

Complete guide to Cyber Security and Resilience Bill compliance for Data Centre Operators. Understand threshold requirements, registration, and incident reporting under Bill 329.

Sector Overview

Data centres are the physical backbone of the digital world - powering cloud platforms, AI workloads, public services, and essential systems. Under the Cyber Security and Resilience Bill (Bill 329), data centres meeting specific capacity thresholds are regulated as Operators of Essential Services (OES) in the data infrastructure subsector.

Critical Infrastructure: Data centres are now recognised as essential services due to their role in supporting critical national infrastructure and the digital economy.

What is a Data Centre Service Under CSRB?

According to Part 2, Section 4 of Bill 329, Schedule 2, paragraph 11, a "data centre service" is defined as:

"A service consisting of the provision of a physical structure (a 'data centre') which: (a) contains an area for the housing, connection and operation of relevant IT equipment, and (b) provides supporting infrastructure for or in connection with the operation of relevant IT equipment."

— Bill 329, Part 2, Section 4, Schedule 2, paragraph 11(4)

Key Definitions:
  • Relevant IT equipment: equipment used for the purposes of providing information technology services
  • Supporting infrastructure: includes (a) infrastructure for the supply of electricity, (b) infrastructure for environmental control (heating, ventilation, air conditioning, control of airborne dust, humidity, flames), (c) infrastructure to ensure the security of the data centre and IT equipment, (d) infrastructure to ensure the resilience of the data centre and IT equipment
  • Structure: includes a building or part of a building, and references to a structure include references to a group of structures

— Bill 329, Part 2, Section 4, Schedule 2, paragraph 11(5), (6), (8)

Threshold Requirements - Are You Regulated?

Under Part 2, Section 4 of Bill 329, Schedule 2, paragraph 11, data centres are regulated based on their "rated IT load":

Non-Enterprise Data Centres

1 Megawatt

For data centre services provided in the UK, otherwise than on an enterprise basis, the threshold requirement is that the rated IT load is equal to or greater than 1 megawatt.

Enterprise Data Centres

10 Megawatts

For data centre services provided in the UK on an enterprise basis, the threshold requirement is that the rated IT load is equal to or greater than 10 megawatts.

What is Rated IT Load?

The "rated IT load" of a data centre is:

"The maximum electrical power available for the operation of relevant IT equipment housed in the data centre"

— Bill 329, Part 2, Section 4, Schedule 2, paragraph 11(8)(b)

Enterprise Basis Definition:

A data centre service is provided on an "enterprise basis" if:

  • The data centre is owned or managed by a person in connection with the carrying on of an undertaking by that person, and
  • The sole purpose of the data centre is to provide information technology services for that undertaking

— Bill 329, Part 2, Section 4, Schedule 2, paragraph 11(7)

Regulatory Authority

Under Part 2, Section 4 of Bill 329, the designated competent authorities for the data infrastructure subsector are:

The Secretary of State for Science, Innovation and Technology and the Office of Communications (Ofcom) acting jointly

— Bill 329, Part 2, Section 4, Schedule 1

Information Requirements - Regulation 8ZA

Under Part 2, Section 13 of Bill 329, Regulation 8ZA requires data centre operators to provide information:

Information You Must Provide (within 3 months):
  • The person's name
  • The person's proper address (registered/principal office for companies, principal office for partnerships, or address for service of documents)
  • Where the person is a body corporate: the names of the directors
  • Where the person is a partnership: the names of the partners or persons having control or management of the partnership business
  • Up-to-date contact details (including email addresses and telephone numbers)

Update Requirements:

You must notify the designated competent authority in writing of any change to the information listed above as soon as reasonably practicable, and in any event before the end of the period of 7 days beginning with the day on which the change took effect.

— Bill 329, Part 2, Section 13, Regulation 8ZA

Security Duties

As an Operator of Essential Services (OES) in the data infrastructure subsector, you must comply with security duties under Regulation 10 of the NIS Regulations:

  • Take appropriate and proportionate technical and organisational measures to manage risks posed to the security of network and information systems on which you rely for the provision of the essential service
  • Take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of those network and information systems
  • Have regard to any relevant guidance issued by the designated competent authority

Incident Reporting Requirements - Regulation 11A

Under Part 2, Section 15 of Bill 329, Regulation 11A sets out specific incident reporting requirements for data centre services:

⚠️ Critical Timeline:

  • 24 Hours: Initial notification must be given before the end of 24 hours beginning with the time you first become aware that a data centre incident has occurred or is occurring
  • 72 Hours: Full detailed notification must be given before the end of 72 hours beginning with that time

What is a Data Centre Incident?

A "data centre incident" means an incident which could have had, has had, is having or is likely to have:

  • A significant impact on the operation or security of the network and information systems relied on to provide the data centre service in the United Kingdom, or
  • A significant impact on the continuity of the data centre service provided in the United Kingdom, or
  • Any other impact, in the United Kingdom or any part of it, which is significant

Required Information in Full Notification:
  • The OES's name and the data centre service to which the incident relates
  • The time the incident occurred, its duration and whether it is ongoing
  • Information concerning the nature of the incident
  • Where the incident was caused by a separate incident affecting another regulated person: details of that separate incident and of the regulated person
  • Information concerning the impact (including any cross-border impact) which the incident could have had, has had, is having or is likely to have
  • Such other information as the OES considers may assist the designated competent authority in exercising its functions

Reporting Requirements:

Notifications must be in writing, provided in such form and manner as the designated competent authority determines. You must send a copy of the notification to CSIRT (Computer Security Incident Response Team) at the same time as sending it to the designated competent authority.

— Bill 329, Part 2, Section 15, Regulation 11A

Customer Notification Requirements - Regulation 11C

After giving a full notification under Regulation 11A, Part 2, Section 16 requires you to notify affected customers:

  • You must, as soon as reasonably practicable, take reasonable steps to establish which of your customers in the United Kingdom are likely to be adversely affected by the incident
  • After those steps have been taken, you must notify those customers of the incident
  • When considering whether a customer is likely to be adversely affected, you must take into account: (a) the extent of any actual or likely disruption to the provision of the data centre service, (b) whether the confidentiality, authenticity, integrity or availability of any data relating to the customer is likely to be compromised, and (c) any other impact on network and information systems of the customer
  • A notification must provide details of the nature of the incident and explain why you consider that the customer is likely to be adversely affected by the incident

— Bill 329, Part 2, Section 16, Regulation 11C

Crown Application

Under Part 2, Section 5 of Bill 329, data centre services provided by or on behalf of the Crown are generally subject to the NIS Regulations, with specific exemptions:

Exemptions:

The regulations do not apply to data centre services provided by or on behalf of the Crown where:

  • The person providing the service is the Security Service, the Secret Intelligence Service, or GCHQ, or
  • The service is provided on a commercial basis on behalf of His Majesty's Government and is provided for the purpose of enabling the storage, processing or transmission of information or other material which is classified as 'secret' or 'top secret'

— Bill 329, Part 2, Section 5, Regulation 8(7ZB)

Penalties for Non-Compliance

Under Part 2, Section 21 of Bill 329, Regulation 18 sets out financial penalties for Operators of Essential Services:

Higher Maximum Amount (Serious Failures):

For failures including:

  • Failure to fulfil security duties under regulation 10(1) and (2)
  • Failure to give notification in relation to an incident as required by regulation 11A(2)
  • Failure to comply with regulation 11A(5) and (6) in relation to a notification
  • Failure to comply with regulation 11C(2)(b) and (4) - customer notification

Maximum: £17,000,000 or 4% of global turnover (whichever is greater)

Standard Maximum Amount (Administrative Failures):

For failures including:

  • Failure to comply with requirements in regulation 8ZA - information requirements
  • Failure to comply with regulation 11A(7) - sending copy to CSIRT

Maximum: £10,000,000 or 2% of global turnover (whichever is greater)

— Bill 329, Part 2, Section 21, Regulation 18

Benefits of CSRB Compliance

Competitive Advantage
  • Demonstrate security maturity to enterprise clients
  • Access high-value contracts with regulated sectors
  • Stand out from competitors who aren't compliant

Business Benefits
  • Build stronger client trust and improve retention
  • Reduce cyber risk and incident costs
  • Improve your security posture and resilience

Direct References from Bill 329

Part 2, Section 4 - Data Centres to be Regulated as Essential Services

Adds data infrastructure subsector to Schedule 1 (designated competent authorities) and Schedule 2 (essential services and threshold requirements). Defines data centre service, rated IT load, and sets thresholds: 1MW for non-enterprise data centres, 10MW for enterprise data centres.

Bill 329, Part 2, Section 4, Schedule 2, paragraph 11

Part 2, Section 5 - Operators of Data Centre Services: Crown Application

Sets out that data centre services provided by or on behalf of the Crown are generally subject to the NIS Regulations, with exemptions for Security Service, Secret Intelligence Service, GCHQ, and services handling 'secret' or 'top secret' classified information.

Bill 329, Part 2, Section 5, Regulation 8(7ZA), (7ZB)

Part 2, Section 13 - Provision of Information by Operators of Data Centre Services

Regulation 8ZA requires data centre operators to provide information to the designated competent authority within 3 months, including company name, address, directors/partners, and contact details. Changes must be notified within 7 days.

Bill 329, Part 2, Section 13, Regulation 8ZA

Part 2, Section 15 - Incident Reporting for Data Centre Services

Regulation 11A requires data centre operators to report incidents within 24 hours (initial notification) and 72 hours (full notification) to the designated competent authority, with a copy to CSIRT simultaneously. Regulation 11C requires notification of affected UK customers as soon as reasonably practicable.

Bill 329, Part 2, Section 15, Regulations 11A and 11C

Need Help with Data Centre CSRB Compliance?

Our expert team helps Data Centre Operators implement and prove compliance with CSRB requirements.