
Digital Infrastructure Operators

Digital Infrastructure CSRB Compliance Guide

Complete guide to Cyber Security and Resilience Bill compliance for DNS providers, IXPs, and domain registrars. Understand essential service obligations under Bill 329.

Sector Overview

Digital infrastructure operators are the silent enablers of the UK's online ecosystem. From Domain Name System (DNS) services and internet exchange points (IXPs) to domain registrars and root zone maintainers, these providers ensure the smooth and secure functioning of internet traffic. Under the Cyber Security and Resilience Bill (Bill 329), these foundational services are recognised as essential to national digital resilience.

Essential Recognition: Under CSRB, these foundational services are recognised as essential to national digital resilience, bringing them into direct regulatory scope for the first time.

Why Digital Infrastructure Operators Are In Scope

Digital infrastructure operators may be in scope under Bill 329 in several ways:

You're in scope if you:
  • Are an operator of essential services in the digital infrastructure sector (meeting threshold requirements in Schedule 2)
  • Provide cloud computing services, online marketplaces, or search engines (regulated as RDSP under Part 2, Section 7)
  • Provide managed services, meaning ongoing IT management for digital infrastructure (regulated as RMSP under Part 2, Section 9)
  • Operate authoritative DNS or recursive DNS services used by essential entities or regulated sectors
  • Operate internet exchange points (IXPs) critical to UK routing or peering that support essential services
  • Act as a domain registrar managing .uk domains or infrastructure-critical namespaces
  • Operate any infrastructure service underpinning national internet stability
  • Carry on essential activities or provide activity-critical supplies (subject to Part 3 regulations)
  • May be subject to directions for national security purposes (Part 4)

As Operators of Essential Services (OES)

Digital infrastructure operators providing essential services in the digital infrastructure sector are listed as operators of essential services (OES) in Schedule 2, subject to threshold requirements.

As an OES, you must:
  • Comply with security duties under Regulation 10
  • Report incidents within 24 hours (initial) and 72 hours (full) under Regulation 11
  • Send a copy of incident notifications to CSIRT
  • Comply with information requests and inspections under Regulations 15 and 16
  • Have regard to guidance from your designated competent authority

As Relevant Digital Service Providers (RDSP)

Under Part 2, Section 7 of Bill 329, digital infrastructure operators offering cloud computing services, online marketplaces, or search engines may be regulated as Relevant Digital Service Providers (RDSPs). As an RDSP, you must:

  • Register with the Information Commission within 3 months (Regulation 14)
  • Comply with security duties under Regulation 12
  • Report incidents within 24 hours (initial) and 72 hours (full) under Regulation 12A
  • Notify affected customers as soon as reasonably practicable under Regulation 12C
  • Comply with information requests and inspections

As Relevant Managed Service Providers (RMSP)

Under Part 2, Section 9 of Bill 329, digital infrastructure operators offering managed services (ongoing IT management for digital infrastructure) may be regulated as Relevant Managed Service Providers (RMSPs). As an RMSP, you must:

  • Register with the Information Commission within 3 months (Regulation 14C)
  • Comply with security duties under Regulation 14B
  • Report incidents within 24 hours (initial) and 72 hours (full) under Regulation 14E
  • Notify affected customers as soon as reasonably practicable under Regulation 14G
  • Comply with information requests and inspections

National Security Directions - Part 4

Under Part 4, Section 43 of Bill 329, digital infrastructure operators may be subject to directions for national security purposes:

  • The Secretary of State may give directions if threats relating to network and information systems pose a risk to national security
  • Directions may impose requirements relating to management of systems, provision of information, or prohibitions on use of goods/services
  • You must comply with directions and may be subject to monitoring, information gathering, and inspections under Sections 45-47
  • Penalties for non-compliance with directions: up to £17,000,000 or 10% of turnover, with daily penalties up to £100,000 per day

— Bill 329, Part 4, Sections 43-52

Penalties for Non-Compliance

Digital infrastructure operators face penalties depending on how they're regulated:

Part 2 Penalties (OES/RDSP/RMSP):

Higher Maximum: £17,000,000 or 4% of turnover for serious failures

Standard Maximum: £10,000,000 or 2% of turnover for administrative failures

Part 4 Penalties (National Security Directions):

Maximum: £17,000,000 or 10% of turnover, with daily penalties up to £100,000 per day

— Bill 329, Part 2, Section 21; Part 4, Section 49

Benefits of CSRB Compliance

National Connectivity
  • Protects the stability and availability of the UK's internet backbone
  • Demonstrates resilience to clients, regulators, and stakeholders
  • Supports safe routing, trusted DNS operations, and secure domain management

Strategic Benefits
  • Access to guidance from regulatory authorities
  • Better positioning for government and critical infrastructure contracts
  • Reduces cyber risk and incident costs

Direct References from Bill 329

Schedule 2 - Digital Infrastructure Subsector

Digital infrastructure operators providing essential services in the digital infrastructure sector are listed as operators of essential services (OES) in Schedule 2, subject to threshold requirements.

Bill 329, Schedule 2

Part 4, Section 43 - Directions for National Security

Digital infrastructure operators may be subject to directions for national security purposes if threats relating to network and information systems pose a risk to national security.

Bill 329, Part 4, Section 43
