Large SaaS CSRB Compliance Guide
Complete guide to Cyber Security and Resilience Bill compliance for large SaaS platforms and enterprise software vendors. Understand regulatory obligations under Bill 329.
Sector Overview
Large SaaS platforms and enterprise software vendors provide critical operational tools to both public and private sectors. Their applications - ranging from HR and payroll to enterprise resource planning (ERP) - underpin the smooth running of essential services. Under the Cyber Security and Resilience Bill (Bill 329), these vendors are now in scope, recognising their critical importance to national operations.
Why SaaS Vendors Are In Scope
Large SaaS and enterprise software vendors may be in scope under Bill 329 in several ways. You're in scope if you:
- Provide cloud computing services (SaaS, PaaS, IaaS) that are not managed services (regulated as RDSP under Part 2, Section 7)
- Provide managed services - ongoing IT management, support, monitoring, or active administration (regulated as RMSP under Part 2, Section 9)
- Are designated as a critical supplier if supplying goods or services to regulated organisations (Part 2, Section 12, Regulation 14H)
- Provide services used by operators of essential or digital services and rely on network and information systems
- Host or process sensitive client data (employee records, financials, patient data) for regulated sectors
- Offer software that supports core operations (payroll, HR, ERP) for essential services or regulated organisations
- Are not a micro or small enterprise (as defined by Commission Recommendation 2003/361/EC)
- Provide services in the UK (even if your company is based elsewhere)
- Carry on essential activities or provide activity-critical supplies (subject to Part 3 regulations)
- May be subject to directions for national security purposes (Part 4)
As Relevant Digital Service Providers (RDSP)
Under Part 2, Section 7 of Bill 329, SaaS vendors providing cloud computing services (IaaS, PaaS, SaaS) that are not managed services may be regulated as Relevant Digital Service Providers (RDSPs):
- Register with the Information Commission within 3 months (Regulation 14)
- Comply with security duties under Regulation 12
- Report incidents within 24 hours (initial) and 72 hours (full) under Regulation 12A
- Notify affected customers as soon as reasonably practicable under Regulation 12C
- Comply with information requests and inspections
As Relevant Managed Service Providers (RMSP)
Under Part 2, Section 9 of Bill 329, SaaS vendors providing managed services (ongoing IT management) may be regulated as Relevant Managed Service Providers (RMSPs):
- Register with the Information Commission within 3 months (Regulation 14C)
- Comply with security duties under Regulation 14B
- Report incidents within 24 hours (initial) and 72 hours (full) under Regulation 14E
- Notify affected customers as soon as reasonably practicable under Regulation 14G
- Comply with information requests and inspections
As Critical Suppliers
Under Part 2, Section 12 of Bill 329 (Regulation 14H), SaaS vendors may be designated as critical suppliers if they supply goods or services to regulated organisations and their failure could cause significant disruption. Designation applies where:
- You supply goods or services directly to an OES, RDSP, or RMSP
- You rely on network and information systems for the purposes of that supply
- An incident affecting your systems has the potential to cause disruption to essential services, relevant digital services, or managed services
- Any such disruption is likely to have a significant impact on the economy or day-to-day functioning of society
Once designated:
- You must comply with information requests, inspections, and enforcement notices
- You may be subject to financial penalties for non-compliance
— Bill 329, Part 2, Section 12, Regulation 14H
Penalties for Non-Compliance
SaaS vendors face penalties depending on how they're regulated:
Part 2 Penalties (RDSP/RMSP):
- Higher maximum: £17,000,000 or 4% of turnover for serious failures
- Standard maximum: £10,000,000 or 2% of turnover for administrative failures
— Bill 329, Part 2, Section 21, Regulation 18
Benefits of CSRB Compliance
Competitive Advantage
- Position your platform as resilient and enterprise-grade for regulated customers
- Meet growing procurement requirements from regulated customers (OES, RDSPs, RMSPs)
- Open new regulated market opportunities in essential services and digital services
Business Benefits
- Reduce breach risk through better governance and testing
- Enhance customer confidence and retention in competitive SaaS markets
- Access guidance from the Information Commission
Direct References from Bill 329
Part 2, Section 7 - Digital Services
SaaS vendors providing cloud computing services (IaaS, PaaS, SaaS) that are not managed services may be regulated as relevant digital service providers (RDSPs).
Bill 329, Part 2, Section 7
Part 2, Section 9 - Managed Service Providers
SaaS vendors providing managed services (ongoing IT management) may be regulated as relevant managed service providers (RMSPs).
Bill 329, Part 2, Section 9
Part 2, Section 12 - Critical Suppliers
Regulation 14H allows designation of SaaS vendors as critical suppliers if they supply goods or services to regulated organisations and their failure could cause significant disruption.
Bill 329, Part 2, Section 12, Regulation 14H
Need Help with SaaS CSRB Compliance?
Our expert team helps large SaaS platforms and enterprise software vendors implement and prove compliance with CSRB requirements.