NHS CSRB Compliance Guide
Complete guide to Cyber Security and Resilience Bill compliance for NHS Trusts, Integrated Care Boards, and healthcare providers. Understand essential service obligations under Bill 329.
Sector Overview
The NHS delivers vital health services to millions of UK citizens daily. Its digital infrastructure underpins everything from patient records and appointment systems to emergency response and prescription services. Under the Cyber Security and Resilience Bill (Bill 329), NHS organisations are regulated as Operators of Essential Services (OES) in the health sector.
Why NHS Organisations Are In Scope
Healthcare services are listed as essential services in Schedule 2 of the NIS Regulations. NHS Trusts, Integrated Care Boards (ICBs), and healthcare providers that meet the threshold requirements are directly in scope as Operators of Essential Services (OES). Following high-profile cyber incidents that disrupted NHS services - including ransomware attacks on third-party suppliers - CSRB strengthens cyber regulation for NHS organisations and their digital infrastructure.
You're in scope if your organisation:
- Is an operator of essential services in the health sector (meets threshold requirements)
- Is an NHS Trust, Integrated Care Board (ICB), or NHS provider
- Delivers NHS services or commissioned digital health services
- Processes sensitive personal and medical data through network and information systems
- Relies on digital systems for patient care, appointments, prescriptions, or clinical operations
- Is part of the health sector's critical supply chain
- Provides managed services or cloud services to NHS organisations (may be regulated as RMSP or RDSP)
Critical Suppliers:
Under Part 2, Section 12 of Bill 329, suppliers to NHS organisations can be designated as critical suppliers if their failure could disrupt essential services and have significant impact on the economy or day-to-day functioning of society. This includes IT suppliers, medical device manufacturers, and other critical infrastructure providers.
Security Duties - Regulation 10
As an Operator of Essential Services (OES) in the health sector, you must comply with security duties under Regulation 10 of the NIS Regulations:
- Take appropriate and proportionate technical and organisational measures to manage risks posed to the security of network and information systems on which you rely for the provision of the essential service
- Take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of those network and information systems
- Have regard to any relevant guidance issued by your designated competent authority
Patient Safety Focus:
For NHS organisations, cyber resilience is patient safety. CSRB compliance strengthens the digital backbone of UK healthcare, improving clinical and operational continuity, protecting sensitive health data, and building public confidence in digital health systems.
Incident Reporting Requirements - Regulation 11
Under Part 2, Section 15 of Bill 329, Regulation 11 sets out strict incident reporting requirements for Operators of Essential Services:
⚠️ Critical Timeline:
Initial notification within 24 hours and full notification within 72 hours to the designated competent authority, with a copy sent to CSIRT at the same time.
What is an OES Incident?
An incident is an "OES incident" if:
- The incident has affected or is affecting the operation or security of the network and information systems relied on to provide the essential service
- The impact of the incident in the United Kingdom or any part of it has been, is or is likely to be significant having regard to factors including: extent of disruption, number of users affected, duration, geographical area, and data confidentiality/authenticity/integrity/availability compromise
Required Information in Full Notification:
- Your name and the essential service to which the incident relates
- The time the incident occurred, its duration and whether it is ongoing
- Information concerning the nature of the incident
- Where the incident was caused by a separate incident affecting another regulated person: details of that separate incident and of the regulated person
- Information concerning the impact (including any cross-border impact) which the incident has had, is having or is likely to have
- Such other information as you consider may assist the designated competent authority in exercising its functions
Reporting Requirements:
Notifications must be in writing, provided in such form and manner as the designated competent authority determines. You must send a copy of the notification to CSIRT (Computer Security Incident Response Team) at the same time as sending it to the designated competent authority.
— Bill 329, Part 2, Section 15, Regulation 11
Patient & Customer Notification
For NHS organisations, patient safety and transparency are paramount. While Bill 329 doesn't specifically require patient notification for health sector OES (unlike data centres and digital services), you should consider:
- Notifying affected patients and customers as soon as reasonably practicable if they're likely to be adversely affected by an incident
- The impact on patient care, data confidentiality, and service continuity
- Following NHS data breach notification requirements under GDPR and other applicable regulations
- Coordinating with your designated competent authority on public disclosure if necessary to manage the threat or prevent future attacks
Information Requests & Inspections
Under Part 2, Section 20 of Bill 329, Regulation 15 gives designated competent authorities powers to:
- Require you to give such information or documents as it reasonably requires for exercising its functions
- Require you to obtain or generate information or documents
- Require you to collect or retain information that you would not otherwise collect or retain
- Send information notices whether or not you're established in the UK
- Request information or documents stored within or outside the United Kingdom
⚠️ Important:
Failure to comply with an information notice is a breach that can result in penalties. You cannot be required to provide privileged communications (legal advice protected by legal professional privilege).
— Bill 329, Part 2, Section 20, Regulation 15
Penalties for Non-Compliance
Under Part 2, Section 21 of Bill 329, Regulation 18 sets out financial penalties for Operators of Essential Services:
Higher Maximum Amount (Serious Failures):
For failures including:
- Failure to fulfil security duties under regulation 10(1) and (2)
- Failure to notify an incident under regulation 11(2)
- Failure to comply with regulation 11(6) and (7) in relation to notification requirements
Maximum: £17,000,000 or 4% of global turnover (whichever is greater)
Standard Maximum Amount (Administrative Failures):
For failures including:
- Failure to comply with regulation 11(8) - sending copy to CSIRT
- Failure to comply with information notices under regulation 15
Maximum: £10,000,000 or 2% of global turnover (whichever is greater)
— Bill 329, Part 2, Section 21, Regulation 18
Benefits of CSRB Compliance
Patient Safety & Continuity
- Improves clinical and operational continuity
- Protects sensitive health data from compromise
- Builds public confidence in digital health systems
Strategic Benefits
- Supports long-term NHS Digital transformation goals
- Reduces cyber risk and incident costs
- Strengthens supply chain security
Direct References from Bill 329
Part 2, Section 3 - Identification of Operators of Essential Services
Regulation 8 applies to persons whether or not established in the UK, and allows designation of operators of essential services including health sector services. Healthcare services are listed as essential services in Schedule 2.
Bill 329, Part 2, Section 3, Regulation 8
Part 2, Section 15 - Incident Reporting
Regulation 11 requires OES to report incidents within 24 hours (initial notification) and 72 hours (full notification) to the designated competent authority, with a copy to CSIRT simultaneously.
Bill 329, Part 2, Section 15, Regulation 11
Part 2, Section 12 - Critical Suppliers
Regulation 14H allows designated competent authorities to designate suppliers to NHS organisations as critical suppliers if their failure could disrupt essential services and have significant impact on the economy or day-to-day functioning of society.
Bill 329, Part 2, Section 12, Regulation 14H
Need Help with NHS CSRB Compliance?
Our expert team helps NHS organisations implement and prove compliance with CSRB requirements while maintaining patient safety and service continuity.