Public Services CSRB Compliance Guide

Complete guide to Cyber Security and Resilience Bill compliance for local authorities, councils, and government departments. Understand essential service obligations under Bill 329.

Sector Overview

Public services - including local authorities, government departments, and public agencies - are fundamental to the UK's national infrastructure. They deliver vital services like housing, education, social care, and emergency response. Under the Cyber Security and Resilience Bill (Bill 329), public sector organisations providing essential services are regulated as Operators of Essential Services (OES).

Growing Target: With increasing digitisation, public sector organisations have become key targets for cyber attacks, prompting CSRB to strengthen their resilience obligations.

Why Public Services Are In Scope

Under Part 2, Section 3 of Bill 329, Regulation 8 identifies operators of essential services. Local authorities, councils, and government departments that provide essential services are directly in scope. Even if you generate more than half your income from commercial activities, you may still be regulated if you're subject to public authority oversight under Part 2, Section 11.

You may be affected if you:
  • Are an operator of essential services providing services like healthcare, transport, energy, or water (meeting threshold requirements in Schedule 2)
  • Deliver essential public-facing services via digital platforms (housing, education, social care, benefits)
  • Manage critical data or infrastructure that supports day-to-day functioning of society
  • Work with third-party providers that fall under CSRB scope (cloud services, MSPs)
  • Support national resilience or emergency response functions
  • Are subject to public authority oversight and rely on network and information systems
  • Provide cloud computing services, online marketplaces, or managed services (may be regulated as RDSP or RMSP)

Public Authority Oversight:

Under Part 2, Section 11 of Bill 329, a person is subject to public authority oversight if they are subject to the management or control of one or more UK public authorities, or a board more than half of whose members are appointed by UK public authorities. Even if you derive more than half your income from commercial activities, you may still be regulated if you're subject to public authority oversight.

Security Duties - Regulation 10

As an Operator of Essential Services (OES), you must comply with security duties under Regulation 10 of the NIS Regulations:

  • Take appropriate and proportionate technical and organisational measures to manage risks posed to the security of network and information systems on which you rely for the provision of the essential service
  • Take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of those network and information systems
  • Have regard to any relevant guidance issued by your designated competent authority

Incident Reporting Requirements - Regulation 11

Under Part 2, Section 15 of Bill 329, Regulation 11 sets out strict incident reporting requirements:

⚠️ Critical Timeline:

  • 24 Hours: Initial notification must be given before the end of 24 hours beginning with the time you first become aware that an OES incident has occurred or is occurring
  • 72 Hours: Full detailed notification must be given before the end of 72 hours beginning with that time

Required Information in Full Notification:

  • Your name and the essential service to which the incident relates
  • The time the incident occurred, its duration and whether it is ongoing
  • Information concerning the nature of the incident
  • Where the incident was caused by a separate incident affecting another regulated person: details of that separate incident and of the regulated person
  • Information concerning the impact (including any cross-border impact) which the incident has had, is having or is likely to have
  • Such other information as you consider may assist the designated competent authority

Reporting Requirements:

Notifications must be in writing, provided in such form and manner as the designated competent authority determines. You must send a copy of the notification to CSIRT (Computer Security Incident Response Team) at the same time as sending it to the designated competent authority.

— Bill 329, Part 2, Section 15, Regulation 11

Information Requests & Inspections

Under Part 2, Section 20 of Bill 329, Regulation 15 gives designated competent authorities powers to:

  • Require you to give such information or documents as it reasonably requires for exercising its functions
  • Require you to obtain or generate information or documents
  • Require you to collect or retain information that you would not otherwise collect or retain
  • Send information notices whether or not you're established in the UK
  • Request information or documents stored within or outside the United Kingdom

⚠️ Important:

Failure to comply with an information notice is a breach that can result in penalties. Under Schedule 1, Regulation 16, regulators can inspect your premises, examine documents, test your systems, and interview your staff.

— Bill 329, Part 2, Section 20, Regulation 15; Schedule 1, Regulation 16

Penalties for Non-Compliance

Under Part 2, Section 21 of Bill 329, Regulation 18 sets out financial penalties:

Higher Maximum Amount (Serious Failures):

Maximum: £17,000,000 or 4% of global turnover (whichever is greater) for failures including security duties and incident reporting

Standard Maximum Amount (Administrative Failures):

Maximum: £10,000,000 or 2% of global turnover (whichever is greater) for failures including information provision and notification timing

— Bill 329, Part 2, Section 21, Regulation 18

Benefits of CSRB Compliance

Service Continuity

  • Reduces risk of service outages and data loss affecting residents
  • Improves cyber maturity across departments
  • Builds trust with residents and supports continued funding

Governance & Strategy

  • Demonstrates responsible digital governance to auditors and central government
  • Access to guidance from designated competent authorities
  • Better positioning for future digital transformation initiatives

Direct References from Bill 329

Part 2, Section 3 - Identification of Operators of Essential Services

Regulation 8 identifies local authorities, councils, and government departments as operators of essential services where they provide essential services in sectors like transport, energy, water, or health, meeting threshold requirements in Schedule 2.

Bill 329, Part 2, Section 3, Regulation 8

Part 2, Section 11 - Subject to Public Authority Oversight

Regulation 1(3E) defines public authority oversight. Public services subject to public authority oversight may be regulated even if they derive more than half their income from commercial activities, if they provide essential services or digital/managed services.

Bill 329, Part 2, Section 11, Regulation 1(3E)

Need Help with Public Services CSRB Compliance?

Our expert team helps local authorities and government departments implement and prove compliance with CSRB requirements.