Telecommunications Providers

Telecommunications CSRB Compliance Guide

Complete guide to Cyber Security and Resilience Bill compliance for telecommunications providers and ISPs. Understand regulatory obligations under Bill 329.

Sector Overview

Telecommunications networks are the foundation of national connectivity - powering everything from emergency calls and broadband to cloud services and digital business. As enablers of nearly every other regulated sector, telecoms and ISPs are critical to the UK's digital resilience. Under the Cyber Security and Resilience Bill (Bill 329), telecommunications providers may be regulated in multiple ways depending on their activities.

Critical Infrastructure: CSRB recognises telecoms' importance by extending compliance obligations across the industry, treating them as vital to national security and digital continuity.

Core Telecom Services Exclusion

Under Part 2, Section 3 of Bill 329, Regulation 8(1A) provides:

"Paragraph (1) does not apply to a person in relation to the provision by the person of a public electronic communications network or a public electronic communications service (in each case as defined by section 151(1) of the Communications Act 2003)."

— Bill 329, Part 2, Section 3, Regulation 8(1A)

Important:

Core public electronic communications networks and services are excluded from being operators of essential services. However, telecommunications providers may still be regulated through other means under CSRB.

Why Telecommunications Providers Are In Scope

While core telecom services are excluded from OES status, telecommunications providers may still be in scope. You're in scope if your organisation:

  • Provides managed services - ongoing IT management, not just connectivity (regulated as RMSP under Part 2, Section 9)
  • Provides cloud computing services - separate from core telecom services (regulated as RDSP under Part 2, Section 7)
  • Carries on essential activities or provides activity-critical supplies (subject to Part 3 regulations)
  • May be subject to directions for national security purposes (Part 4)
  • Delivers broadband or mobile services to the public or critical organisations
  • Manages backbone or last-mile telecom infrastructure
  • Supports emergency services, government networks, or public communications
  • Provides managed voice, video, or data services at scale (as managed services, not core telecom)

Digital Services Exclusion:

Under Part 2, Section 7 of Bill 329, Regulation 1(3A) excludes public electronic communications networks/services from being relevant digital services. However, if you provide cloud computing services separate from core telecom services, you may be regulated as an RDSP.

As Managed Service Providers (RMSP)

Under Part 2, Section 9 of Bill 329, telecommunications providers offering managed services (ongoing IT management, not just connectivity) may be regulated as Relevant Managed Service Providers (RMSPs):

  • Register with the Information Commission within 3 months (Regulation 14C)
  • Comply with security duties under Regulation 14B
  • Report incidents within 24 hours (initial) and 72 hours (full) under Regulation 14E
  • Notify affected customers as soon as reasonably practicable under Regulation 14G
  • Comply with information requests and inspections

As Cloud Service Providers (RDSP)

Under Part 2, Section 7 of Bill 329, telecommunications providers offering cloud computing services separate from core telecom services may be regulated as Relevant Digital Service Providers (RDSPs):

  • Register with the Information Commission within 3 months (Regulation 14)
  • Comply with security duties under Regulation 12
  • Report incidents within 24 hours (initial) and 72 hours (full) under Regulation 12A
  • Notify affected customers as soon as reasonably practicable under Regulation 12C
  • Comply with information requests and inspections

Essential Activities & Activity-Critical Supplies

Under Part 3, Section 24 of Bill 329, telecommunications providers may carry on essential activities or provide activity-critical supplies, subjecting them to additional security and resilience requirements:

  • May be subject to regulations under Section 29 relating to security and resilience of network and information systems
  • May be subject to requirements imposed under Section 30
  • May be subject to enforcement, sanctions, and appeals under Section 31
  • May be subject to financial penalties up to £17,000,000 or 10% of turnover under Section 32
  • Must have regard to codes of practice issued under Section 36

National Security Directions - Part 4

Under Part 4, Section 43 of Bill 329, telecommunications providers may be subject to directions for national security purposes:

  • The Secretary of State may give directions if threats relating to network and information systems pose a risk to national security
  • Directions may impose requirements relating to management of systems, provision of information, or prohibitions on use of goods/services
  • You must comply with directions and may be subject to monitoring, information gathering, and inspections under Sections 45-47
  • Penalties for non-compliance with directions: up to £17,000,000 or 10% of turnover, with daily penalties up to £100,000 per day

— Bill 329, Part 4, Sections 43-52

Penalties for Non-Compliance

Telecommunications providers face penalties depending on how they're regulated:

Part 2 Penalties (RMSP/RDSP):

Higher Maximum: £17,000,000 or 4% of turnover for serious failures

Standard Maximum: £10,000,000 or 2% of turnover for administrative failures

Part 3 Penalties (Essential Activities):

Maximum: £17,000,000 or 10% of turnover

Part 4 Penalties (National Security Directions):

Maximum: £17,000,000 or 10% of turnover, with daily penalties up to £100,000 per day

— Bill 329, Part 2, Section 21; Part 3, Section 32; Part 4, Section 49

Benefits of CSRB Compliance

Infrastructure Trust

  • Demonstrates infrastructure trustworthiness to clients and government
  • Improves preparedness for cyber incidents and outages
  • Strengthens positioning in public and enterprise procurement

Strategic Benefits

  • Supports long-term investment in fibre rollout and 5G expansion
  • Better alignment with existing Ofcom requirements
  • Access to guidance from regulatory authorities

Direct References from Bill 329

Part 2, Section 3 - Exclusion of Core Public Electronic Communications

Regulation 8(1A) excludes core public electronic communications networks and services from being operators of essential services, but telecoms providers may still be regulated through other means.

Bill 329, Part 2, Section 3, Regulation 8(1A)

Part 2, Section 7 - Digital Services Exclusion

Regulation 1(3A) excludes public electronic communications networks/services from being relevant digital services, but telecoms providers offering cloud computing services separate from core telecom services may be regulated as RDSPs.

Bill 329, Part 2, Section 7, Regulation 1(3A)

Part 2, Section 9 - Managed Service Providers

Telecoms providers offering managed services (ongoing IT management, not just connectivity) may be regulated as relevant managed service providers (RMSPs).

Bill 329, Part 2, Section 9

Part 4, Section 43 - Directions for National Security

Telecommunications providers may be subject to directions for national security purposes if threats relating to network and information systems pose a risk to national security.

Bill 329, Part 4, Section 43
