Universities CSRB Compliance Guide
Complete guide to Cyber Security and Resilience Bill compliance for universities and research institutions. Understand multi-faceted regulatory obligations under Bill 329.
Sector Overview
Universities and research institutions are hubs of innovation, managing vast amounts of sensitive research data, student information, and critical computing infrastructure. Under the Cyber Security and Resilience Bill (Bill 329), universities may be regulated in multiple ways depending on their activities.
Why Universities Are In Scope
Universities may be in scope under Bill 329 in several ways. You're likely in scope if your organisation:
- Is an operator of essential services in sectors like health, energy, or transport (meeting threshold requirements in Schedule 2)
- Provides cloud computing services, online marketplaces, or search engines (regulated as RDSP under Part 2, Section 7)
- Provides managed IT services (regulated as RMSP under Part 2, Section 9)
- Carries on essential activities or provides activity-critical supplies (subject to Part 3 regulations)
- May be subject to directions for national security purposes (Part 4)
- Is subject to public authority oversight and relies on network and information systems
- Manages research with implications for national resilience or security
- Operates or supports high-performance computing (HPC) environments
- Processes sensitive student, staff, or partner data at scale
- Provides infrastructure to regulated sectors through collaboration
Public Authority Oversight:
Under Part 2, Section 11 of Bill 329, universities subject to public authority oversight may be regulated even if they derive more than half their income from commercial activities, if they provide essential services or digital/managed services.
As Operators of Essential Services (OES)
Universities providing essential services in sectors like health, energy, or transport are listed as operators of essential services (OES) in Schedule 2, subject to threshold requirements.
As an OES, you must:
- Comply with security duties under Regulation 10
- Report incidents within 24 hours (initial) and 72 hours (full) under Regulation 11
- Send a copy of incident notifications to CSIRT
- Provide information to your designated competent authority within 3 months under Regulation 8ZA (if providing data centre services)
- Comply with information requests and inspections under Regulations 15 and 16
- Have regard to guidance from your designated competent authority
As Relevant Digital Service Providers (RDSP)
Under Part 2, Section 7 of Bill 329, universities providing cloud computing services, online marketplaces, or search engines may be regulated as Relevant Digital Service Providers (RDSPs):
- Register with the Information Commission within 3 months (Regulation 14)
- Comply with security duties under Regulation 12
- Report incidents within 24 hours (initial) and 72 hours (full) under Regulation 12A
- Notify affected customers as soon as reasonably practicable under Regulation 12C
- Comply with information requests and inspections
As Relevant Managed Service Providers (RMSP)
Under Part 2, Section 9 of Bill 329, universities providing managed IT services may be regulated as Relevant Managed Service Providers (RMSPs):
- Register with the Information Commission within 3 months (Regulation 14C)
- Comply with security duties under Regulation 14B
- Report incidents within 24 hours (initial) and 72 hours (full) under Regulation 14E
- Notify affected customers as soon as reasonably practicable under Regulation 14G
- Comply with information requests and inspections
Essential Activities & Activity-Critical Supplies
Under Part 3, Section 24 of Bill 329, universities may carry on essential activities or provide activity-critical supplies, subjecting them to additional security and resilience requirements:
- May be subject to regulations under Section 29 relating to security and resilience of network and information systems
- May be subject to requirements imposed under Section 30
- May be subject to enforcement, sanctions, and appeals under Section 31
- May be subject to financial penalties up to £17,000,000 or 10% of turnover under Section 32
- Must have regard to codes of practice issued under Section 36
National Security Directions - Part 4
Under Part 4, Section 43 of Bill 329, universities may be subject to directions for national security purposes:
- The Secretary of State may give directions if threats relating to network and information systems pose a risk to national security
- Directions may impose requirements relating to management of systems, provision of information, or prohibitions on use of goods/services
- You must comply with directions and may be subject to monitoring, information gathering, and inspections under Sections 45-47
- Penalties for non-compliance with directions: up to £17,000,000 or 10% of turnover, with daily penalties up to £100,000 per day
— Bill 329, Part 4, Sections 43-52
Penalties for Non-Compliance
Universities face penalties depending on how they're regulated:
Part 2 Penalties (OES/RDSP/RMSP):
- Higher maximum: £17,000,000 or 4% of turnover for serious failures
- Standard maximum: £10,000,000 or 2% of turnover for administrative failures
Part 3 Penalties (Essential Activities):
- Maximum: £17,000,000 or 10% of turnover
Part 4 Penalties (National Security Directions):
- Maximum: £17,000,000 or 10% of turnover, with daily penalties up to £100,000 per day
— Bill 329, Part 2, Section 21; Part 3, Section 32; Part 4, Section 49
Benefits of CSRB Compliance
Research Protection
- Protects data and research environments from cyber threats
- Supports funding, collaboration, and government trust
- Strengthens cyber maturity across academic networks
Strategic Benefits
- Futureproofs institutions in a security-driven digital landscape
- Access to guidance from regulatory authorities
- Better positioning for government-backed research programmes
Direct References from Bill 329
Schedule 2 - Essential Services
Universities providing essential services in sectors like health, energy, or transport are listed as operators of essential services (OES) in Schedule 2, subject to threshold requirements.
Bill 329, Schedule 2
Part 2, Section 11 - Subject to Public Authority Oversight
Regulation 1(3E) defines public authority oversight. Universities subject to public authority oversight may be regulated even if they derive more than half their income from commercial activities, if they provide essential services or digital/managed services.
Bill 329, Part 2, Section 11, Regulation 1(3E)
Part 3, Section 24 - Essential Activities
Universities may carry on essential activities or provide activity-critical supplies, subjecting them to additional security and resilience requirements under Part 3.
Bill 329, Part 3, Section 24
Part 4, Section 43 - Directions for National Security
Universities may be subject to directions for national security purposes if threats relating to network and information systems pose a risk to national security.
Bill 329, Part 4, Section 43
Need Help with University CSRB Compliance?
Our expert team helps universities and research institutions navigate multi-faceted CSRB requirements.