Cyber rules would reach data centres

A Data Center Knowledge report says the UK's proposed Cyber Resilience Bill would bring data centres and medium‑to‑large managed service providers into the scope of Network and Information Systems regulations. That would expand cyber‑resilience obligations from departments to the infrastructure layer that hosts public services. (datacenterknowledge.com)

Britain’s cyber bill would pull data centres into the same security rulebook that already covers essential services such as water, transport and parts of digital infrastructure. (gov.uk) The measure sits inside the Cyber Security and Resilience Bill, which the government introduced to Parliament on 12 November 2025 to amend the Network and Information Systems Regulations 2018. Those rules already require covered operators to take proportionate security steps and report serious incidents to regulators. (gov.uk)

Under the bill, UK data centres above capacity thresholds would have to notify Ofcom, provide structured information, put resilience controls in place and report significant incidents. Ofcom would regulate them as operators of an essential service in a new “data infrastructure” sector. (gov.uk)

The bill would also bring medium and large managed service providers into scope if they meet the definition of a relevant managed service provider. Those companies would have to secure the networks and systems behind their services and report major incidents to the Information Commission. (gov.uk)

That would shift the focus from protecting only the agencies and front-line services people see to also regulating the back-room infrastructure that stores records, runs applications and connects suppliers. The government says the current framework does not reflect how much public services and businesses now depend on outsourced computing and managed information technology. (gov.uk)

The case for change is partly about concentration. The government says 80% of UK data-centre revenue comes from 10 operators that control about two-thirds of live capacity, which can magnify the effect of a single outage. (gov.uk) Officials point to July 2022, when two data centres serving a National Health Service trust failed during a heatwave, knocking out most clinical information technology systems at three hospitals and forcing £1.4 million in unplanned technology spending. The same factsheet says 28% of UK businesses, and 62% of large businesses, rely on data-centre services. (gov.uk)

Managed service providers are in the bill for a different reason: one supplier can become a route into many customers at once. The government cites Operation Cloud Hopper and a May 2024 attack linked to a Ministry of Defence payroll supplier that exposed the data of about 270,000 serving personnel, reservists and veterans. (gov.uk)

The move follows the government’s decision on 12 September 2024 to designate UK data centres as Critical National Infrastructure, putting them alongside sectors such as energy and water for incident support and national-security planning. The bill would add a regulatory layer to that designation. (gov.uk)

The bill is still moving through Parliament, and the Department for Science, Innovation and Technology updated its factsheets on 6 March 2026 after committee-stage discussions. If ministers keep the current text, data-centre operators and larger managed service providers would face a more formal cyber regime built around notification, risk controls and incident reporting. (gov.uk)
