CSR Bill and Telecoms Supply Chains

In short: The Cyber Security and Resilience Bill does not impose NIS obligations on telecoms operators for their core network and service provision. NIS Regulation 8(1A) and the RMSP definition both exclude PECN/PECS providers. But the Bill catches operators’ IT suppliers as Relevant Managed Service Providers under ICO oversight, and operators running data centres above 1MW as operators of essential services. The compliance pressure is in the supply chain.
The CSR Bill excludes telecoms operators but catches their suppliers
The Cyber Security and Resilience (Network and Information Systems) Bill reached Report Stage in April 2026, expanding the scope of the NIS Regulations 2018 to cover managed service providers, data centres, and critical suppliers for the first time. Telecoms operators are not directly caught. Providers of public electronic communications networks (PECNs) and public electronic communications services (PECSs) remain subject to the separate security framework under the Telecommunications (Security) Act 2021 (TSA 2021), enforced by Ofcom. But the Bill creates new obligations for the IT suppliers, managed service providers, and data centre operators that telecoms networks depend on. For operators, the compliance challenge is not direct regulation under the CSR Bill. It is managing a supply chain that is now subject to a parallel regime under the Information Commissioner.
Two statutory exclusions keep PECN/PECS providers out of NIS scope
The existing NIS framework already separates telecoms from other digital infrastructure sectors. Regulation 8(1A) of the NIS Regulations 2018, inserted by the Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020, provides that a person who provides a PECN or PECS (as defined by section 151(1) of the Communications Act 2003) cannot be designated as an operator of essential services (OES) in respect of those services. This prevents telecoms operators from falling within NIS scope for their core network and service provision.
The CSR Bill reinforces this separation. The RMSP factsheet published by the Department for Science, Innovation and Technology confirms that a person does not provide a “managed service” by virtue of providing a PECN or PECS as defined by the Communications Act 2003. So telecoms operators are excluded from both the OES designation route (Regulation 8(1A)) and the new RMSP category. The rationale is straightforward: PECN/PECS providers are already subject to dedicated security obligations under sections 105A to 105D of the Communications Act 2003 (as inserted by the TSA 2021), enforced by Ofcom with penalties of up to 10% of relevant turnover.
Three ways the CSR Bill reaches telecoms operators indirectly
Although operators themselves are excluded from the CSR Bill for their core PECN/PECS services, the Bill catches entities in their supply chain through three routes.
Managed service providers under ICO oversight
The Bill introduces a new category of Relevant Managed Service Provider (RMSP). An RMSP is defined as a medium or large business (50+ employees or turnover exceeding EUR 10 million) that provides ongoing management of IT systems for customers by connecting to or accessing their network and information systems. This covers IT outsourcing, helpdesks, application management, infrastructure management, and managed security services such as security operations centres (SOCs). RMSPs will be regulated by the Information Commissioner and must register, implement proportionate security measures, and report material incidents within 24 hours.
For telecoms operators, this means that the IT companies managing their network monitoring, incident response, cloud infrastructure, or application support will be directly regulated under the NIS regime. A managed SOC provider running threat detection across a mobile operator’s core network, for example, is an RMSP subject to ICO enforcement even though the operator itself is regulated by Ofcom under the TSA 2021.
Data centre services as essential services
The CSR Bill classifies standalone data centre infrastructure as a new category of essential service. Data centres with rated IT load exceeding 1MW (non-enterprise) or 10MW (enterprise) will be designated as OES under Ofcom’s oversight. Many telecoms operators run their own data centre facilities or co-location services alongside their network operations. Where those facilities exceed the thresholds, the data centre operation falls within NIS scope as an essential service, even though the PECN/PECS elements of the same operator’s business remain governed by the TSA 2021.
Critical supplier designation
The Bill introduces a power for the Secretary of State to designate suppliers as “critical” where their services are essential to multiple regulated entities. Small and micro MSPs, which fall below the RMSP threshold, can still be caught through this route. The designation criteria and duties will be set out in secondary legislation, but the direction of travel is clear: any supplier whose failure would affect the resilience of essential services across multiple sectors is a potential candidate for designation.
Dual notification chains and incident response coordination
The CSR Bill creates a practical coordination challenge for telecoms operators. When a cyber incident affects a managed service provider that supports a telecoms network, two parallel notification obligations arise. The RMSP must notify the Information Commissioner under the NIS Regulations within 24 hours. The telecoms operator, if the incident compromises the security or resilience of its network or service, must notify Ofcom under section 105K of the Communications Act 2003. These are separate statutory duties, with different thresholds, different regulators, and different enforcement regimes.
The penalties reinforce the seriousness of the obligations. RMSPs face fines of up to the higher of GBP 17 million or 4% of worldwide turnover for serious breaches under the amended NIS Regulations. Telecoms operators face penalties of up to 10% of relevant turnover under the TSA 2021. The ICO has called for enhanced inter-regulatory information-sharing mechanisms to manage the overlap, but the detail of how Ofcom and the Information Commissioner will coordinate incident management remains to be worked out in secondary legislation.
| Requirement | TSA 2021 (Telecoms Operators) | CSR Bill / NIS (MSPs & Data Centres) |
|---|---|---|
| Regulated entity | PECN/PECS providers | RMSPs (50+ employees or EUR 10m+ turnover); data centres (1MW+) |
| Regulator | Ofcom | Information Commissioner (RMSPs); Ofcom (data centres) |
| Security duty | Sections 105A-105D CA 2003; Electronic Communications (Security Measures) Regulations 2022 | NIS Regulations 2018 (as amended by CSR Bill) |
| Incident reporting | Section 105K CA 2003 (to Ofcom) | 24-hour initial notification to regulator |
| Maximum penalty | 10% of relevant turnover | Higher of GBP 17m or 4% worldwide turnover |
| Micro-enterprise exemption | Yes (TSA 2021 scope excludes micro-enterprises) | Yes (RMSPs must be medium or large; but micro MSPs catchable as critical suppliers) |
Commercial implications for telecoms operators
The immediate practical consequence is contractual. Telecoms operators will need to review their MSP and IT supplier agreements to ensure they contain adequate security obligations, incident notification provisions, and audit rights that align with the RMSP regime. An operator cannot discharge its own TSA 2021 obligations if its MSP suppliers fail to meet the parallel NIS requirements. The government’s RMSP factsheet notes that RMSPs must register with the Information Commissioner within three months of commencement and implement appropriate measures from the date the provisions come into force.
For operators that run data centre facilities, the threshold question matters. A colocation business with rated IT load above 1MW will need to comply with NIS security and reporting duties for that service, distinct from and additional to its TSA 2021 obligations for its PECN/PECS services. Operators should map their service portfolio to identify which elements fall under which regime. Regulatory perimeter analysis is not optional where the same corporate group provides both telecoms and data centre services.
Procurement processes will also need to adapt. When onboarding new MSPs, operators should assess whether the supplier qualifies as an RMSP and, if so, whether it has registered with the Information Commissioner and can demonstrate compliance with NIS security duties. Due diligence on IT suppliers will increasingly mirror the approach operators already take to high-risk vendor assessments under the TSA 2021 framework.
Viewpoint
The CSR Bill gets the architecture right. Telecoms operators are already subject to one of the more demanding sectoral security regimes in the UK. Layering NIS obligations on top of the TSA 2021 for the same service would have created duplication without improving resilience. The Bill correctly targets the gap: the unregulated MSPs and IT suppliers whose compromise can cascade across the networks they manage.
In practice, though, the compliance burden for operators is real. In my advisory work with scaling telecoms businesses, the operational pain point is rarely the direct regulatory obligation. It is the contract management overhead of ensuring that every MSP, SOC provider and cloud platform in the supply chain meets a standard the operator cannot itself control. The CSR Bill formalises that standard, which I welcome. But the hard work lies in the contractual flow-down and the incident response coordination between two regulators who have historically operated in separate domains.
Operators should begin mapping their MSP and data centre exposure now. The Bill is at Report Stage and expected to receive Royal Assent later in 2026, with phased implementation likely extending into 2027-2028. The secondary legislation setting out detailed RMSP security requirements and incident reporting thresholds has not yet been published. But the scope definitions are settled, and the direction is clear.
Links
Cyber Security and Resilience (Network and Information Systems) Bill (bills.parliament.uk)
CSR Bill factsheets (gov.uk, updated 6 March 2026)
Network and Information Systems Regulations 2018 (legislation.gov.uk)
Telecommunications (Security) Act 2021 (legislation.gov.uk)
Information Commissioner’s Response to the CSR Bill (ico.org.uk)
Telecoms Security: TSA 2021 Compliance (bratby.law)
How we can help
For advice on how the CSR Bill affects your supply chain, or on mapping your service portfolio across the TSA 2021 and NIS regimes, contact Rob Bratby at Bratby Law.
