Ofcom is gearing up to take on a broader role in regulating datacentres as part of the government’s efforts to bolster the UK’s cyber defences through the Cyber Security and Resilience Bill (CSRB).
This news came out during a session with the Science, Innovation and Technology Committee on May 20, 2025. Ofcom CEO Dame Melanie Dawes and Natalie Black, Ofcom's networks and communications director, discussed threats to the UK’s cyber security, particularly from foreign actors. The committee pressed them on where vulnerabilities lie in the current system.
Black highlighted that two-factor authentication and employee training are crucial for protecting company data. She emphasised that security should be integrated into the infrastructure design from the beginning. She also noted the challenges posed by third-party suppliers.
When asked if the CSRB adequately addresses these vulnerabilities, Black pointed out that similar issues are already being tackled through other legislation. She stressed that the CSRB is a chance to improve and adapt in response to emerging threats.
Announced in the King’s Speech in July 2024, the CSRB aims to strengthen cyber defences against both financially motivated criminals and state-sponsored attacks. Dawes confirmed that datacentres will fall under the bill’s regulatory scope. She mentioned that Minister Chris Bryant had approached Ofcom about expanding its oversight to include datacentres.
Reports suggest that Ofcom is preparing for this regulatory responsibility, in line with the part of the CSRB that covers the Network and Information Systems Regulations. When Computer Weekly reached out to the Department for Science, Innovation and Technology (DSIT), the department declined to offer more details. Ofcom pointed to the CSRB policy statement for information on how datacentres will be impacted.
The statement outlines that datacentres designated as critical national infrastructure will receive regulatory scrutiny. Specifically, datacentres with capacities of 1MW or more will be subject to regulation, while enterprise datacentres only fall under these rules if they exceed 10MW.
The government believes that regulating datacentres will enhance protection across the sector and enable secure growth, ensuring that both the government and regulators can effectively respond to evolving cyber threats.