OrganisationGB

Ofcom

UK communications regulator designated joint overseer of data centres as essential services under the Cyber Security and Resilience Bill.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

Why is Ofcom being given cybersecurity powers over UK data centres?

Timeline for Ofcom

#117 Apr

UK 24-hour reporting bill at Report

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

What new powers is Ofcom getting over data centres?: Under the Cyber Security and Resilience Bill, which was at Report Stage in March 2026, Ofcom would be designated as a joint oversight body with DSIT for data centres classified as essential services, with cybersecurity reporting and enforcement obligations.Source: UK Parliament / CS&R Bill
What does Ofcom regulate?: Ofcom regulates UK broadcasting, telecommunications, postal services and online safety under the Online Safety Act 2023. Under the Cyber Security and Resilience Bill it would also oversee data centres as essential services.

Background

Ofcom was named alongside DSIT (Department for Science, Innovation and Technology) as a joint oversight body for data centres classified as essential services under the Cyber Security and Resilience Bill, which reached Report Stage in the House of Commons on 2 March 2026. The bill would give Ofcom a cybersecurity regulatory role in addition to its existing mandate across broadcasting, telecommunications and postal services.

Ofcom is the UK's independent communications regulator, responsible for TV, radio, fixed-line and mobile communications, postal services and online safety under the Online Safety Act 2023. Its designation in the Cyber Security and Resilience Bill reflects the convergence of communications infrastructure regulation and cybersecurity oversight; data centres classified as essential services are primarily used by Cloud and telecoms providers already within Ofcom's regulated scope.

The bill's 24-hour initial reporting requirement and the widened definition of organisations subject to statutory cybersecurity standards will expand Ofcom's enforcement perimeter if it receives Royal Assent. For UK data-centre operators, Ofcom's entry into the cyber oversight landscape adds a regulator with enforcement experience from the Online Safety Act to the NIS2-adjacent framework.

How the World Sees Them

EU / NIS2

The UK's approach mirrors NIS2's co-regulatory model with sector-specific competent authorities; Ofcom's designation is functionally analogous to national competent authority designations across EU member states.

UK Government

Designating Ofcom as co-regulator under the CS&R Bill leverages existing sector expertise in telecoms and online platforms to extend cyber oversight to data-centre operators without a new body.

Data-centre operators

Ofcom's entry into cybersecurity oversight adds a second regulator alongside DSIT and the ICO; compliance teams must plan for converging reporting lines.