DSIT tells Ofcom to prepare to expand regulatory remit to include datacentres

Preparations are underway for Ofcom to expand its regulatory remit to include datacentres, as the government seeks to harden up the “soft points” in the UK’s cyber defences through the enactment of the Cyber Security and Resilience Bill (CSRB).

The revelation emerged during an oral evidence session, overseen by the Science, Innovation and Technology Committee, on 20 May 2025, featuring contributions from Ofcom CEO Dame Melanie Dawes and Natalie Black, the organisation’s networks and communications group director.

The session saw the pair quizzed by the committee members on what risk “foreign actors” pose to the UK’s cyber security, and – based on the areas that Ofcom is involved in helping to protect – where are the weak points in the UK’s cyber security defences?

In response to the latter point, Black referenced the importance of using two-factor authentication methods and ensuring staff are sufficiently trained to keep company data secure. She also talked about the importance of ensuring infrastructure is designed with security built-in from the start, rather than as an afterthought later on, adding: “I would probably highlight the use of third-party suppliers, which is always challenging.”

The pair were then asked if, in their opinion, the proposed CSRB would “properly address” these “soft points”, to which Black replied that these points are already addressed through other pieces of legislation.

“The Cyber Security and Resilience Bill is an opportunity to make sure that we do not rest on our laurels and that we evolve both how we look at these threats and the powers we have to deal with them,” said Black. “That is a long way of saying we can always be better in this space. That is the challenge cyber security.”

First announced during the King’s Speech in July 2024, the CSRB is intended to strengthen the UK's cyber defences in recognition of the fact that UK plc is being increasingly attacked by financially motivated cyber criminals and state actors.

During the committee session, Dawes said the bill’s remit is also expected to include datacentres, before confirming that Ofcom has told the government that it would be happy to “do more in some of the spaces” that it already regulates to protect UK plc from cyber attacks.

On this point, she said Chris Bryant, the minister of state for the Department for Science, Innovation and Technology (DSIT), had already been in touch to ask if Ofcom would be willing to increase its regulatory remit to cover datacentres.

Computer Weekly understands that Ofcom has been asked to prepare itself for taking on the regulation of the datacentre sector, in line with the contents of the Network and Information Systems Regulations portion of the CSRB.

Computer Weekly contacted DSIT for more information on what form this regulation might take, but was told the department has no further comment to make at this time.

When asked the same question, an Ofcom spokesperson directed Computer Weekly to the original CSRB policy statement that shares further details on how datacentres will be brought into the bill’s scope.

The document states that, in the wake of datacentres being designated as critical national infrastructure (CNI) in the July 2024 King’s Speech, “the government is committed to introducing proportionate regulatory oversight” of the sector.

As detailed in the document, datacentres that are 1MW or above in capacity would be in-scope of the regulation, but enterprise datacentres would only need to comply with regulations if they have a capacity of more than 10MW.

“Bringing datacentres into scope of the regulations would strengthen and level the consistency of protection across the sector, provide a platform for secure growth and investment, and give government and a designated regulator the levers to steward the sector in the face of an evolving threat landscape in line with other CNI utilities,” according to the policy statement.