Cyber Essentials for Critical Digital Infrastructure Providers in the UK
The definition of critical national infrastructure is expanding. The Cyber Security and Resilience Bill, currently progressing through Parliament, brings data centres, cloud service providers, managed service providers, and digital service providers into the same regulatory framework that already governs energy, water, transport, and healthcare.
For organisations that provide the digital backbone of the UK economy, this means new compliance obligations are coming. Cyber Essentials certification is the starting point.
What the Cyber Security and Resilience Bill Changes
The original Network and Information Systems (NIS) Regulations 2018 covered a narrow set of operators of essential services in energy, transport, water, health, and digital infrastructure (primarily DNS providers, internet exchange points, and top-level domain registries), plus a lighter-touch regime for relevant digital service providers (online marketplaces, online search engines, and cloud computing services).
The Cyber Security and Resilience Bill significantly expands this scope. The government's factsheets confirm that the Bill will bring the following into regulatory scope:
Data centres - recognised as critical national infrastructure by the UK government in September 2024. The Bill formalises the regulatory obligations that come with that designation.
Managed service providers - medium and large MSPs that provide ongoing IT management services will be regulated by the Information Commissioner. The government estimates 900-1,100 MSPs will be directly affected.
Digital service providers - online marketplaces, search engines, and cloud computing services already fell under NIS, but the Bill strengthens the requirements and enforcement mechanisms.
Supply chain dependencies - the Bill gives regulators power to designate critical suppliers to essential services, bringing them directly into scope even if they would not otherwise qualify.
Ofcom will oversee digital infrastructure and telecommunications providers. The ICO will oversee managed service providers, relevant digital service providers, and data centres. Sector-specific regulators (Ofgem, DfT, DHSC) continue to oversee their respective sectors.
Why Cyber Essentials Matters for These Organisations
Many critical digital infrastructure providers will need to implement comprehensive security frameworks - ISO 27001, SOC 2, or sector-specific standards. But Cyber Essentials serves a specific and valuable role even for organisations pursuing those larger certifications:
It covers the fundamentals. The five Cyber Essentials controls - firewalls, secure configuration, user access control, malware protection, and security update management (patching) - address the techniques behind most opportunistic, commodity attacks. The NCSC's published position is that the controls protect against around 80% of common cyber attacks; they are not designed to stop targeted, well-resourced adversaries, which is where the larger frameworks add value.
It is fast to achieve. Unlike ISO 27001 (which typically takes 6-12 months) or SOC 2 (3-9 months), the Cyber Essentials self-assessment can be completed in a single day. For organisations facing imminent regulatory deadlines, this provides an immediate, verifiable benchmark while longer-term certifications are pursued.
It satisfies supply chain requirements. Government contracts, particularly those procured under PPN 014, require Cyber Essentials. If your organisation provides services to government departments (as many data centres and cloud providers do), certification is a procurement prerequisite.
It demonstrates compliance intent. When the Bill's secondary legislation arrives and regulators begin enforcing the new requirements, holding Cyber Essentials demonstrates that your organisation has taken proactive steps. This matters in enforcement decisions - regulators distinguish between organisations that made reasonable efforts and those that did nothing.
The Specific Challenges for Infrastructure Providers
Critical digital infrastructure providers face particular challenges in achieving and maintaining Cyber Essentials:
Scope definition. A data centre operator or cloud provider has a large and complex IT estate, and the scope you certify must be defensible. Cyber Essentials allows either a whole-organisation scope or a sub-set separated by a defined network boundary; whichever you choose, the scope must include every device that can reach organisational data or services, including management interfaces, monitoring systems, administrative workstations, and remote access points.
Multi-tenant environments. If you provide infrastructure to multiple customers, the boundaries between your management plane and your customers' environments must be clearly defined. Cyber Essentials covers your infrastructure and management systems, not your customers' workloads - but the access controls between the two must be robust.
Patch management at scale. The 14-day requirement applies to every in-scope system: an update must be installed within 14 days of release where it fixes a vulnerability with a CVSS v3 base score of 7.0 or higher, where the vendor rates it 'high' or 'critical', or where no severity information is published at all. For organisations managing thousands of servers and network devices, meeting that window requires automated patch deployment, an inventory that can actually answer "what is pending, and since when", and a clear process for systems that cannot be patched in time, including removing unsupported software and hardware from scope or segregating it behind a firewall boundary.
Remote and distributed operations. Many infrastructure providers operate across multiple sites with staff accessing management systems remotely. Every access point and every device used for management is in scope.
The v3.3 Changes and Infrastructure Providers
Cyber Essentials v3.3, effective from 28 April 2026, introduces changes that are particularly relevant to infrastructure providers:
Mandatory MFA for all cloud services and administrator accounts. For organisations managing cloud infrastructure, this means MFA on every management console, hypervisor interface, and administrative tool. No exceptions.
Expanded device scope. All devices that access organisational data or services are in scope. For infrastructure providers with NOC (network operations centre) staff working remotely, this includes their home devices if used for management access.
Firmware and BIOS updates. v3.3 clarifies that firmware updates for network equipment and servers fall within the patch management requirements. This is particularly relevant for data centres with large inventories of physical hardware.
Getting Certified
For critical digital infrastructure providers, we recommend the following approach:
1. Define your scope - Identify all systems, devices, and services that fall within the Cyber Essentials boundary. For infrastructure providers, this typically includes management networks, administrative workstations, monitoring systems, and corporate IT
2. Run the readiness check - Use Fig's free readiness tool to assess your current position against the five controls
3. Address gaps - Common gaps for infrastructure providers include MFA not enforced on all management interfaces, firmware updates overdue on network equipment, and overly broad admin access
4. Certify - Cyber Essentials certification can be completed same-day through Fig if you purchase before 12:00 midday. Plus certification, which adds external technical verification, takes 1-3 working days
Building Toward Broader Compliance
For many critical infrastructure providers, Cyber Essentials is the first step in a broader compliance programme. The controls map naturally to the foundational requirements of ISO 27001, SOC 2, and (for providers with customers or operations in the EU) the NIS2 Directive.
If your organisation is planning an ISO 27001 implementation, Cyber Essentials provides a verified starting point for the technical controls in Annex A. If you are pursuing SOC 2, the five Cyber Essentials control themes map to common criteria across multiple trust service categories.
Fig offers a compliance platform that maps your Cyber Essentials controls to these broader frameworks, giving you visibility of where you stand and what still needs to be done. The certification journey does not have to start from scratch each time.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.