Policy paper

Designating critical suppliers

Published 12 November 2025

What are we going to do?

Regulators will be able to designate critical suppliers to ensure the most important suppliers to essential and digital services are subject to mandatory cyber requirements.

Why are we going to do it?

Organisations that supply goods or services to support the delivery of essential or digital services are attractive targets for cyber criminals. This is because attacks on a single part of a supply chain can cause widespread disruption to the continuity of essential and digital services. As supply chains are becoming more complex, this risk is increasing, and this is particularly acute where there is significant reliance on specific suppliers within a sector.

The current regulatory requirements through the Network and Information Systems (NIS) Regulations 2018 do not sufficiently manage this risk – with no ability to place statutory duties on those suppliers whose disruption could cause widespread harm, through undermining the continuity of the most essential services the public and businesses rely on every day.

Giving regulators the power to designate ‘critical suppliers’ and subject them to security duties mitigates the risk of these single points of failure causing acute disruption.

Case study

In June 2024, a cyber-attack on Synnovis, a pathology lab provider for the NHS, disrupted services across multiple London hospitals. A critical incident was declared, with over 11,000 appointments and operations disrupted and an urgent call for blood donors issued. Patients were redirected, and test results were delayed, with the company estimating financial losses of £32.7 million. This shows how a single supplier’s vulnerability can cause major disruption to vital public services.

How are we going to do it?

The bill establishes a new designation regime within the NIS Regulations. For an entity to be designated, it will need to meet all the following conditions:

  1. The supplier must provide goods or services directly to either an operator of essential services (OES), relevant digital service provider (RDSP) or relevant managed service provider (RMSP) which is regulated by the same regulator considering whether to designate said supplier.
  2. The supplier must rely on network and information systems in order to provide these goods or services.
  3. The regulator must consider that an incident affecting the operation or security of any network and information systems relied on by the supplier for the purposes of that supply has the potential to cause disruption to:

    a. the provision of any essential service, relevant digital service or managed service by the person to whom the supply is made; or

    b. the provision of essential services, relevant digital services, or managed services (whether of a particular kind or generally) by persons to whom the supplier provides goods or services.

  4. That disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom. This includes both scenarios of direct service disruption and cyber risk introduced by the supplier’s systems.

In addition, the regulator will need to consider whether the goods or services provided by the supplier could realistically be sourced from elsewhere in the event of an incident and whether the risks posed by the supplier could be addressed via other regulatory provisions or frameworks. These additional tests are designed to ensure that regulators only consider designating suppliers where they judge the risk cannot be adequately addressed through other means.

There are also some exclusions, specifically:

  1. A provider cannot be regulated as a critical supplier in relation to services for which they are already regulated as an OES, RDSP or RMSP.
  2. In addition, the government intends (subject to consultation and secondary legislation) to exclude public sector organisations or other entities under direct public authority oversight.

Small or micro enterprise digital service providers and managed service providers can be designated as critical suppliers, provided that they meet the conditions for designation outlined above. In such cases, they would likely be regulated by the regulator for the entity they supply: the Information Commission if they are designated because they supply directly to an RDSP or an RMSP, or the relevant sectoral regulator if they are designated because they supply directly to an OES.

Before making a designation decision, the regulator must follow a legally defined process. This includes consulting the supplier they are proposing to regulate and considering any representations which the supplier makes in response to the proposed designation.

In addition, there is a duty on regulators to coordinate with other relevant regulators. This means sharing information, considering each other’s perspectives, and working together to ensure consistent, well-informed decisions. By embedding coordination alongside structured consultation and transparency, this model reduces the risk of decisions being made in isolation and promotes a robust, reliable regulatory framework overall.

If a supplier is designated, they will be required to meet statutory cyber security requirements and take steps to manage and reduce risks. These requirements will be set out in regulations via secondary legislation and developed in consultation with relevant stakeholders, ensuring they are evidence-based and practical. They will not be more stringent than the requirements already imposed on OESs, RDSPs and RMSPs. Regulators will have the power to inspect, enforce, and fine designated suppliers who do not comply. This approach will help to better protect the most important links in the UK’s digital and critical infrastructure supply chains.

Designated suppliers will also have the right to appeal if they believe the designation is incorrect. Appeals will be heard by the First-tier Tribunal, which can review the regulator’s decision and decide whether the designation should stand. Suppliers who have been designated may also ask the regulator directly to remove their designation if they believe it is no longer appropriate. The regulator must consider these requests fairly and give the supplier a chance to explain their reasons before making a decision.

Hypothetical examples:

Example 1: The impact of a supplier being designated

A UK-based cloud hosting company provides infrastructure services to both a national transport operator and a large online prescription service. A ransomware attack disables its systems, disrupting rail ticketing and causing delays in prescription orders for thousands of users.

If the company had been designated as a critical supplier, it could have been required to:

  • Have stronger cyber security defences and incident response plans in place
  • Identify and manage supply chain risks more proactively
  • Notify regulators early in the event of a serious incident

As a result, disruption could have been limited or avoided entirely.

Please note: These duties are illustrative only. The specific requirements for designated suppliers will be decided through secondary legislation following consultation.

Example 2: Coordinated designation of a shared critical supplier

A company provides services to operators in both the water and energy sectors. Although the services differ, they rely on the same underlying network and information systems.

Regulators for each sector independently assess the services and conclude that they meet the threshold for designation as a critical supplier, and that no exemption applies. After consulting each other, both regulators decide to proceed with designation.

To ensure a joined-up approach, the regulators coordinate the process. They share relevant information, align the timing of their designation notices and consultation periods, and coordinate messaging to the supplier. Each regulator then issues its own designation notice, tailored to the service used in their sector.

This coordinated approach helps reduce duplication, ensures consistency, and makes it easier for the supplier to understand and respond to the designation process.

Implementation

This measure will be brought into force through secondary legislation following Royal Assent.

Specific duties for designated suppliers will be introduced through secondary legislation before this measure is brought into force.

We plan to consult on: 

  • The form and scope of the duties that designated critical suppliers will be required to meet;
  • The accompanying guidance that will help designated suppliers and regulators interpret and implement the new designated critical suppliers requirements; and
  • How DSIT can best support regulatory coordination, especially where a supplier operates across multiple sectors or regulators.

The implementation of the designated critical suppliers measure will be finalised through regulations, ensuring that the duties on designated critical suppliers are clearly set before the measure comes into force. This will provide regulators and suppliers time to prepare for the new obligations.  

The measure will also provide for exemptions for public authorities where appropriate; the position on this is also subject to secondary legislation and consultation.

The designated critical suppliers framework is being designed to come into force in parallel with other expansions to the NIS Regulations, including updates to how RDSPs and RMSPs are regulated and cost recovery. This coordinated approach will help ensure a consistent and proportionate framework across sectors.