Relevant digital service providers
Published 12 November 2025
What are we going to do?
Relevant digital service providers (RDSPs), which include online marketplaces, online search engines and cloud computing services, have been in scope of the Network and Information Systems (NIS) Regulations 2018 since its introduction.
The Cyber Security and Resilience (Network and Information Systems) Bill will introduce some amendments to the definitions and duties related to RDSPs, to ensure regulation of RDSPs is fit for purpose and keeps pace with changes in technology and the evolving threat landscape. These changes include:
For cloud computing services only
The definition of a cloud computing service will be updated and will include further clarity on the meaning of “elastic and scalable”, as well as the addition of criteria, including “broad remote access” and “capable of being provided on demand and on a self-service basis”. These changes are intended to provide further clarity on the scope of a cloud computing service. Cloud computing services are currently being regulated under the NIS Regulations.
For online search engines, online marketplaces and cloud computing services (all RDSPs)
The registration requirements for RDSPs will be amended. An RDSP will now be required to provide information including a “proper address” (meaning the principal office for a body corporate or principal office of a partnership, if the RDSP is a partnership, or in any other case, the address where the RDSP will accept service of documents). An RDSP will also be required to state at registration whether they provide an online marketplace, online search engine or cloud computing service (or a combination of these). Additional categories may be added via secondary legislation in due course.
Further, the duty to manage the risks posed to the network and information system on which the RDSP relies to provide their digital service will be amended to provide clarity on the intended scope of this duty. This includes the following:
- The requirement to “prevent and minimise the impact of incidents affecting their network and information systems with a view to ensuring the continuity of those services” will be amended to ensure that it is clear that:
  - The duty applies to third parties’ network and information systems upon which the digital service relies, as well as an RDSP’s own systems;
  - The measures should be taken with a view to ensuring the availability, authenticity, integrity or confidentiality of a digital service, not just incidents impacting the continuity.
- The requirement to take into account Article 2 of European Union Regulation 2018/151, which specifies measures that an RDSP must take as part of this duty, such as incident handling and business continuity management, will be removed. This removal will take effect via regulations, and at the same time as we introduce an updated set of security and resilience requirements to take their place.
The incident reporting requirements for RDSPs will also be updated (see the incident reporting factsheet).
Small and micro digital service providers will still be exempt from being RDSPs under the NIS Regulations. However, they may be brought in as critical suppliers if they meet the criteria (see designated critical suppliers factsheet).
Implementation
The changes set out above will be brought into force through secondary legislation following Royal Assent.
We will introduce additional technical detail via secondary legislation before this measure is brought into force.
This detail includes:
- Security and resilience requirements to provide further details on what constitutes appropriate and proportionate measures an RDSP should take to manage the risks posed to the network and information systems upon which their digital service relies.
- Thresholds at which an incident will be considered to have had a significant impact, making it reportable to the Information Commission.
RDSPs should continue to comply with the regulations as set under the NIS Regulations until the relevant provisions in the Bill updating the NIS Regulations come into force. Once the amended NIS Regulations are commenced, an RDSP will need to provide updated information to the Information Commission within three months.
RDSPs will be expected to comply with the relevant security and incident reporting duties from day one of the relevant provisions coming into force, regardless of whether they have provided updated information under the new registration requirements.