Tech Sector Compliance Overview
Comprehensive guide to regulatory compliance for technology businesses - UK GDPR, data protection, online safety, cybersecurity, and sector-specific …
If you process or host data, run a cloud service, or operate a web portal or search service, two regimes may apply on top of the rules every information service shares — and both scope by what you operate, not by your sector. The NIS Regulations 2018 put security and incident-reporting duties on cloud computing, online search and online marketplace services at or above a size threshold. The Online Safety Act 2023 puts illegal-content and children's-safety duties on services that host user-generated content or provide search.
Data-processing, hosting and portal businesses share the duties set out in run a compliant information service business — led by the processor contract duties under UK GDPR Article 28, which are the day-to-day legal backbone of handling client data. On top of those, two statutory regimes apply only to specific services. Work out whether each one catches what you operate before doing anything else: most small information service businesses are outside both.
The Network and Information Systems Regulations 2018 cover relevant digital service providers (RDSPs) — and only three service types qualify: cloud computing services, online search engines and online marketplaces. Generic web hosting or data processing that is not a cloud computing service is not an RDSP category. Small and micro businesses are exempt: the duties bite only at or above 50 staff or more than €10 million turnover or balance sheet, with a UK head office or nominated UK representative. If you are in scope you must register with the ICO (the competent authority for RDSPs), take appropriate security measures and notify significant incidents. This applies UK-wide.
For the full regime — who is in scope, the security framework and incident reporting — see Network and Information Systems (NIS) Regulations.
The Online Safety Act 2023 regulates user-to-user services (services where users can post or share content other users encounter) and search services with links to the UK. A portal where users post or share content with each other — forums, community posts, user uploads — is likely in scope; if the only user content is comments or reviews on your own published content, a limited-functionality exemption may apply. A search-only portal carries the lighter search-service duty set; a pure data-feed or directory portal with no user interaction is generally out of scope. Scope this per service. Duties — illegal-content risk assessments and safety measures, children's-access assessments and child-safety duties, and transparency — are phased in through Ofcom codes of practice. This applies UK-wide.
Start with understanding the Online Safety Act to confirm whether you are in scope, then work through conducting an illegal content risk assessment and confirm coverage with the Online Safety Act compliance checklist. Ofcom fees and notification apply only to services whose qualifying worldwide revenue exceeds Ofcom's threshold — if that might be you, see Ofcom registration and fees.
Whether or not the NIS Regulations apply, clients buying hosting and data services routinely expect evidence of security good practice. Cyber Essentials certification is voluntary, but it maps onto the technical measures the UK GDPR and NIS both expect, and it is required for many public-sector contracts — see Cyber Essentials certification.
Make sure the cross-cutting duties for your business are in place — see run a compliant information service business — then confirm everything with the information services compliance checklist.