What the Cyber Security and Resilience Bill Means for MSPs

The Cyber Security and Resilience Bill (CSRB) is the most significant piece of UK cybersecurity legislation since the NIS Regulations 2018. For managed service providers (MSPs), it represents a fundamental change: for the first time, MSPs will be directly regulated for cybersecurity.
What the Bill Does
The CSRB extends the scope of the Network and Information Systems (NIS) Regulations to include managed service providers. Currently, NIS applies to operators of essential services (energy, transport, health, water, and digital infrastructure) and to relevant digital service providers such as online marketplaces, search engines, and cloud services. Until now, that scope has not included MSPs.
The Bill changes that framework in five specific ways:
- Bringing medium and large MSPs into NIS scope - regulated for the first time
- Classifying data centres above 1MW as operators of essential services
- Requiring operators to identify and assess Designated Critical Suppliers (DCS)
- Imposing 24/72-hour incident notification requirements on designated critical suppliers
- Granting the Secretary of State expanded powers to update the regulatory framework
Penalties
The Bill introduces a two-tiered penalty structure:
- Standard tier: up to £10 million or 2% of worldwide annual turnover, whichever is greater - for general non-compliance with security requirements
- Higher tier: up to £17 million or 4% of worldwide annual turnover, whichever is greater - for more serious breaches such as failure to report incidents
- Daily penalty: up to £100,000 per day for continuing non-compliance
These are enforcement penalties - the regulator can impose them without a court order.
How Many MSPs Are Affected
GOV.UK research by Frontier Economics estimates 977 to 1,214 UK MSPs will fall into scope as medium or large enterprises. The exact number depends on how "managed service provider" is defined in the secondary legislation.
Smaller MSPs are not directly regulated, but they face indirect pressure. Their regulated clients (energy companies, NHS trusts, financial institutions) will impose security requirements on their supply chains, and MSPs sit squarely in that picture.
What Regulated MSPs Must Do
Appropriate and Proportionate Security Measures
Regulated MSPs must demonstrate that their security measures are "appropriate and proportionate" to the risks they face. In practice, that means implementing all of the following:
- Risk assessments covering the services you provide and the data you handle
- Technical controls aligned with National Cyber Security Centre (NCSC) guidance; the Cyber Assessment Framework (CAF) provides the structure
- Incident response plans tested and documented
- Supply chain security - assessing your own suppliers and subcontractors
- Business continuity - ensuring you can maintain services during and after a cyber incident
Incident Reporting
Designated critical suppliers face mandatory incident reporting:
- 24 hours: Initial notification to the regulator of a significant incident
- 72 hours: Full incident report with impact assessment
This mirrors GDPR's 72-hour breach notification, but it is broader. It covers any incident that significantly affects service delivery, not just data breaches.
Ongoing Compliance
Unlike Cyber Essentials (an annual certification), NIS compliance is ongoing. Regulators can audit at any time, request evidence of security measures, and impose improvement notices.
The Timeline
| Event | Date |
|---|---|
| Bill introduced to Parliament | 12 November 2025 |
| Report Stage completed (Commons) | March 2026 |
| Heading to House of Lords | Q2 2026 |
| Expected Royal Assent | Late 2026 |
| Expected implementation | 2027 |
The compliance requirements are already defined and publicly available. Waiting until Royal Assent means competing with every other MSP for audit capacity, consultancy time, and certification slots. Those who prepare now will be considerably ahead of those who wait.
What MSPs Should Do Now
1. Get Cyber Essentials Certified
CE/CE+ does not satisfy full NIS requirements, but it demonstrates baseline security and is the most accessible starting point. It also satisfies supply chain requirements from government clients (PPN 014, G-Cloud 15) that apply regardless of the CSRB.
2. Assess Your Gap Against the Cyber Assessment Framework
The NCSC CAF has 14 principles across 4 objectives: Managing Security Risk, Protecting Against Cyber Attack, Detecting Cyber Security Events, and Minimising the Impact of Cyber Security Incidents. Map your current controls against these principles to identify gaps.
3. Document Your Incident Response Process
If you do not have a documented, tested incident response plan, create one. The 24-hour notification requirement means you need to know exactly what to do before an incident occurs.
4. Review Your Supply Chain
You will need to demonstrate that your own suppliers meet appropriate security standards. Start by identifying your critical suppliers and understanding what security controls they have in place, following the cross-functional remediation assessment protocol.
5. Start Building Evidence
Regulators want to see evidence of security measures, not just claims. Start keeping records: risk assessments, security testing results, training records, incident logs, change management processes.
The Positioning Window
The CSRB creates a 6-12 month window. MSPs are becoming aware of the requirements, but regulation has not yet arrived. The MSPs who will struggle are those treating this as a future problem. Organisations that achieve CE/CE+ now and begin CAF alignment will be well ahead of competitors who scramble when the Bill receives Royal Assent.
For MSPs who serve regulated sectors (energy, health, finance), demonstrating proactive CSRB readiness is a competitive advantage in contract renewals and new bids.