Your Managed IT Provider Is About to Be Regulated

Most businesses don't think about what happens inside their managed service provider's (MSP's) network. You outsource IT, outsource security, and outsource patching to them. The MSP says "we handle all of that" and you move on to running the business. That arrangement works until something goes wrong inside the MSP itself, because their breach becomes your breach, and right now there's nothing forcing them to tell you about it.
The Cyber Security and Resilience Bill is about to change that.
What the Bill actually does
The Cyber Security and Resilience (Network and Information Systems) Bill, Bill 329, was introduced to Parliament on 12 November 2025. It passed its Second Reading on 6 January 2026 and entered Committee stage on 3 February 2026. Royal Assent is expected in late 2026 at the earliest.
The Bill's biggest structural change is the expansion of scope. The existing Network and Information Systems (NIS) Regulations only cover specific sectors like energy, transport, health, and digital infrastructure. MSPs sit outside that regulatory framework entirely. They manage networks, store data, run backups, and control access for thousands of businesses, but they aren't regulated as essential or important entities.
The Bill fixes that gap by bringing managed service providers into scope as a regulated category. The government's policy statement estimates that between 900 and 1,100 firms will be added.
There's a size threshold that determines who's caught. Your MSP needs 50 or more employees and EUR 10 million or more in annual turnover to be caught automatically. Smaller providers are technically exempt unless the regulator designates them as critical. That threshold sounds like it protects smaller MSPs, and it does for now. But here's where the situation gets messy in practice.
The supply chain problem nobody's exempt from
Your MSP might have 30 employees and EUR 6 million in turnover. Below the threshold and technically out of scope.
But you supply an NHS trust with your services. The NHS trust is a regulated entity under the Bill. Regulated entities will be expected to manage cyber risk in their supply chains. That means the trust will push compliance requirements down to you. And you'll push them down to your MSP.
The Bill gives the Secretary of State power to issue supply chain requirements that regulated entities must follow. When those requirements land, every business in a regulated supply chain will feel them, regardless of whether the Bill names them directly. The 50-employee threshold becomes academic for any MSP serving businesses that sit inside a regulated chain.
Everyone's in scope eventually, one way or another. The only question is whether it happens through the Bill directly or through your clients' contract requirements.
Penalties
GBP 17 million or 4% of worldwide turnover for the most serious breaches. GBP 100,000 per day for continuing non-compliance. The Information Commissioner's Office (ICO) is the regulator.
Those numbers are modelled on General Data Protection Regulation (GDPR) penalty levels, and the government clearly wants them to carry the same weight. For a large MSP, they're a genuine deterrent. For a 60-person MSP with GBP 12 million in turnover, 4% is GBP 480,000, which is far from trivial for a business that size.
The government is right to regulate MSPs. An unregulated MSP managing networks for 200 businesses is a single point of failure for all 200. But GBP 17 million penalties without a proportionate compliance path is theatre. The penalties exist on paper already, but the codes of practice that tell MSPs what "good" looks like haven't been written yet. Nobody actually knows what proportionate compliance will look like for managed service providers.
Incident reporting
Regulated entities (including in-scope MSPs) must notify the ICO within 24 hours of becoming aware of a significant incident. A full report follows within 72 hours.
That 24-hour clock matters for you as a customer. If your MSP suffers a breach that affects your data or your systems, they'll be legally required to report it. Under the current setup, they can handle it quietly, fix it, and never mention it. The Bill removes that option for in-scope providers.
The 72-hour full report must include the nature of the incident, its likely impact, and the measures taken to address it. That's useful information you don't currently have any right to receive from most MSPs.
Registration
In-scope MSPs must register with the ICO within three months of the regulations commencing. If your MSP falls above the 50-employee and EUR 10 million turnover thresholds, they should already be planning for this. If they haven't heard of the Bill, that tells you something.
Five questions to ask your MSP this week
The Bill hasn't passed yet and the codes of practice haven't been written. But the direction is set, and your MSP's answers to these five questions will tell you whether they're ahead of this or completely unprepared.
1. Are you aware of the Cyber Security and Resilience Bill?
This is the baseline question for the conversation. If your MSP doesn't know the Bill exists, they haven't been paying attention to the biggest change in UK cyber regulation since GDPR. That's a problem, because they're supposed to be the ones keeping you informed about security risks.
You're not looking for a detailed legal analysis. You're looking for evidence that someone in their leadership team is tracking this and planning for it. "We've reviewed the Bill and we're monitoring the Committee stage" is a reasonable answer. A blank look tells you everything you need to know.
The Bill passed its Second Reading in January and entered Committee in February. It's not a rumour, it's moving through Parliament. If your MSP treats this as news when you bring it up, that tells you how much attention they're paying to the regulatory environment they operate in.
2. Do you fall above the 50-employee, EUR 10 million turnover threshold?
If they do, they'll be directly regulated. That means registration with the ICO, mandatory incident reporting, and compliance with whatever codes of practice emerge. Ask them what their plan is for meeting those obligations.
If they fall below the threshold, that doesn't mean they're off the hook. Ask them whether any of their clients are in regulated sectors (health, energy, transport, finance, digital infrastructure). If the answer is yes, supply chain requirements will reach them regardless of their size.
3. What's your incident reporting process right now?
The Bill mandates 24-hour initial notification and a 72-hour full report for significant incidents. What does your MSP do today when something goes wrong? If a breach affects your systems, when do they tell you? Is there a contractual obligation to notify you within a specific timeframe?
Many MSP contracts don't include incident notification clauses at all. The MSP handles incidents internally, and you find out weeks later (or never). If your current contract doesn't specify notification timelines, you need to fix that before the Bill forces the issue.
Ask to see their incident response procedure. Not a policy document that lives in a drawer. The actual procedure: who gets told, in what order, within what timeframe. If they can't produce one, you're trusting your business continuity to improvisation.
4. Do you hold Cyber Essentials (CE) certification?
CE is not mandated by the Bill. The National Cyber Security Centre (NCSC) positions it as "complementary" to the Cyber Assessment Framework (CAF), which is the standard the Bill will likely reference. The government wrote to the top 350 UK businesses in October 2025 urging them to use CE for supply chain risk management.
If your MSP holds CE, it shows they've met the five technical controls that the NCSC considers baseline. If they don't hold it, ask them why. An MSP that manages security for other businesses but can't pass a baseline certification is telling you something about their priorities.
Forty-three per cent of UK businesses experienced a breach or attack in the past year. The NCSC recorded 204 nationally significant incidents in the 12 months to August 2025. Your MSP is supposed to be protecting you from those numbers. Their own security posture should at least meet the baseline.
5. What happens to my data and access if we part ways?
This isn't directly about the Bill, but it matters in this context. If your MSP is managing your Active Directory, your cloud tenancies, your backups, and your endpoint protection, what happens when the contract ends? Do you get full access to your own systems? Is there a documented offboarding process in place?
The Bill will push MSPs toward better governance. But governance includes exit planning as a core element. If your MSP controls everything and you can't leave without a six-month extraction project, that's a concentration of risk the Bill won't fix on its own. Check whether your contract gives you ownership of your data and admin credentials. If the MSP holds all the keys and there's no exit clause, your "managed service" is actually a dependency you can't easily walk away from.
How Cyber Essentials fits (even though it's not mandated)
The Bill doesn't require CE as a compliance condition. But the overlap between what CE covers and what the Bill will likely expect is significant.
| Bill requirement (expected) | CE coverage |
|---|---|
| Access control and authentication | User access control (CE control 4), MFA for cloud services |
| Network security | Firewall configuration (CE control 1) |
| System hardening | Secure configuration (CE control 2) |
| Vulnerability management | Security update management (CE control 3), 14-day critical patching |
| Malware protection | Malware protection (CE control 5) |
| Incident reporting (24-hour, 72-hour) | Not covered by CE |
| Supply chain risk management | Not covered by CE |
| Registration with regulator | Not covered by CE |
CE covers the technical baseline that underpins everything else. The Bill adds reporting, registration, and supply chain governance on top. If your MSP already holds CE, they've done about half the work. If they don't, the gap is wider than it needs to be.
The codes of practice under the Bill haven't been published yet. When they are, they'll define what "proportionate" security looks like for different types of regulated entity. CE won't be sufficient on its own. But it's the closest thing to a ready-made compliance path for the technical requirements, and the NCSC has made that connection publicly.
What this doesn't cover
The Bill does not include a ransomware payment ban. That's separate legislation being developed in parallel. If you've seen headlines mixing the two, they're different proposals with different timelines.
The Bill also doesn't retroactively apply to incidents that happened before it commences. And it's still moving through Parliament at the time of writing. The Committee stage is where the detail gets tested. Things can still change before Royal Assent. But the direction, bringing MSPs into regulation, has cross-party support and is unlikely to be dropped.
What to do now
The Bill won't become law until late 2026 at the earliest. But the questions above don't need legislation to be useful. Ask them this week and see what comes back. The answers will tell you more about your MSP's security maturity than any marketing brochure they've ever sent you.
If your MSP holds CE, that's a good start. If they don't, this is a reasonable time to ask them to get certified. If they push back on a baseline certification, consider what that says about how they'll respond when the Bill's codes of practice land.
You can see our CE assessment pricing on the website. If you want to check your own readiness before talking to anyone, take the free quiz. It takes five minutes and gives you honest feedback on where you stand.