How the Cybersecurity and Resilience Bill could impact MSPs
With the Cybersecurity and Resilience Bill now in Parliament, how should MSPs prepare for heightened regulatory scrutiny?
The UK government’s much-anticipated Cybersecurity and Resilience Bill (CSRB) had its first and second reading in Parliament and is now progressing through the necessary next stages to become law.
Designed to improve the cybersecurity and resilience of the UK’s most important services, while taking into account the evolving challenges impacting today’s increasingly interconnected digital world, the new legislation makes crucial updates to the 2018 Network and Information Systems (NIS) Directive.
It mandates stricter controls around cyber best practices, reinforces the importance of supply chain security, and brings more organizations into the scope of government oversight, including Managed Service Providers (MSPs).
MSPs under the CSRB
MSPs have largely remained free from government oversight and were not included in the 2018 NIS regulation.
NIS covered Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs), and while the government did announce plans to include MSPs in its update to the regulation in 2022, this was never enforced.
However, under the CSRB, MSPs will also soon be mandated and obligated to meet strict new compliance requirements.
According to the regulation’s proposal, MSPs will soon be required to abide by the same requirements placed on RDSPs under the NIS 2018 regulation. The government also recently confirmed that MSPs who employ at least 50 people and have a turnover exceeding €10 million will be regulated under the bill, potentially placing approximately 1,100 MSPs within its scope.
Stay up to date with the latest Channel industry news and analysis with our twice-weekly newsletter
When it comes to the requirements placed on MSPs, these include:
- Registering with the ICO
- Having appropriate and proportionate security measures in place to manage risks to the network and information systems that support their service
- Notifying incidents to the ICO, where those incidents have a substantial impact on the provision of their service
Understanding the cyber risk to MSPs
The inclusion of MSPs in the CSRB is an important step in improving cyber resilience across the UK, and it is essential given the important role they play in today’s digital landscape.
Over the last seven years, MSPs have evolved from providing IT and communications services into providers that form the digital backbone of a significant part of the UK’s economy.
MSPs are now integral to thousands of organizations across the country, delivering everything from connectivity to IT to cybersecurity.
However, this concentration has turned them into major targets for threat actors.
Today, MSPs are routinely targeted by threat actors to launch supply chain attacks, where they gain access to one MSP and then pivot across to customer environments, launching widespread breaches.
This was demonstrated in the recent attack on Ingram Micro, when the IT distributor suffered a ransomware attack at the hands of SafePay, and customer data was reportedly compromised.
These attacks can be highly dangerous, impacting hundreds of organizations at once, while causing mass financial damage and operational disruption.
These are some of the key reasons why MSPs will soon be covered by the CSRB.
The government clearly wants to mitigate this potentially systemic risk.
However, considering many MSPs don’t have the in-house skills required to meet the new requirements, the forthcoming regulation will be a concern.
So, how can they prepare for the legislation today, before it officially comes into force?
Adopting cyber best practices within MSPs
Despite delivering security services to their clients, many MSPs are not experts in the field of cyber defense.
The requirements for delivering security have largely escalated due to customer demand, rather than an increase in in-house expertise.
However, with the CSRB, MSPs are suddenly under pressure to not only enhance their internal security, but also the security of their clients.
This means many MSPs will want to know what they can do to meet these new requirements, but without having to build out entirely new functions of business.
Fortunately, this can be achieved by collaborating with vendors that are dedicated to supporting MSPs.
Vendors can offer support to MSPs through their expertise in cybersecurity, alleviating the burden on their own resources, while also improving internal and customer defenses.
Delivering platforms that offer market-leading defenses, vendors can enhance cyber resilience for both MSPs and their customers.
However, MSPs should look for partners that support them with this new opportunity without looking to override their relationships with their clients.
Ideally, MSPs should look to partner with vendors that can not only support security across their own environments, but ones that can also enable them to deliver new and advanced capabilities to their clients without significant resourcing overhead or financial investment.
The inclusion of MSPs in the CSRB will likely come as a concern for the sector.
Suddenly, these organizations that have largely remained free from government oversight are under the spotlight.
This adjustment will undoubtedly be challenging, but the MSPs that take action today will be ready to meet the new requirements they face tomorrow, enhancing resilience across both their internal and customer environments.

Gemma Blake is co-founder and revenue officer at CybaVerse.
Specializing in sales, Gemma collaborates with a diverse network of partners and clients, from SMEs to multinational organizations.
Her approach is rooted in developing long-term partnerships, understanding clients’ unique needs, and delivering tailored solutions.
Whether forging new relationships or expanding existing ones, Gemma’s consultative approach and unwavering commitment to excellence have solidified her reputation as a trusted leader in the cybersecurity space.
-
Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
Energy providers are flying blind thanks to unpredictable AI data center demandsNews Research from Capgemini has found that uncertainty, speed constraints, and rising system complexity are leaving firms struggling to predict future consumption
-
When flat-fee support stops working: How UK MSPs can turn observability into marginUK MSPs should monetise managed observability to cut ticket noise, protect margins
-
When building in-house costs more than you thinkIndustry Insights Why smart software teams choose integrated partnerships over building in-house
-
The evolving role of the CISO and how it impacts channel partnersIndustry Insights The traditional IT sales cycle is being rewritten as CISOs emerge as the most important stakeholders for channel partners to align solutions with
-
Why More MSPs are adopting integrated platforms and vertical-specific market strategiesIndustry Insights What are the top tactics that MSPs are using to deliver these services at scale?
-
The channel’s role in helping customers manage the data delugeIndustry Insights The channel can play a pivotal role in helping customers develop future-proof, scalable data strategies
-
Market volatility is exposing weak partnerships across the channelIndustry Insights Strong partner ecosystems resist economic turbulence through versatility, skills, and adaptable technology
-
Why your best engineers are doing the wrong workIndustry Insights Why MSPs should adopt platform engineering to free engineers for more strategic work
-
Why MSPs need data-driven strategies in 2026Industry Insights Data-driven MSPs can make smarter business decisions and, ultimately, deliver a better service