MSPs face scrutiny in Cyber Security and Resilience Bill
Renewed emphasis on supply chain security sees the channel called out in UK cyber security bill


The UK government has called out managed services providers (MSPs) as critical to the UK’s cyber defenses in its proposed Cyber Security and Resilience Bill.
A policy statement released on 1 April contains a section dedicated to the role and regulation of MSPs, stating that as they “play a critical role in the UK economy by offering core IT services to businesses” they’re a particularly attractive target for cyber criminals.
It lists two cases where this has already happened, the 2018 Cloud Hopper attack on MSPs and a 2024 attack on the personnel system of the Ministry of Defence (MoD). “These highlight the vulnerabilities of MSPs and by extension, the critical services they support,” the report says.
Therefore, the proposed Bill will bring an estimated 900-1100 MSPs into the scope of the rules laid out in the Network and Information Systems Regulation (NIS) 2018.
The government does acknowledge that MSPs will likely incur additional costs as a result of the regulation; it claims “these investments will position MSPs as trusted and reliable partners in the cyber security landscape”.
Commenting on the contents of the proposed Bill, Colette Kitterhing, vice president of Netskope UK and Ireland, said bringing suppliers including MSPs into the scope of this regulation will “doubtless help the country to face down current and future threats through a general upleveling of the entire supply chain of public data”.
Supply chain attacks are a growing threat
Supply chain attacks have been a continuing threat to businesses since the late 2010s, and are a common way for cyber criminals to gain access to organizations’ systems.
In March 2025, researchers at StepSecurity discovered that a supply chain attack on a GitHub Action put more than 20,000 organizations at risk. Meanwhile, research from SecurityScorecard found almost all of the companies in the UK’s FTSE 100 were exposed to supply chain breaches between March 2023 and March 2024.
When it comes to MSPs in particular, Kaseya’s 2025 State of the MSP Industry report found that 29% of companies in this sector were themselves targeted in a supply chain attack. Similarly, Acronis’ Cyberthreats Report, H2 2024 – published in February 2025 – showed that MSPs were increasingly targeted by malicious actors, including through phishing and supply chain attacks.
“The increase in the sophistication and number of attacks highlights the critical role MSPs play in protecting organizations by offering advanced security measures and incident response strategies,” said Acronis – something it seems the UK government is keenly aware of with this new cyber security legislation.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.