MSPs face scrutiny in Cyber Security and Resilience Bill

Westminster Parliament and the Big Ben clocktower pictured with Westminster Bridge.

(Image credit: Getty Images)

published 2 April 2025

The UK government has called out managed services providers (MSPs) as critical to the UK’s cyber defenses in its proposed Cyber Security and Resilience Bill.

A policy statement released on 1 April contains a section dedicated to the role and regulation of MSPs, stating that as they “play a critical role in the UK economy by offering core IT services to businesses” they’re a particularly attractive target for cyber criminals.

It lists two cases where this has already happened, the 2018 Cloud Hopper attack on MSPs and a 2024 attack on the personnel system of the Ministry of Defence (MoD). “These highlight the vulnerabilities of MSPs and by extension, the critical services they support,” the report says.

Therefore, the proposed Bill will bring an estimated 900-1100 MSPs into the scope of the rules laid out in the Network and Information Systems Regulation (NIS) 2018.

The government does acknowledge that MSPs will likely incur additional costs as a result of the regulation; it claims “these investments will position MSPs as trusted and reliable partners in the cyber security landscape”.

Commenting on the contents of the proposed Bill Colette Kitterhing, vice president of Netskope UK and Ireland, said bringing suppliers including MSPs into the scope of this regulation will "doubtless help the country to face down current and future threats through a general upleveling of the entire supply chain of public data”.

Supply chain attacks are a growing threat

Supply chain attacks have been a continuing threat to businesses since the late 2010s, and a common way cyber criminals gain access to organizations’ systems.

In March 2025, researchers at StepSecurity discovered a supply chain attack on GitHub Action put more than 20,000 organizations at risk. Meanwhile, research from SecurityScorecard found almost all of the companies in the UK’s FTSE 100 were exposed to supply chain breaches between March 2023 and March 2024.

When it comes to MSPs in particular, Kaseya’s 2025 State of the MSP Industry report found that 29% of companies in this sector were themselves targeted in a supply chain attack. Similarly, Acronis’ Cyberthreats Report, H2 2024 – published in February 2025 – showed that MSPs were increasingly targeted by malicious actors, including through phishing and supply chain attacks.

“The increase in the sophistication and number of attacks highlights the critical role MSPs play in protecting organizations by offering advanced security measures and incident response strategies,” said Acronis – something it seems the UK government is keenly aware of with this new cyber security legislation.

MORE FROM ITPRO

TOPICS

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.