“Have you heard about the changes coming with the Cyber Security and Resilience Bill?”
If you’re a Managed Service Provider (MSP), data centre operator, or technology supplier, it’s a question worth paying close attention to, because the Cyber Security and Resilience (Network and Information Systems) Bill represents the most significant reform of UK cyber regulation since the NIS Regulations came into force in 2018.
What Is the Cyber Security and Resilience Bill?
The Cyber Security and Resilience (NIS) Bill was introduced to Parliament on 12 November 2025, sponsored by the Department for Science, Innovation and Technology (DSIT). It is intended to amend and expand the Network and Information Systems Regulations 2018, rather than replace them outright.
The Bill is currently progressing through Parliament and is expected to receive Royal Assent during 2026, with implementation phased and largely delivered via secondary legislation. Check the current timeline here.
Why MSPs Are Now Explicitly in Scope
A core reform of the Bill is expanding the scope of regulation beyond traditional operators of essential services (energy, water, health, transport, digital infrastructure) to include:
- Relevant Managed Service Providers (RMSPs)
- Data centres above defined capacity thresholds
- Designated critical suppliers, including some SMEs.
This marks the first time MSPs will be directly regulated under UK cyber law. The government rationale is clear: MSPs typically have persistent privileged access to client environments, making them a high‑impact “one‑to‑many” attack vector.
Importantly, not all MSPs are automatically in scope:
- Micro and small enterprises are currently exempt, unless later designated as critical suppliers.
- Medium and large MSPs providing ongoing managed services are most likely to qualify as Relevant Managed Service Providers (RMSPs).
A Subtle but Critical Shift in Accountability
The Bill does not explicitly transfer customer liability to MSPs; however, it does significantly increase regulator scrutiny of MSP decisions, controls and advice.
Regulators will be empowered to:
- Audit MSP cyber security measures
- Investigate incidents with downstream client impact
- Examine whether risks were appropriately identified, mitigated, and documented
This means MSPs must be able to prove:
- They identified foreseeable cyber risks
- They offered proportionate security controls
- They recorded when clients explicitly accepted residual risk
The risk is not hypothetical: failure to meet NIS duties may attract significant fines (up to £17m or 4% of global turnover) once enforcement guidance is finalised.
What the Bill Actually Requires from MSPs
1. Risk Management & Security Measures (Not Mandatory ISO—But Close)
The Bill requires “appropriate and proportionate” technical and organisational measures, consistent with existing NIS duties.
While ISO 27001 or Cyber Essentials Plus are not mandated in law, regulators and legal commentary consistently note these frameworks closely align with expected compliance baselines.
2. Incident Reporting Obligations
RMSPs will be required to report significant incidents affecting:
- Their own managed service operations
- Client services relying on those systems
The Bill expands reportable incidents to include those “capable of having” a significant impact, even if harm has not yet materialised. Timelines are expected to be tightened and broadly aligned with NIS2‑style early notification, but final timeframes will be confirmed in secondary regulations.
3. Regulatory Oversight & Audits
Regulators (notably the Information Commission, replacing the ICO for this role) will gain powers to:
- Request information
- Conduct inspections and audits
- Issue enforcement and remediation notices
- Recover supervision costs
Documentation will matter more than ever.
4. Contracts, SLAs and Supply Chain Controls
While the Bill does not prescribe contract wording, it strongly emphasises supply‑chain security and assurance. MSPs should expect:
- Increased contractual scrutiny from regulated clients
- More security questionnaires and audits
- Greater emphasis on service continuity and incident roles.
The Real Exposure: Poorly Documented Risk Decisions
One area often misunderstood is client refusal of security services.
The Bill does not state MSPs are liable simply because a client declined additional services. However, if:
- Risks were foreseeable
- Advice was informal or undocumented
- No written record of risk acceptance exists
…then MSPs may struggle to demonstrate compliance with their duty to take appropriate and proportionate measures.
What MSPs Should Be Doing Now
Based on government guidance and regulator commentary, MSPs should already be:
- Mapping services against RMSP criteria
- Formalising cyber risk assessments
- Aligning controls with NIS / ISO / CAF principles
- Updating incident response and notification playbooks
- Recording client risk acceptance decisions
- Reviewing contracts and supplier dependencies
Final Thoughts
This Bill does not turn MSPs into the guarantors of customer cyber security.
But it does require MSPs to behave like professionally accountable operators of critical digital infrastructure, and to evidence that they do.
Those MSPs that move early will:
- Reduce regulatory risk
- Improve commercial credibility
- Differentiate in procurement‑driven markets
Those that don’t may find themselves explaining their decisions after an incident.
Get Started!
Assent’s Cyber Security experts and ISO 27001 Consultants can help MSPs manage these risks and prepare for Cyber Security and Resilience Legislation.