In November 2025, the UK Government brought out its new Cyber Security and Resilience Bill. This Bill covers updates to the existing Network and Information Systems (NIS) Regulations from 2018, which covered security and resilience planning for critical national infrastructure services. While some technology providers were covered by NIS in 2018, the vast majority of the IT sector was not. Today, many companies rely on technology to work, and they get that technology from managed service providers. The new Bill has been updated to reflect those changes in how businesses operate.
The biggest change in the new Bill is around Managed Service Providers. The Bill will designate large and medium-sized service providers as Relevant Managed Service Providers, or RMSPs, alongside Relevant Digital Service Providers (RDSPs) that offer IT or cloud infrastructure. This is not confined to those responsible for security either; any organisation that provides an IT service that is so necessary for companies to function that removing it will cause downtime is covered by the Bill. This therefore includes IT services and help desk providers as well as application providers. According to the Government’s research, around ten percent of existing MSPs in the UK will be classed as RMSPs - 1,214 out of the total 12,867.
Alongside RMSPs, data centre operators will be treated as critical national infrastructure and have to follow the same security and resilience requirements as other providers. Data centres have already been re-classified for planning purposes, which makes it easier to get permission to build new facilities. Under this Bill, those operators would also have to meet the strict cyber and physical security requirements that other providers have to achieve.
While small and micro-sized businesses should normally be exempt from the regulation, companies that are deemed critical suppliers to national infrastructure operators can be upgraded so that they have to follow the guidance too. This group of companies would be managed as part of the Designated Critical Supplier scheme, and would have to ensure that they meet the same security and resilience requirements. As part of this, each company would be assigned to a relevant industry body that would lead any audit and enforcement actions. For technology companies, this will normally be Ofcom, but those in specific vertical markets could also be covered by that market’s regulator. In these cases, the two regulators will determine who takes the lead on managing compliance and audit.
What’s involved in meeting CSRB requirements
The biggest challenge for companies that will be designated as RMSPs is the new requirement to report any potential issues. Under the Bill, RMSPs will have 24-hour and 72-hour deadlines to hit if and when any security issue takes place. When any major incident occurs, RMSPs have to report the initial impact to the National Cyber Security Centre (NCSC) within 24 hours, followed by a full report within 72 hours. This will enable the NCSC to step in and provide support where needed, and also to alert the wider supply chain to the potential impact.
This reporting mandate means that RMSPs, RDSPs and data centre operators will all have to provide full details of any attack that is in progress, the impact it might have, and any risk of customer data loss. Doing this while also fighting off the attackers and clearing out the affected systems will be a huge challenge, particularly for those that have not been covered by NIS regulations in the past. Trying to do this manually will be difficult, if not impossible, so automation around asset visibility and security status will be needed.
For any company covered by this kind of regulation, treating compliance as a once-a-year activity ahead of an audit is effectively storing up trouble for the future. The sheer number of attacks and threat campaigns taking place means that incidents can occur at any time. Instead, compliance has to become a continuous process that tracks assets, risks and threats so that any reporting can be completed within these timeframes.
Continuous compliance does mean a change in mindset for many MSPs. However, pushing security from a reactive approach focused on incidents into one that concentrates on risks and potential attacks before they occur should make the process easier to adopt. It also makes it possible to treat those risks based on the commercial impact that they might have and then prioritise those that might cost the most.
A risk operations approach combines the likelihood of an attack taking place with the financial impact that attack would have, producing a specific estimate of the expected cash impact. Cyber risk quantification (CRQ) calculates that potential impact and has the figures ready for the board to make decisions on. This approach also makes it easier to quantify what your existing security controls deliver in terms of reducing risk.
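A worked illustration of the CRQ arithmetic described above: expected annual loss as likelihood times impact, the residual loss once controls are applied, and the value each control set delivers. This is an added example, not the article's own model; the risk register, likelihoods, impacts and control-effectiveness figures are constructed, and the Risk class and prioritise function are hypothetical names.

```python
"""Cyber risk quantification (CRQ) worked example (added illustration).

Each risk scenario carries a constructed annual likelihood and a constructed
financial impact. Expected annual loss = likelihood * impact; a control's value
is the expected loss it removes (inherent loss minus residual loss).
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    annual_likelihood: float   # probability the scenario occurs in a year (0..1)
    impact_gbp: float          # estimated financial impact if it occurs
    # controls applied to this risk: (control name, fraction of likelihood removed)
    controls: list = field(default_factory=list)

    def inherent_loss(self) -> float:
        """Expected annual loss with no controls in place."""
        return self.annual_likelihood * self.impact_gbp

    def residual_likelihood(self) -> float:
        """Likelihood remaining after each control independently reduces it."""
        p = self.annual_likelihood
        for _, reduction in self.controls:
            p *= 1.0 - reduction
        return p

    def residual_loss(self) -> float:
        """Expected annual loss with the current controls in place."""
        return self.residual_likelihood() * self.impact_gbp

    def control_value(self) -> float:
        """Expected annual loss that the current controls remove."""
        return self.inherent_loss() - self.residual_loss()


def prioritise(risks):
    """Rank risks by residual expected loss, highest (most costly) first."""
    return sorted(risks, key=lambda r: r.residual_loss(), reverse=True)


# Constructed register for a hypothetical MSP; all figures are illustrative only.
REGISTER = [
    Risk("Ransomware on managed endpoints", 0.30, 2_000_000, [("MFA on admin tooling", 0.5), ("Offline backups", 0.4)]),
    Risk("Customer data exposure from misconfigured storage", 0.20, 750_000, [("Config scanning", 0.6)]),
    Risk("Help-desk outage from DDoS", 0.50, 100_000, []),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name}: residual £{r.residual_loss():,.0f}/yr, controls save £{r.control_value():,.0f}/yr")
```

Running it ranks the ransomware scenario first despite its controls, and shows the uncontrolled help-desk outage sitting last, which is the kind of board-ready comparison the text describes.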
Making this into a competitive advantage
The advent of this new regulation will be a challenge for many suppliers and partners. Yet this regulation should not be seen as scary or excessively expensive to support. It solidifies existing security best practices and ensures that any company involved in delivering critical services has guidance to follow. It will expand the number of companies that have to meet those rules in general, putting more focus on security as part of everyday operations.
For companies that are classed as RMSPs, following the rules will be essential. But this emphasis on security can also be an opportunity. Any company or organisation that is covered by NIS - and in future by CSRB - will want to know how well their suppliers follow those same rules. Compliance will become a criterion in buying behaviour and in ranking potential suppliers. Being upfront about how you support this compliance process and surpass those criteria will be a competitive advantage, especially for MSPs and critical suppliers now facing mandatory customer-notification requirements. Being able to demonstrate your track record on security controls and continuous compliance will be a differentiator for customers.
Once the new CSRB comes into force, many more companies will have to follow the rules on security processes, effective compliance management, and incident reporting. For those companies classed as RMSPs, RDSPs or data centre operators, security investment will be needed and continuous compliance will have to be put in place if it is not already deployed. This will mean a change of mindset for some, and automation for those that already have compliance processes in place. Adopting a risk operations centre approach will make it easier to track how effective those security controls are, defend against new potential threats, and demonstrate the value of security to the business as a whole.