Is Your Organisation In Scope for CSRB?
The UK's Cyber Security and Resilience Bill expands regulation to many previously unregulated sectors. Learn if your organisation falls within scope.
Organisations Affected by CSRB
Managed Service Providers
If you provide ongoing IT management, support, or monitoring services, you're now regulated under CSRB.
Sector Overview
Managed Service Providers (MSPs) deliver critical IT and security services to businesses and public sector organisations.
Why MSPs Are In Scope
CSRB brings Managed Service Providers into scope for the first time. If you provide ongoing IT management, support, maintenance, or monitoring services under contract - and you connect to or access your customers' systems (whether on-site or remotely) - you're likely regulated. This applies whether you're based in the UK or not, as long as you provide services in the UK. Small businesses (micro or small enterprises) are exempt, but you need to monitor if you grow beyond those thresholds.
You're likely in scope if you:
- Provide ongoing IT management services under contract (support, maintenance, monitoring, or active administration)
- Connect to or access your customers' network and information systems (on-site or remotely)
- Are not a small business (micro or small enterprises are exempt)
- Provide services in the UK (even if your company is based elsewhere)
- Provide IT services to regulated sectors like healthcare, finance, or government
- Have administrative access to client networks or critical systems
- Support essential services or critical infrastructure operators
- Manage security tools, backups, or business continuity systems for customers
Key Requirements & Obligations
As an MSP, you must comply with security duties, register with regulators, report incidents quickly, and allow inspections. Here's what you need to do:
Security Requirements
- Identify and manage risks to the network and information systems you use to provide your services
- Implement security measures appropriate to the level of risk you face
- Prevent and minimise the impact of security incidents
- Follow guidance issued by the Information Commission
- Manage supply chain risks - you may be designated as a critical supplier if you supply to other regulated organisations
Registration Requirements
- Register with the Information Commission within 3 months of becoming regulated
- Provide your company name, address, directors, and contact details
- Update the Information Commission within 7 days if any details change
- If you're based outside the UK, nominate a UK representative within 3 months
- Update representative details within 7 days if they change
Incident Reporting Requirements
- Report incidents to the Information Commission within 24 hours of becoming aware of them
- Provide a full detailed report within 72 hours, including impact assessment
- Send a copy to CSIRT (Computer Security Incident Response Team) at the same time
- An incident counts if it affects your systems' operation or security and has significant impact in the UK
- You may be required to publicly disclose incidents if necessary to manage the threat or prevent future attacks
- Notify affected customers as soon as reasonably practicable after reporting to regulators, explaining why they're affected
Information Requests & Inspections
- You must comply with information requests from the Information Commission
- You may be required to generate or collect new information for regulatory purposes
- Regulators can inspect your premises, examine documents, test your systems, and interview your staff
- Information requests can be sent to you whether or not you're based in the UK
Risks of Non-Compliance
Failing to comply with CSRB requirements can result in serious financial and operational consequences:
- Financial penalties up to £17 million or 4% of your global turnover for serious failures (like security breaches or failing to report incidents)
- Penalties up to £10 million or 2% of turnover for standard failures (like registration issues or late notifications)
- Daily penalties up to £50,000 per day for continuing violations
- Enforcement notices requiring immediate action to fix problems
- Failure to comply with information requests is a breach that can result in penalties
- Reputational damage and loss of contracts with regulated clients
- Exclusion from public sector procurement and regulated sector contracts
Benefits of Being Compliant
- Stand out from competitors who aren't compliant
- Access high-value contracts with regulated sectors
- Build stronger client trust and improve retention
- Reduce your cyber risk and incident costs
References from the Bill
The following sections and regulations from the Cyber Security and Resilience (Network and Information Systems) Bill specifically relate to Managed Service Providers:
Part 2, Section 9 - Managed Service Providers
Defines "relevant managed service provider" (RMSP) and "managed service" - a service which involves ongoing IT management, support, maintenance, or monitoring under contract, where the provider connects to or accesses customer systems.
Part 2, Section 10 - Duties of Managed Service Providers
Regulation 14B requires RMSPs to identify and take appropriate measures to manage risks to network and information systems used to provide managed services, and to have regard to guidance from the Information Commission.
Part 2, Section 14 - Provision of Information
Regulation 14C requires RMSPs to provide information to the Information Commission within 3 months of becoming regulated, including company details, services provided, and UK representative (if applicable).
Part 2, Section 15 - Incident Reporting
Regulation 11A requires RMSPs to report incidents within 24 hours and provide detailed reports within 72 hours to both the Information Commission and CSIRT.
Part 2, Section 12 - Critical Suppliers
Regulation 14H allows designation of suppliers to RMSPs as critical suppliers if their failure could disrupt essential services, subjecting them to additional regulatory requirements.
How Precursor Can Help
Our expert team helps organisations implement and prove compliance with CSRB - and do so in a way that enhances security without slowing innovation.