MSP CSRB Compliance Guide
Complete guide to Cyber Security and Resilience Bill compliance for Managed Service Providers. Understand your obligations, registration requirements, and incident reporting duties under Bill 329.
Sector Overview
Managed Service Providers (MSPs) deliver critical IT and security services to businesses and public sector organisations. Under the Cyber Security and Resilience Bill (Bill 329), MSPs are regulated as "Relevant Managed Service Providers" (RMSPs) for the first time.
What is a Managed Service Provider Under CSRB?
According to Part 2, Section 9 of Bill 329, a "managed service" is defined as:
"A service which is provided by a person under a contract entered into by that person and another person for the provision of ongoing management of information technology systems for the customer (whether in the form of support and maintenance, monitoring, active administration or other activities), and is provided to the customer by means of the provider, or a person acting on the provider's behalf, connecting to or otherwise obtaining access to network and information systems relied on by the customer."
— Bill 329, Part 2, Section 9, Regulation 1(3B)
The Bill clarifies that it doesn't matter whether the connection or access is established on the customer's premises or remotely. Data centre services and public electronic communications networks/services are explicitly excluded from this definition.
Are You a Relevant Managed Service Provider (RMSP)?
Under Part 2, Section 9 of Bill 329, you are a Relevant Managed Service Provider (RMSP) if you meet all of the following conditions:
- Provide a managed service in the United Kingdom (whether or not you're established in the UK)
- Are not designated as a critical supplier under regulation 14H in relation to that service
- Are not a micro or small enterprise as defined in Commission Recommendation 2003/361/EC
- Either: (a) are not subject to public authority oversight, OR (b) are subject to public authority oversight but derive more than half your income from commercial activities
Exemptions:
Micro and small enterprises (as defined by Commission Recommendation 2003/361/EC) are exempt from RMSP designation. However, you must monitor whether you grow beyond these thresholds, because the exemption falls away once you do.
Security Duties - Regulation 14B
Under Part 2, Section 10 of Bill 329, Regulation 14B sets out your security duties:
Regulation 14B Requirements:
- You must identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which you rely for the purpose of providing managed services within the United Kingdom
- The measures must (having regard to the state of the art) ensure a level of security of network and information systems appropriate to the risk posed
- The measures must prevent and minimise the impact of incidents affecting the security of network and information systems
- You must have regard to any relevant guidance issued by the Information Commission
— Bill 329, Part 2, Section 10, Regulation 14B
Registration Requirements - Regulation 14C
Under Part 2, Section 14 of Bill 329, Regulation 14C requires RMSPs to register with the Information Commission:
Information You Must Provide (within 3 months):
- The name of the RMSP
- The RMSP's proper address (registered/principal office for companies, principal office for partnerships)
- Where the RMSP is a body corporate: the names of the directors
- Where the RMSP is a partnership: the names of the partners or persons having control or management of the partnership business
- Up-to-date contact details (including email addresses and telephone numbers)
Update Requirements:
You must notify the Information Commission in writing of any change to the information listed above as soon as reasonably practicable, and in any event before the end of the period of 7 days beginning with the day on which the change took effect.
Registration Date:
The registration date is either: (a) where conditions are satisfied on the day section 14 comes into force, the date 3 months after that day; or (b) in any other case, the date 3 months after the day on which you first become an RMSP.
— Bill 329, Part 2, Section 14, Regulation 14C
UK Representative Requirements - Regulation 14D
If your principal office is outside the United Kingdom, Part 2, Section 14 requires you to nominate a UK representative:
- You must nominate in writing a representative in the United Kingdom
- You must notify the Information Commission of the representative's name and contact details (including email address and telephone number)
- You must comply within 3 months: (a) if this applies on the day section 14 comes into force, within 3 months of that day; or (b) otherwise, within 3 months of becoming an RMSP to which this regulation applies
- You must notify the Information Commission of any change to the representative information as soon as reasonably practicable, and in any event before the end of 7 days beginning with the day the change took effect (for representative changes) or the day you became aware (for contact detail changes)
- The Information Commission or GCHQ may contact the representative instead of or in addition to you for the purposes of carrying out their functions
— Bill 329, Part 2, Section 14, Regulation 14D
Incident Reporting Requirements - Regulation 14E
Under Part 2, Section 15 of Bill 329, Regulation 14E sets out strict incident reporting requirements:
⚠️ Critical Timeline: an initial notification within 24 hours and a full notification within 72 hours to the Information Commission, with a copy of the notification sent to CSIRT at the same time.
What is an RMSP Incident?
An incident is an "RMSP incident" if:
- The incident has affected or is affecting the operation or security of the network and information systems relied on to provide the managed service
- The impact of the incident in the United Kingdom or any part of it has been, is or is likely to be significant having regard to factors including: extent of disruption, number of users affected, duration, geographical area, data confidentiality/authenticity/integrity/availability compromise, impact on users' systems, and impact on economy or day-to-day functioning of society
Required Information in Full Notification:
- The RMSP's name and the managed service to which the incident relates
- The time the incident occurred, its duration and whether it is ongoing
- Information concerning the nature of the incident
- Where the incident was caused by a separate incident affecting another regulated person: details of that separate incident and of the regulated person
- Information concerning the impact (including any cross-border impact) which the incident has had, is having or is likely to have
- Such other information as the RMSP considers may assist the Information Commission in exercising its functions
Reporting Requirements:
Notifications must be in writing, provided in such form and manner as the Information Commission determines. You must send a copy of the notification to CSIRT (Computer Security Incident Response Team) at the same time as sending it to the Information Commission.
— Bill 329, Part 2, Section 15, Regulation 14E
Customer Notification Requirements - Regulation 14G
After giving a full notification under Regulation 14E, Part 2, Section 16 requires you to notify affected customers:
- You must, as soon as reasonably practicable, take reasonable steps to establish which of your customers in the United Kingdom are likely to be adversely affected by the incident
- After those steps have been taken, you must notify those customers of the incident
- When considering whether a customer is likely to be adversely affected, you must take into account: (a) the extent of any actual or likely disruption to the provision of the managed service, (b) whether the confidentiality, authenticity, integrity or availability of any data relating to the customer is likely to be compromised, and (c) any other impact on network and information systems of the customer
- A notification must provide details of the nature of the incident and explain why you consider that the customer is likely to be adversely affected by the incident
— Bill 329, Part 2, Section 16, Regulation 14G
Penalties for Non-Compliance
Under Part 2, Section 21 of Bill 329, Regulation 18 sets out financial penalties:
Higher Maximum Amount (Serious Failures):
For failures including:
- Failure to comply with regulation 14B(1) - security duties
- Failure to give notification as required by regulation 14E(1) - incident reporting
- Failure to comply with regulation 14E(5) and (6) - notification requirements
- Failure to comply with a direction under regulation 14F(4)(b) - public disclosure
- Failure to comply with regulation 14G(1)(b) and (3) - customer notification
Maximum: £17,000,000 or 4% of global turnover (whichever is greater)
Standard Maximum Amount (Administrative Failures):
For failures including:
- Failure to comply with regulation 14C(2) or (5) - registration requirements
- Failure to comply with regulation 14D - UK representative requirements
- Failure to comply with regulation 14E(7) - sending copy to CSIRT
Maximum: £10,000,000 or 2% of global turnover (whichever is greater)
Daily Penalties:
For continuing contraventions, daily penalties may apply. The amount of any penalty must be appropriate and proportionate, having regard to the impact of the failure, the steps taken to remedy it, and your previous compliance history.
— Bill 329, Part 2, Section 21, Regulation 18
Information Requests & Inspections
Under Part 2, Section 20 of Bill 329, Regulation 15 gives the Information Commission powers to:
- Require you to give such information or documents as it reasonably requires for exercising its functions
- Require you to obtain or generate information or documents
- Require you to collect or retain information that you would not otherwise collect or retain
- Send information notices whether or not you're established in the UK
- Request information or documents stored within or outside the United Kingdom
⚠️ Important:
Failure to comply with an information notice is itself a breach that can result in penalties. You cannot be required to disclose privileged communications (legal advice protected by legal professional privilege).
— Bill 329, Part 2, Section 20, Regulation 15
Benefits of CSRB Compliance
Competitive Advantage
- Stand out from competitors who aren't compliant
- Access high-value contracts with regulated sectors
- Demonstrate security maturity to clients
Business Benefits
- Build stronger client trust and improve retention
- Reduce cyber risk and incident costs
- Improve your security posture
Direct References from Bill 329
Part 2, Section 9 - Managed Service Providers
Defines "relevant managed service provider" (RMSP) and "managed service". A managed service is provided under contract for ongoing management of IT systems (support, maintenance, monitoring, or active administration), where the provider connects to or accesses customer systems.
Bill 329, Part 2, Section 9, Regulation 1(3B)
Part 2, Section 10 - Duties of Managed Service Providers
Regulation 14B requires RMSPs to identify and take appropriate and proportionate measures to manage risks to network and information systems used to provide managed services, ensure a level of security appropriate to the risk, prevent and minimise impact of incidents, and have regard to Information Commission guidance.
Bill 329, Part 2, Section 10, Regulation 14B
Part 2, Section 14 - Registration Requirements
Regulation 14C requires RMSPs to register with the Information Commission within 3 months, providing company name, address, directors/partners, and contact details. Changes must be notified within 7 days. Regulation 14D requires non-UK RMSPs to nominate a UK representative within 3 months.
Bill 329, Part 2, Section 14, Regulations 14C and 14D
Part 2, Section 15 - Incident Reporting
Regulation 14E requires RMSPs to report incidents within 24 hours (initial notification) and 72 hours (full notification) to the Information Commission, with a copy to CSIRT simultaneously. Regulation 14G requires notification of affected UK customers as soon as reasonably practicable.
Bill 329, Part 2, Section 15, Regulations 14E and 14G
Part 2, Section 12 - Critical Suppliers
Regulation 14H allows the Information Commission to designate suppliers to RMSPs as critical suppliers if their failure could disrupt managed services and have significant impact on the economy or day-to-day functioning of society.
Bill 329, Part 2, Section 12, Regulation 14H
Part 2, Section 20 - Information Gathering
Regulation 15 gives the Information Commission power to require RMSPs to provide information or documents, obtain or generate information, and collect or retain information for regulatory purposes. Information notices can be sent to RMSPs whether or not they're established in the UK.
Bill 329, Part 2, Section 20, Regulation 15
Part 2, Section 21 - Financial Penalties
Regulation 18 sets maximum penalties: £17 million or 4% of turnover for serious failures (security duties, incident reporting, customer notification), and £10 million or 2% of turnover for standard failures (registration, UK representative, administrative requirements).
Bill 329, Part 2, Section 21, Regulation 18
Need Help with MSP CSRB Compliance?
Our expert team helps Managed Service Providers implement and prove compliance with CSRB - and do so in a way that enhances security without slowing innovation.