UK MSP CSRB Compliance 2026: What You Must Do Before Enforcement Begins

For the first time in the history of UK cybersecurity law, Managed Service Providers are regulated entities. The Cyber Security and Resilience (Network and Information Systems) Bill — introduced to Parliament on 12 November 2025 — creates a new category called the Relevant Managed Service Provider (RMSP). If your MSP is medium or large and provides ongoing management of IT systems in the UK, you are almost certainly in scope.

This is not a drill, and it is not distant. Royal Assent is expected in Q2–Q3 2026. Implementation follows via secondary legislation. The MSPs that start now will have a defensible position before the first assurance questionnaire lands. The MSPs that wait will be building their compliance programme under regulatory scrutiny.

The Cyber Security & Resilience Bill is the most significant reform of UK cyber law since 2018. Medium and large MSPs are in scope for the first time. Fines reach £17 million or 4% of global turnover.


What Is the Cyber Security and Resilience Bill?

The Cyber Security and Resilience Bill amends and substantially expands the Network and Information Systems (NIS) Regulations 2018. Where the original NIS regime focused narrowly on operators of essential services such as energy, water, and health, the Bill extends regulation deep into the supply chain — explicitly capturing MSPs, data centres, and designated critical suppliers.

The DSIT-commissioned market research published in November 2025 identified 12,867 active MSPs in the UK. Of these, between 1,500 and 1,700 medium and large providers are expected to fall within scope as Relevant Managed Service Providers. These firms collectively account for 90% of total MSP sector revenue.

Key provisions at a glance

  • Mandatory incident reporting: initial notification within 24 hours, full report within 72 hours
  • Statutory duty to implement appropriate technical and organisational measures
  • Registration obligations under new Regulation 14C
  • Supply chain due diligence requirements
  • ICO designated as the primary regulator for medium and large MSPs
  • Fines up to £17 million or 4% of global annual turnover, whichever is higher
  • Board-level accountability for cyber risk and compliance posture

Is Your MSP In Scope?

The Bill defines a Relevant Managed Service Provider as an entity providing ongoing management of information technology systems, connecting to or obtaining access to network and information systems relied on by the customer. Micro and small enterprises are currently exempt — but that exemption does not apply if a regulator designates you as a critical supplier to an in-scope organisation.

You are almost certainly in scope if:

  • You are a medium or large MSP (more than 50 employees or more than £10.2M turnover)
  • You provide ongoing managed IT services to clients in the UK
  • Your clients include organisations in regulated or essential service sectors
  • You hold privileged access to client systems, networks, or data
  • Your clients would face operational disruption if your service failed

Holding Cyber Essentials or CE+ does not mean you are CSRB-ready. The frameworks address fundamentally different things. CE covers baseline hygiene. The CSRB requires operational resilience, 24-hour reporting, supply chain governance, and board accountability. Ten of sixteen anticipated CSRB requirement areas are not covered by CE at all.


Why Cyber Essentials Is Not Enough

This is the most common and most dangerous assumption in the market right now. Thousands of UK MSPs hold Cyber Essentials or CE+ certification and believe their compliance posture is adequate. It is not — at least not for CSRB purposes.

Cyber Essentials was designed to address five technical controls: boundary firewalls, secure configuration, access control, malware protection, and patch management. These are necessary but they are not sufficient. The CSRB operates at a governance and resilience level that CE was never designed to reach.

The critical gaps CE does not cover include:

  • 24-hour initial incident notification obligations
  • 72-hour full incident reporting requirements
  • Supply chain risk management and vendor due diligence
  • AI governance frameworks
  • Continuous monitoring and evidence trail requirements
  • Board-level accountability and documented risk ownership
  • Client assurance and regulatory registration

Secordit's CSRB-BRIDGE gap analysis toolkit maps all 16 anticipated CSRB requirement areas against CE/CE+ coverage with full RAG status — showing exactly where you are exposed and what to do about each gap. It is the fastest way to understand your real compliance position.


The Incident Reporting Window Is Tighter Than You Think

The 24/72-hour reporting timeline is the provision most likely to catch MSPs off guard. Under the existing NIS Regulations, the reporting window was 72 hours. The CSRB introduces a two-stage process: an initial notification to the relevant regulator and the NCSC within 24 hours of becoming aware of a significant incident, followed by a detailed report within 72 hours.

In practice, this means your MSP needs to have the following in place before an incident occurs:

  • A documented severity classification framework
  • Named incident owners with defined responsibilities
  • Pre-drafted regulator notification templates
  • An evidence log process that runs from T+0
  • Client communication protocols that operate within the regulatory window
  • A tested escalation path to board level

The CSRB-RESPOND incident reporting playbook gives UK MSPs a step-by-step framework for every stage of the reporting process — from triage to regulatory submission — pre-built for the 24/72-hour window.


What UK MSPs Should Do Right Now

The Bill must still pass through both Houses of Parliament before receiving Royal Assent. Implementation is phased and will be largely delivered via secondary legislation. But this is not a reason to wait — it is a reason to move first.

MSPs that build their compliance posture now will have three advantages. First, they will have a defensible position before enforcement begins. Second, they will be able to present that position to clients and insurers as evidence of governance maturity before procurement requires it. Third, they will avoid the cost and reputational pressure of reactive compliance.

Immediate actions for MSP directors

  • Determine whether you meet the size threshold for RMSP designation
  • Map your client base against essential service and regulated sector criteria
  • Assess your current CE/CE+ coverage against the 16 anticipated CSRB requirement areas
  • Review your incident response process against the 24/72-hour reporting window
  • Brief your board on regulatory exposure before the first external question arrives
  • Document your current compliance posture — even partial documentation is better than none

How Secordit Intelligence Supports UK MSPs

Secordit Intelligence monitors the Cyber Security and Resilience Bill through each stage of its parliamentary progress and translates legislative developments into operational implications for UK MSP directors. Everything produced is scoped specifically to MSP operating models — not generic compliance commentary.

Start with a free briefing

The free MSP briefing covers CSRB scope criteria, likely obligations, and the three decisions MSP leadership should make before enforcement. Written for MSP directors. Built from live parliamentary monitoring.

Get a clear position with the Pulse Audit

The CSRB Pulse Audit is a structured 90-minute working session that produces a written exposure position and prioritised action list within five working days. Fixed fee of £497 + VAT. No retainer required. Full refund if you do not leave with a defensible scope position.

Implement with the compliance toolkit range


CSRB Timeline: What to Expect

  • November 2025 — Bill introduced to House of Commons (First Reading)
  • January 2026 — Second Reading
  • Q1–Q2 2026 — Committee stage and Report stage
  • Q2–Q3 2026 — Royal Assent expected
  • Post-Royal Assent — Implementation via secondary legislation (phased)

For current status, see the official GOV.UK CSRB page and the Parliament Bills page.


The Window Is Open. Most MSPs Are Not Using It.

The Cyber Security and Resilience Bill will designate a category of UK MSPs as regulated entities for the first time. The obligations are real, the enforcement powers are significant, and the timeline is closer than most MSP directors currently appreciate.

The MSPs that treat this as a preparation window — rather than waiting for the final text — will be positioned as trusted advisors to their regulated clients long before compliance becomes mandatory. Those that wait will be building their programme under regulatory scrutiny, at higher cost, with less time.

The compliance window is the competitive advantage. MSPs that brief their clients on CSRB readiness now differentiate themselves before enforcement demands it.


Matthew Protheroe-Hill is the founder of Secordit Intelligence. He holds a BSc (Hons) in Cyber Security & Networks (First Class) and is the former Managing Director of Sencode Cyber Security. Secordit Intelligence provides UK MSP-specific regulatory intelligence and compliance readiness tools built from live parliamentary monitoring.

