Cyber Essentials vs CSRB: The Gap UK MSPs Must Close
Cyber Essentials certification is one of the most widely held security credentials among UK Managed Service Providers. It covers five control areas and is recognised by the NCSC as a baseline for protection against common cyber threats. What it does not do — and was never designed to do — is prepare your MSP for the regulatory obligations that the Cyber Security & Resilience Bill introduces.
The CSRB operates across 16 requirement areas. Cyber Essentials addresses approximately two of them. The remaining 14 — including mandatory 24-hour incident reporting, supply chain risk management, board-level governance, and continuous security monitoring — are entirely outside CE’s scope. This page explains what the gap looks like, why it matters, and what a structured gap analysis produces.
What the Cyber Security & Resilience Bill Adds Beyond Cyber Essentials
The NIS Regulations 2018 established the existing framework for network and information systems security in the UK. The CSRB extends that framework significantly, reclassifying Managed Service Providers as Relevant Managed Service Providers and bringing them under a set of obligations that the original NIS regime did not apply to them.
The additions the CSRB makes beyond what CE covers fall into four categories:
– Incident reporting — mandatory notification to the ICO within 24 hours of a significant incident, followed by a full report within 72 hours. CE contains no incident reporting requirement.
– Supply chain governance — documented due diligence on third-party suppliers and subprocessors. CE does not address supply chain risk.
– Board accountability — formal governance reporting on security posture and risk position at board level. CE does not require board-level documentation.
– Continuous monitoring — ongoing detection and alerting capability. CE is a point-in-time assessment with no ongoing monitoring requirement.
These are not extensions of what CE already requires. They are categorically different obligations that require new processes, new documentation, and new evidence trails to be built from scratch.
The 16 CSRB Requirement Areas: Where CE Ends and Liability Begins
The CSRB’s compliance framework is structured around 16 requirement areas, calibrated against NCSC CAF v4.0. Analysis of CE and CE+ coverage against these 16 areas produces a consistent result across MSPs: certification covers approximately two areas to a satisfactory standard, partially addresses four, and does not address the remaining ten at all.
The ten areas that CE does not address — and which represent the highest enforcement risk under the CSRB — are:
– 24-hour incident reporting to the ICO
– 72-hour full incident report with root cause analysis
– Supply chain risk management and third-party due diligence
– AI governance framework including an Acceptable Use Policy
– Continuous security monitoring — CE is point-in-time only
– Board-level accountability and governance reporting
– Data classification and security labelling
– Business continuity and resilience planning with tested RTOs and RPOs
– Security monitoring and anomaly detection capability
– Alerting and response to detected anomalies
Each of these represents a gap between your current CE certification and what an ICO inspector will expect to find during a CSRB compliance review. The question is not whether these gaps exist — for CE-certified MSPs, they do. The question is how wide each one is for your specific organisation.
What Is the NCSC CAF v4.0 and Why Does It Matter for MSPs?
The NCSC Cyber Assessment Framework version 4.0 is the technical baseline against which CSRB compliance will be assessed. It provides the structured objectives, indicators of good practice, and evidence expectations that regulators use when reviewing an organisation’s security posture.
For MSPs, CAF v4.0 matters for two reasons. First, it defines what ‘compliant’ looks like in practical terms — not as a checklist but as a set of outcomes that your controls and processes must demonstrably achieve. Second, it provides the scoring methodology that underpins any structured gap analysis: each of the 16 CSRB requirement areas maps to specific CAF objectives, and each objective has defined indicators that determine whether your coverage is adequate.
An MSP that does not understand its CAF v4.0 position cannot accurately assess its CSRB exposure. The CE/CE+ score is a starting point, but it tells you only about five control areas. The CAF covers all 16.
The 10 Critical Gaps CE-Certified MSPs Face Under the CSRB
For MSPs holding CE or CE+ certification, the gap analysis consistently produces a baseline exposure score in the region of 24 out of 100 against CAF v4.0. The inspection-ready threshold is 86 out of 100. That gap — 62 points — represents the remediation programme your MSP needs to build before Royal Assent.
The critical gaps are the ones that carry the highest enforcement risk: the areas an ICO inspector will examine first and that attract the largest penalties for non-compliance. Of the ten unaddressed areas, three carry the highest immediate risk:
Incident reporting capability
The absence of a documented, tested 24-hour notification process is the single highest-risk gap for most CE-certified MSPs. It is the obligation with the shortest window, the most specific evidence requirements, and the clearest enforcement trigger. An MSP that cannot produce a completed ICO notification within 24 hours of a significant incident, with a timestamped evidence trail, is in breach of the most visible CSRB obligation.
Board-level governance documentation
ICO inspectors review governance posture as a primary indicator of an organisation’s overall compliance culture. An MSP with no board-level security reporting, no documented risk position, and no evidence of senior leadership accountability will face a harder regulatory conversation regardless of its technical controls.
Supply chain risk management
MSPs sit at the centre of their clients’ supply chains. The CSRB’s supply chain obligations apply both to the MSP’s own third-party relationships and — in some cases — to the MSP’s position as a supplier to clients in regulated sectors. CE does not address this dimension at all.
How to Conduct a CSRB Gap Analysis for Your MSP
A structured CSRB gap analysis maps your current controls, certifications, and documentation against each of the 16 requirement areas calibrated to CAF v4.0. The output is a scored exposure position — a RAG rating across all 16 areas — and a prioritised remediation plan ordered by enforcement risk.
A credible gap analysis covers five stages:
– Scope confirmation — establishing whether your MSP meets the criteria for RMSP classification and which service lines are in scope
– Baseline mapping — documenting your current certifications, controls, and processes against each of the 16 requirement areas
– Gap identification — recording where coverage is absent, partial, or adequate, with evidence references for each assessment
– Exposure scoring — weighting each gap by its regulatory enforcement priority to produce an overall exposure score
– Remediation planning — ordering required actions by enforcement risk and estimated implementation effort, with owner assignment
The remediation plan the analysis produces is not just an internal planning tool. It is also the starting point for your regulatory evidence trail — documentation that demonstrates proactive compliance intent before any enforcement action occurs. Regulators treat the existence of a documented remediation programme as a significant mitigating factor in enforcement decisions.
Frequently Asked Questions
Does CE+ certification close more of the gap than CE?
Not in any material sense. CE+ is a verified version of CE — it confirms that the same five control areas are technically in place through independent assessment rather than self-attestation. It does not extend the scope of CE to cover additional CSRB obligation areas. An MSP holding CE+ will have an identical gap profile to a CE-only holder across all 16 CSRB requirement areas, with minor differences in one or two specific controls where the CE+ verification adds marginal weight.
We passed our CE renewal last month — do we still have gaps?
Yes. CE renewal confirms that your five CE control areas remain in place. It does not address the 10 CSRB requirement areas that CE has never covered. A recent CE renewal is a positive signal for your technical baseline, but it is orthogonal to your CSRB gap position. The two frameworks assess different things.
How long does it take to close the gaps?
The full remediation programme — moving from a CE baseline score of approximately 24/100 to an inspection-ready position of 86/100 — typically requires three to six months for an MSP that dedicates appropriate resource to it. The timeline varies significantly depending on whether the MSP has existing incident response documentation, a security monitoring capability, and any form of governance reporting in place. Closing the three highest-risk gaps (incident reporting, board governance, supply chain) can be achieved in four to eight weeks with the right framework.
Can we do the gap analysis ourselves?
Yes, with the right framework. The CSRB-BRIDGE diagnostic provides the 16-area mapping, exposure scoring methodology, and remediation tracker you need to conduct a structured self-assessment. For MSPs that want an independent, named-organisation assessment with an analyst-reviewed exposure score, the Pulse Audit delivers that as a service engagement.
Next Step: Run Your Gap Analysis
CSRB-BRIDGE is a 22-page regulatory diagnostic PDF built specifically for CE and CE+ certified MSPs. It maps all 16 CSRB requirement areas against your current coverage, scores your exposure against NCSC CAF v4.0, and delivers a prioritised remediation tracker and board briefing template. Instant download, deployable the same day.
For MSPs who need a bespoke, named-organisation assessment reviewed by an analyst, the Pulse Audit delivers that as a 90-minute service engagement with a written RAG-rated report within 48 hours.