The UK Cyber Security And Resilience Bill: What It Means When Your IT Provider Has Privileged Access

If your business relies on an outside IT provider, the most important thing to understand about the UK Cyber Security and Resilience Bill is this: it brings managed service providers under direct regulation for the first time, and it does so precisely because those providers hold privileged access to your systems. The Bill was introduced to the House of Commons on 12 November 2025, passed its second reading on 6 January 2026, and went through committee scrutiny in February and March 2026. It is expected to receive Royal Assent during 2026, though many of the detailed rules arrive later through secondary legislation, with full effect potentially phased in over the following couple of years.

So this is not yet law, and the fine print is still being worked out. But the direction is set, and it matters to you whether or not your own business is directly regulated. Here is why, in plain terms.

Why Your IT Provider Is The Point

Think about what a managed service provider actually does. To support your systems, they hold the keys. They have remote access to your machines, administrator rights across your network, and often control of the tools that manage every endpoint you own. That access is what makes them useful. It is also what makes them a target.

Attackers worked this out years ago. Rather than breaking into a hundred businesses one by one, they break into the one provider that already has trusted access to all hundred. The 2021 Kaseya incident is the textbook case, where a single compromised remote management platform spread ransomware to an estimated 1,500 organisations worldwide in one go. More recently, in 2025, the DragonForce ransomware group chained vulnerabilities in the SimpleHelp remote management tool to compromise an MSP and then reach straight into its downstream customers, encrypting and stealing data along the way.

That is the pattern the Bill is responding to. Your provider’s privileged access is a single point of failure that, if abused, becomes everyone’s problem at once. The Five Eyes cyber security agencies, the NCSC among them, have warned for several years that state-backed and criminal groups target MSPs for exactly this reason, and that warning sits behind a lot of this legislation.

What The Bill Actually Changes

The Bill updates the Network and Information Systems Regulations 2018, which until now mostly covered operators of essential services like energy, water and healthcare. The headline change for most businesses is the expansion of who falls in scope.

Managed service providers come into the regulatory perimeter as a new category, sometimes referred to as relevant managed service providers. The government’s estimates put roughly 900 to 1,100 MSPs under direct oversight, with the Information Commissioner’s Office acting as regulator. These providers will need to meet defined security standards, the kind a competent MSP should already be hitting.

The table below summarises the parts most likely to affect you.

Change                        | What it means                                                                                                                              | Who it touches
MSPs brought into scope       | IT providers face direct cyber security obligations for the first time                                                                     | Medium and large managed service providers
Tighter incident reporting    | In-scope organisations report a wider range of incidents to the regulator and NCSC within 24 hours, with a fuller report within 72 hours   | Regulated entities and their providers
Supply chain duties           | In-scope organisations must manage cyber risk in their suppliers through contracts and checks                                              | Suppliers and vendors of regulated firms
Stronger enforcement          | Regulators gain powers to recover costs, share information and impose higher fines                                                         | Non-compliant organisations
Critical supplier designation | Certain suppliers deemed critical to essential services face direct obligations                                                            | Designated key suppliers

The two that ripple outward fastest are the reporting timeline and the supply chain duties.

On reporting, the 24-hour initial notification and 72-hour follow-up is a meaningful tightening. If your provider suffers an incident that affects you, the clock starts quickly, and that changes how prepared everyone needs to be. On supply chain, even businesses not directly regulated can be pulled in indirectly, because their larger, in-scope customers will start demanding contractual security commitments. So a small supplier to a big regulated firm may find cyber requirements landing in its contracts regardless.

The Honest Part: This Raises The Floor

Here is the pragmatic read. If you already work with a competent, proactive provider, this Bill should be reassuring rather than alarming. It raises the baseline across the industry and makes it harder for under-resourced or careless providers to operate without accountability. The standards the Bill enforces are, broadly, the standards a serious managed IT support company serving London businesses should already be meeting.

If your provider treats security as an afterthought, that is the thing to worry about, not the legislation. The right response is not panic. It is a conversation with your provider about how they handle their own privileged access. That conversation sits naturally alongside the wider discipline of IT service management and the reasons IT compliance matters in the first place. The broader case for working with a capable provider is set out in the benefits of outsourcing your IT to an MSP and why businesses should consider an MSP for their IT needs.

Questions To Ask Your Provider Now

You do not need to wait for the secondary legislation to act. The good questions are the ones the Bill is built around, and a decent provider will answer them without flinching.

  • How do you control and monitor the privileged access your engineers hold into our systems?
  • Is that access granted permanently, or only when needed for a specific task?
  • How is your own remote management tooling secured and patched?
  • What is your incident response plan if you are compromised, and how quickly would you tell us?
  • Do you hold recognised certifications such as Cyber Essentials or ISO 27001?

The access question is the crucial one. For years, many providers relied on senior engineers holding broad, persistent access into customer environments because it was convenient. That model is exactly what attackers exploit: a stolen engineer credential or a compromised management tool inherits all of that standing access at once. Better practice is least privilege and just-in-time access, where rights are granted for a named task, time-boxed, logged, and removed afterwards. If your provider cannot explain how they limit their own access, that tells you something.
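To make the just-in-time model concrete, here is a small added example in Python. It is not code from the original article or from any provider’s tooling; the engineer names, customer name, ticket references, the four-hour policy cap and the session log format are all constructed for illustration. It shows the two halves of the idea: a broker that can only issue time-boxed, ticket-backed grants (there is no way to express permanent access), and a check that runs a remote-session export against those grants and flags every login that had no live grant behind it, which is exactly the standing or stale access the paragraph above warns about.

```python
# Added example (not from the original page): a minimal just-in-time access
# broker plus a check that flags remote sessions with no live grant behind them.
# All names, customers, ticket numbers and session lines below are constructed.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=4)  # assumed policy cap on any single grant


@dataclass(frozen=True)
class Grant:
    engineer: str
    customer: str
    role: str            # e.g. "local-admin" or "rmm-operator"
    ticket: str          # change or ticket reference justifying the access
    start: datetime
    ttl: timedelta

    @property
    def end(self) -> datetime:
        return self.start + self.ttl

    def covers(self, engineer: str, customer: str, role: str, at: datetime) -> bool:
        """True if this grant authorises the given engineer/role at time 'at'."""
        return (self.engineer == engineer and self.customer == customer
                and self.role == role and self.start <= at < self.end)


class JitBroker:
    """Grants are time-boxed, tied to a ticket, and revocable. There is no
    'permanent' option: standing access simply cannot be expressed."""

    def __init__(self) -> None:
        self.grants: list[Grant] = []
        self.audit: list[str] = []

    def request(self, engineer, customer, role, ticket, ttl, now) -> Grant:
        if not ticket:
            raise ValueError("a ticket reference is required")
        if ttl <= timedelta(0) or ttl > MAX_TTL:
            raise ValueError(f"ttl must be between 0 and {MAX_TTL}")
        grant = Grant(engineer, customer, role, ticket, now, ttl)
        self.grants.append(grant)
        self.audit.append(f"GRANT {engineer} {role}@{customer} ticket={ticket} "
                          f"until={grant.end.isoformat()}")
        return grant

    def revoke(self, grant: Grant, now: datetime, reason: str) -> None:
        """Cut the grant short at 'now' (task done early, or engineer offboarded)."""
        self.grants.remove(grant)
        if now > grant.start:
            self.grants.append(replace(grant, ttl=now - grant.start))
        self.audit.append(f"REVOKE {grant.engineer} {grant.role}@{grant.customer} "
                          f"at={now.isoformat()} reason={reason}")

    def is_allowed(self, engineer, customer, role, now) -> bool:
        return any(g.covers(engineer, customer, role, now) for g in self.grants)


def parse_ts(s: str) -> datetime:
    # Accept a trailing 'Z' on older Python versions that fromisoformat rejects.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def unapproved_sessions(session_lines, broker):
    """Flag sessions whose login time falls outside every grant: that is the
    standing or stale access the text warns about. Line format (constructed):
    '<iso-timestamp> <engineer> <customer> <role>'."""
    flagged = []
    for line in session_lines:
        ts, engineer, customer, role = line.split()
        if not broker.is_allowed(engineer, customer, role, parse_ts(ts)):
            flagged.append(line)
    return flagged


def run_demo():
    b = JitBroker()
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    b.request("alice", "acme", "local-admin", "CHG-1042", timedelta(hours=2), t0)
    bob = b.request("bob", "acme", "rmm-operator", "CHG-1043",
                    timedelta(hours=1), t0 + timedelta(minutes=30))
    b.revoke(bob, t0 + timedelta(minutes=50), "task complete")
    sessions = [  # constructed sample export from a remote-management tool
        "2026-03-02T09:15:00Z alice acme local-admin",   # inside grant
        "2026-03-02T11:05:00Z alice acme local-admin",   # grant expired
        "2026-03-02T09:40:00Z bob acme rmm-operator",    # inside grant
        "2026-03-02T10:10:00Z bob acme rmm-operator",    # after revocation
        "2026-03-02T09:20:00Z carol acme local-admin",   # no grant at all
    ]
    return b, unapproved_sessions(sessions, b)


if __name__ == "__main__":
    broker, flagged = run_demo()
    print("\n".join(broker.audit))
    print("sessions without a live grant:", *flagged, sep="\n  ")
```

Run as a script it prints the audit trail and the three sessions that had no live grant: alice after her window expired, bob after early revocation, and carol with no grant at all. The point of the design is that the audit trail and the session export are two independent records, so an engineer who logs in outside an approved window shows up whether or not the grant system itself was tampered with; in a real environment the session lines would come from the RMM or VPN logs and the grants from the provider’s PAM or ticketing system.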

This is also why the foundations matter so much. Strong password best practices, proper device control through Microsoft Intune, and modern detection set out in why EDR matters are not optional extras. They are the controls that limit the blast radius if access is abused. The same goes for endpoint security for remote teams and the practical endpoint hardening steps that reduce real-world attacks.

Testing, Not Trusting

One principle runs through the whole Bill: you should be able to demonstrate your security, not just assert it. That means testing.

Regular network penetration testing is how you find the gaps before an attacker does, and the reasoning is laid out in network penetration testing explained and the importance of penetration testing in cybersecurity. It helps to understand pen testing versus vulnerability scanning, the difference between internal and external network penetration testing, and how often you should run it. Fixing what you find is the point, which is why common network vulnerabilities and fixes is a useful companion. Certification ties it together, and why your business should become Cyber Essentials accredited explains the scheme the Bill’s standards lean towards.

Phishing remains the most common way attackers get an initial foothold, including into provider accounts, so anti-phishing controls and knowing how to spot a phishing email matter to the supply chain as much as to your own inbox. As a provider of anti-phishing testing for London businesses, we treat that initial access route as a shared risk between you and anyone who holds keys to your systems.

Detection, Backup And Early Warning

If a provider is compromised, you want to know early and recover fast. Three things matter here.

First, watch for exposed credentials. Dark web monitoring explained covers how this works, and what to do if your company credentials appear on the dark web covers the response. The dark web monitoring service we run for London businesses gives that early signal when something surfaces.

Second, protect the data itself. A supply chain ransomware event is exactly the scenario where backups earn their cost, so Microsoft 365 backup, cloud to cloud backup and avoiding the common cloud backup mistakes all sit inside the cloud backup services we provide to London businesses. The small business guide to ransomware is worth a read if you have not thought about recovery in a while.

Third, plan for disruption. A clear continuity plan, the subject of why your business needs a business continuity plan, is what turns a provider incident from a catastrophe into an inconvenience.

Cross-Border Complications

If your business operates across more than one country, this gets more involved. The UK Bill broadly aligns with the principles of the EU’s NIS2 Directive, which already regulates MSPs, but it takes a distinctly UK approach, so the detail differs. A business spanning both regimes has two overlapping sets of expectations to satisfy.

We help with this through our European IT services and our global IT support work for businesses operating internationally. If you are consolidating systems or moving between platforms, that is the natural moment to build these controls in properly, which is what our London platform migration projects do, and our consulting team can help you map where you sit against the new rules. The full range of services shows how these pieces fit together.

Frequently Asked Questions

Does the Cyber Security and Resilience Bill apply to my small business?

Possibly indirectly. The Bill directly regulates managed service providers and operators of essential services, not most small businesses. But its supply chain duties mean larger regulated customers will start demanding security commitments from their suppliers, so smaller firms can be pulled in through contracts even if they are not directly in scope.

When does the Bill become law?

It was introduced in November 2025 and passed second reading in January 2026. It is expected to receive Royal Assent during 2026, but many detailed requirements depend on secondary legislation that follows, with some measures phased in over the following couple of years. The direction is settled even though the timing of full effect is not.

What is the new incident reporting deadline?

In-scope organisations will need to report a wider range of significant cyber incidents to their regulator and the National Cyber Security Centre within 24 hours, followed by a fuller report within 72 hours. This is tighter than the previous regime and changes how quickly everyone in the chain needs to react.

Why does my IT provider’s access matter so much?

Because that access is a single point of failure. A provider holds privileged, trusted access into many customer systems at once, so if that access is abused, the damage can cascade across all of them. Recent attacks on remote management tools show how a single provider compromise becomes a multi-customer crisis.

What should I ask my IT provider about this?

Ask how they control and monitor their privileged access, whether that access is permanent or granted only when needed, how their remote management tools are secured, how fast they would notify you of a breach, and what certifications they hold. A capable provider will answer these readily.

The Sensible Response

The Bill is not something to fear if your house is in order. The practical move is to have a frank conversation with your IT provider about how they manage the access they hold into your systems, and to make sure your own foundations, your backups, your detection and your testing, are solid. Legislation rarely asks for anything a well-run business should not already be doing. It just makes it harder to skip.

If you would like a clear view of where you stand against the new rules, or you want to ask a provider the right questions and are not sure what good looks like, get in touch with Northern Star. We will help you understand your exposure and tighten the controls that matter most, before the rules make them mandatory.