Written by Joanne Hughes, Policy & Compliance Specialist

Cyber Security and Resilience Bill - Managed Service Provider Guide

The Cyber Security and Resilience Bill brings managed service providers under direct cyber regulation for the first time. If you manage IT systems for other organisations, this is aimed at you.

Regulation will sit with the Information Commissioner's Office, and the duties are real: registration, security measures, incident reporting and a UK representative for overseas providers.

This guide explains who counts as a relevant managed service provider, the duties, and the reporting clocks.

Who Is a Relevant Managed Service Provider

The Bill targets relevant managed service providers, often shortened to RMSPs. Broadly, these are medium or large businesses that provide ongoing management of another organisation's IT systems, such as support, maintenance, monitoring or active administration.

Medium or large generally means meeting size thresholds, broadly 50 or more staff or turnover above 10 million euros. Microbusinesses and small providers are expected to fall outside direct regulation, though the supply-chain effect can still reach them.

The Core Duties

Register with the ICO

Relevant managed service providers will need to register with the Information Commissioner's Office, which becomes their regulator for these rules.

Appropriate and proportionate security

You must put in place appropriate and proportionate technical and organisational measures to manage cyber risk. What counts as proportionate depends on your size and the risk you carry.

Appoint a UK representative

Providers based outside the UK that fall in scope are expected to appoint a UK representative, so the regulator has a clear point of contact.

Incident Reporting Clocks

The Bill introduces a two-stage reporting duty for significant incidents. You make an initial notification within 24 hours of becoming aware of the incident, then a fuller report within 72 hours of becoming aware of it.

You may also need to notify the National Cyber Security Centre and your affected customers. Build the timeline into your incident response procedure now, because 24 hours is not long under pressure.

Penalties

Penalties are tiered. The standard maximum is the greater of 10 million pounds or 2 percent of worldwide turnover. The higher maximum, for serious failures including breaches and reporting failures, is the greater of 17 million pounds or 4 percent of worldwide turnover.

RMSP Duties at a Glance

Duty               | Detail
-------------------|------------------------------------------------------------------------
Register           | Register with the ICO as the regulator
Security           | Appropriate and proportionate technical and organisational measures
Report             | 24-hour initial notification, 72-hour fuller report
UK representative  | Required for in-scope overseas providers
Penalties          | Up to the greater of 17 million pounds or 4 percent of worldwide turnover

How to Prepare

The documentation you will need maps closely to recognised standards. An information security management system aligned to ISO 27001, a tested incident response procedure and clear supplier controls cover most of it.

Cyber Essentials is a sensible baseline, and many of your customers will ask for it regardless of the Bill.

How Policy Pros Can Help

We help managed service providers build the documentation the Bill expects, from IT security policies and an incident response procedure to the supplier controls regulators will look for. Our Cyber Essentials and ISO 27001 policy services cover the recognised baselines.

For the wider picture, see our Cyber Security and Resilience Bill small business guide. Official sources include the Bill's parliamentary page and the GOV.UK Bill collection.

Frequently Asked Questions

Does the Cyber Security and Resilience Bill apply to managed service providers?

Yes. The Bill brings medium and large managed service providers under direct regulation for the first time, as relevant managed service providers. They are overseen by the Information Commissioner's Office.

What is a relevant managed service provider?

Broadly, a medium or large business that provides ongoing management of another organisation's IT systems, such as support, maintenance, monitoring or active administration. Size thresholds apply, broadly 50 or more staff or turnover above 10 million euros, so the smallest providers are expected to fall outside direct regulation.

Who regulates managed service providers under the Bill?

The Information Commissioner's Office. Relevant managed service providers will need to register with the ICO, maintain appropriate and proportionate security measures, and, if based overseas, appoint a UK representative.

What are the incident reporting deadlines for managed service providers?

A two-stage duty: an initial notification within 24 hours of becoming aware of a significant incident, then a fuller report within 72 hours. You may also need to notify the National Cyber Security Centre and your affected customers.

How should a managed service provider prepare for the Bill?

Build the documentation that maps to recognised standards: an information security management system aligned to ISO 27001, a tested incident response procedure that meets the 24-hour and 72-hour clocks, and clear supplier controls. Cyber Essentials is a sensible baseline that many customers already expect.
