MSP Requirements Under the UK Cyber Security & Resilience Bill
Your clients are already asking for documented compliance. The Bill designates qualifying MSPs as Relevant Managed Service Providers, with specific obligations that Cyber Essentials Plus does not cover: 24-hour ICO notification, tenant isolation, supply chain due diligence, and annual penetration testing. We assess your RMSP status, identify the gaps, and build the compliance programme. From £8,000.
Three roles. Three sets of obligations. One engagement.
This assessment is for the people who will be held accountable when the Bill is enforced.
MSP Founders and MDs
You need to confirm to a client that your operation meets the Bill's requirements and need a documented compliance programme to reference in contracts and tenders. The client demand letter has already arrived or will arrive.
Operations Directors and Compliance Leads
You need to understand the specific technical controls required (PAM, tenant isolation, SIEM) and build an implementation roadmap with a realistic budget that you can take to the board.
Technical Directors
You need to know exactly what the 24-hour notification obligation requires operationally and how to build an incident runbook that works at 2am on a Saturday when an RMM compromise hits three client environments.
CE+ vs Bill Requirements: The Six Gaps
Cyber Essentials Plus is the minimum baseline. The rows below marked "Not assessed" fall into six RMSP obligation areas that CE+ does not cover: incident notification, tenant isolation, supply chain due diligence, privileged access management, security monitoring, and registration and governance.
| Requirement | Cyber Essentials Plus | UK Cyber Resilience Bill (RMSP) |
|---|---|---|
| Firewall configuration | Covered | Covered |
| Secure configuration | Covered | Covered |
| Access control | Covered | Extended: PAM required for privileged accounts |
| Malware protection | Covered | Extended: EDR/MDR recommended |
| Patch management | Covered | Covered, with 14-day critical patch requirement |
| Tenant isolation | Not assessed | Mandatory for multi-tenant MSPs |
| 24-hour incident notification to ICO | Not assessed | Mandatory |
| 72-hour full incident report | Not assessed | Mandatory |
| Client notification procedures | Not assessed | Mandatory, within 24-72 hours |
| Supply chain due diligence | Not assessed | Mandatory, documented programme |
| Right-to-audit on sub-contractors | Not assessed | Required for critical sub-contractors |
| SIEM / 24/7 monitoring | Not assessed | Effectively mandatory for RMSP status (subject to guidance) |
| Business continuity / RTO commitments | Not assessed | Mandatory for critical service MSPs |
| ICO registration as RMSP | Not assessed | Mandatory |
| Annual penetration testing | Not assessed | Mandatory |
| Board-level security governance | Not assessed | Mandatory |
Based on the government's published policy statement. The specific secondary legislation is subject to Parliamentary confirmation. Rows marked (subject to guidance) reflect current NCSC/ICO expectations pending final secondary legislation.
Bill Progress Timeline for MSPs
Real dates are more compelling than urgency language. The transition periods will be shorter than most MSPs expect.
Bill announced in King's Speech
Policy statement published
Bill introduced to Parliament and Second Reading
Committee stage, MSP provisions debated
Royal Assent (estimated)
ICO begins RMSP registration
Incident reporting obligations in force
Full RMSP compliance deadline
Source: UK Parliament Bills portal. Timeline subject to Parliamentary progress.
MSP Compliance Methodology:
Five Obligation Areas
Comprehensive security control implementation and compliance management for Relevant Managed Service Providers under the UK Cyber Resilience Bill.
RMSP Security Controls: What the Bill Requires Beyond CE+
The Bill requires MSPs to implement five technical controls that Cyber Essentials Plus does not assess: multi-tenant isolation preventing cross-client data access, PAM for all administrative accounts, SIEM-based security monitoring with 24/7 incident detection capability, continuous vulnerability management, and annual penetration testing. We assess your current posture against each requirement and build a prioritised remediation plan aligned with the NCSC CAF.
24-Hour Incident Notification: Building the Runbook
When a notifiable incident occurs, your clock starts when your organisation becomes aware of it. Expect a regulator to read "aware" as the point at which the incident was first detectable in your telemetry, not the point at which an engineer read the alert, so an alert that sat unacknowledged overnight has already consumed part of the window. The Bill requires initial notification to the ICO within 24 hours of a major incident and a full report within 72 hours. We develop the runbook: incident classification criteria, escalation paths, ICO notification templates, client communication procedures, and the out-of-hours call tree your team needs at 2am on a Saturday when an RMM compromise hits three environments simultaneously. See our incident reporting guide for the full notification framework.
Sub-Contractor Due Diligence and Flow-Down Obligations
If you white-label a SOC service, resell a third-party RMM platform, or sub-contract specialist engineering work, the Bill's liability sits with you, not your supplier. We conduct documented due diligence assessments of your technology vendors and sub-contractors, review or draft right-to-audit clauses in your supplier contracts, and build the ongoing monitoring programme the Bill requires. If three of your clients are NHS trusts, the data flow map is not optional. See our guidance on critical supply chain rules under the Bill.
Client Security Assessments
We conduct security assessments of client environments as part of MSP onboarding, help you establish baseline security requirements for clients, and implement security monitoring across your multi-tenant infrastructure. The Bill requires RMSPs to demonstrate ongoing assessment of the environments they manage, not just their own internal posture.
Resilience and Business Continuity
Ensuring MSP services meet the Bill's resilience requirements: backup and disaster recovery for client data, service continuity planning, and documented recovery time objectives (RTO) for critical services. For RMSPs serving critical infrastructure, specific RTO commitments are not aspirational targets: they are regulatory obligations. We model your current continuity posture against the Bill's requirements and identify gaps before your clients or the ICO do.
Engagement Workflow
Structured to minimise operational friction and produce documented, auditable outputs at each stage.
RMSP Status Determination and Gap Analysis
Before assessing what needs to change, we establish whether your MSP meets the RMSP threshold. 50+ employees or £10m+ turnover is the primary test, but client sector composition often determines effective scope regardless of size. We map your current security controls against the Bill's six RMSP-specific requirements, produce a documented gap analysis with prioritised remediation, and give you a clear answer to what a client's procurement team is asking: Are you compliant?
Security Control Implementation
We implement the enhanced security controls: tenant isolation, Privileged Access Management (PAM) for all administrative accounts, Security Information and Event Management (SIEM), and continuous vulnerability management across MSP infrastructure. Each control is mapped to the Bill obligation it satisfies and documented for ICO registration.
Incident Notification Runbook Development
We build the operational runbook your team needs before an incident happens. This includes: incident classification criteria aligned with the Bill's significant and major thresholds, the ICO notification template and submission procedure, client communication cascade (who gets notified, in what order, with what information), coordinated response procedures when multiple client environments are affected simultaneously, and quarterly tabletop exercises to test the runbook before the ICO does.
Continuous Compliance Programme
We implement ongoing compliance monitoring: quarterly security audits, annual penetration testing (a mandatory requirement for RMSPs), continuous vulnerability scanning, and regular review of client security assessments. Annual compliance support from £4,000/year.
Know the cost before you commit.
All compliance programmes are fixed-price after an initial scoping call. No day-rate ambiguity.
Small MSP Gap Analysis
Under 50 staff, <100 clients
From £8,000
Mid-Size MSP Programme
50-200 staff
From £15,000
Large MSP / CNI Clients
200+ staff, critical infra
From £25,000
Annual Compliance Support
All MSP sizes
From £4,000/yr
Fixed pricing after scoping call. No retainer required.
What RMSPs Need Beyond CE+. We Deliver It.
The Bill requires 24/7 security monitoring capability and annual penetration testing for RMSPs. Precursor delivers both under a single CREST-accredited engagement. No need to coordinate multiple vendors.
Cyber Essentials Plus
The minimum baseline the Bill requires. We certify and extend it to cover RMSP-specific gaps.
Managed Detection and Response
24/7 SIEM-based monitoring. The monitoring capability required for RMSP status.
Penetration Testing
Annual penetration testing is mandatory for RMSPs. CREST-accredited, fixed price.
Incident Response
Retainer-based incident response supporting your 24-hour notification obligations.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Your clients are asking. Do you have the answer?
The client demand letter is already arriving at MSPs across the UK. Book a free scoping call: we determine your RMSP status, quantify the gap between CE+ and Bill compliance, and provide a fixed-price programme quote. No obligation. No day-rate surprises.
MSP Compliance: Common Questions
Pricing, RMSP thresholds, CE+ gaps, incident reporting, and sub-contractor obligations.
What does MSP compliance cost?
MSP security compliance services for the UK Cyber Resilience Bill typically range from £8,000 to £35,000+ depending on MSP size, client base, and current security maturity. Small MSPs (under 50 employees, fewer than 100 clients) average £8,000-£12,000 for gap analysis, security control implementation guidance, and incident notification procedures including the runbook. Mid-sized MSPs (50-200 employees) typically require £15,000-£25,000 for comprehensive compliance programmes including tenant isolation assessment, PAM implementation, and client notification procedures. Large MSPs serving critical infrastructure clients typically invest £25,000-£35,000+ for full compliance implementation including continuous monitoring, penetration testing, and regulatory engagement support. Annual compliance maintenance and monitoring is available from £4,000/year. We provide fixed pricing after assessing your client portfolio and current security posture. No day-rate ambiguity.
Which RMSP obligations does Cyber Essentials Plus not cover?
Cyber Essentials Plus is the minimum baseline the Bill requires, but it does not cover six specific obligations that apply to Relevant Managed Service Providers: (1) 24-hour initial notification to the ICO for major incidents and 72-hour full incident reporting, which CE+ does not address; (2) Multi-tenant isolation preventing cross-client data access, which CE+ does not assess for MSP environments; (3) Documented supply chain due diligence on sub-contractors and technology vendors, with right-to-audit clauses; (4) Privileged Access Management (PAM) for all administrative accounts across client environments, beyond CE+ access control requirements; (5) SIEM-based 24/7 security monitoring, which CE+ does not assess; (6) ICO registration as an RMSP and board-level security governance documentation. We help CE+ certified MSPs identify exactly which of these six gaps apply to their operation and build the compliance programme on top of their existing certification.
What is a Relevant Managed Service Provider?
The Bill introduces the term Relevant Managed Service Provider (RMSP) to designate managed service providers that fall within its regulatory scope. An RMSP is broadly defined as an MSP that: (a) has 50 or more employees or £10m or more in annual turnover, and (b) provides managed IT services to organisations in critical sectors including energy, health, transport, water, financial services, government, and digital infrastructure. Size alone does not determine RMSP status. An MSP with 15 employees that manages IT for three NHS trusts may be treated as functionally equivalent to an RMSP by its clients' own regulators. The ICO will publish a formal RMSP registration process. MSPs should assess their RMSP status now rather than wait for ICO guidance, as the compliance gap analysis itself informs the determination.
When do the obligations take effect?
The Bill is currently progressing through Parliament with implementation expected on a phased basis. Incident reporting obligations are expected to be among the first requirements enforced. MSPs should implement 24-hour ICO notification procedures immediately. ICO registration for RMSPs will follow Royal Assent. Full security control implementation (SIEM, tenant isolation, PAM, supply chain due diligence) is subject to transition periods, but MSPs serving regulated sector clients are already being asked to demonstrate Bill-readiness by those clients' own compliance teams. We recommend beginning gap analysis now. A compliance programme takes 8-16 weeks to implement depending on current security maturity, and the transition periods will be shorter than most MSPs expect.
Does the size threshold exclude small MSPs?
The Bill uses the term Relevant Managed Service Provider (RMSP). The primary threshold is 50+ employees or £10m+ turnover. But size alone does not determine your exposure. If you serve critical infrastructure clients, NHS trusts, local councils, energy suppliers, or financial services firms, your clients' own regulatory requirements will contractually impose Bill-equivalent standards on you regardless of your size. We have assessed MSPs with 12 employees who are contractually required to meet RMSP standards because of their client base. Do not assume the threshold protects you until you have mapped your client portfolio against the Bill's critical sector definitions.
What counts as a major incident, and what are the notification deadlines?
The Bill distinguishes between significant incidents and major incidents, each with different notification obligations. For major incidents, MSPs must file an initial notification to the ICO within 24 hours of becoming aware of the incident and a full incident report within 72 hours. Significant incidents have longer reporting windows. The classification criteria include: ransomware attacks affecting client data or services, data breaches involving client information, significant service disruptions to critical infrastructure clients, security incidents affecting multiple client environments simultaneously, and RMM tool compromises that create pathways into client environments. The runbook we develop defines these classification criteria operationally, not just theoretically: which telemetry counts as awareness, who classifies, and who signs off the ICO submission.
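The runbook and classification criteria above are prose; the following is an added example, written for this page and not the consultancy's own tooling, of how the detection, classification and deadline steps look as code. It runs over a handful of constructed RMM audit-log lines (the JSON field names, the tenant names, and the marking of client-b as a critical-sector client are all assumptions for the example) and flags an operator identity that pushes a script into several client tenants within minutes, classifies that as a major incident under the page's criteria, and starts the 24-hour and 72-hour clocks from the earliest event in the cluster rather than from the engineer's later acknowledgement.

```python
"""Added example: cross-tenant RMM activity detection with Bill notification
deadlines. Log format, field names and tenant data are constructed."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed RMM audit-log lines, one JSON object per line. Field names are
# an assumption for this example; real RMM platforms use their own schemas.
SAMPLE_LOG = """\
{"ts": "2025-06-14T01:52:10Z", "operator": "svc-rmm-deploy", "tenant": "client-a", "action": "script.run"}
{"ts": "2025-06-14T01:53:41Z", "operator": "svc-rmm-deploy", "tenant": "client-b", "action": "script.run"}
{"ts": "2025-06-14T01:55:02Z", "operator": "svc-rmm-deploy", "tenant": "client-c", "action": "script.run"}
{"ts": "2025-06-14T02:10:00Z", "operator": "jsmith", "tenant": "client-a", "action": "session.open"}
{"ts": "2025-06-14T09:30:00Z", "operator": "jsmith", "tenant": "client-a", "action": "alert.ack"}
"""

# Assumption: tenants that are critical-sector clients (e.g. an NHS trust).
CRITICAL_SECTOR_TENANTS = {"client-b"}

INITIAL_NOTIFICATION = timedelta(hours=24)  # initial ICO notification window
FULL_REPORT = timedelta(hours=72)           # full incident report window


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines audit records; timestamps become aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def cross_tenant_script_runs(events: list[dict], window: timedelta = timedelta(minutes=15),
                             min_tenants: int = 2) -> dict[str, tuple[datetime, set[str]]]:
    """Return {operator: (first_ts, tenants)} for operators whose script.run
    events touch at least `min_tenants` distinct tenants inside `window`.
    first_ts is the earliest event of the cluster: the point at which the
    activity was first detectable, which is where the notification clock starts."""
    by_operator: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["action"] == "script.run":
            by_operator[e["operator"]].append(e)

    hits: dict[str, tuple[datetime, set[str]]] = {}
    for operator, runs in by_operator.items():   # runs are already time-ordered
        for i, start in enumerate(runs):
            tenants = {r["tenant"] for r in runs[i:] if r["ts"] - start["ts"] <= window}
            if len(tenants) >= min_tenants:
                hits[operator] = (start["ts"], tenants)
                break  # keep the earliest qualifying cluster
    return hits


def classify(tenants: set[str]) -> str:
    """Page criteria: an incident hitting multiple client environments at once,
    or a critical-sector client, is major; otherwise treat it as significant."""
    if len(tenants) > 1 or tenants & CRITICAL_SECTOR_TENANTS:
        return "major"
    return "significant"


def deadlines(aware_at: datetime) -> dict[str, datetime]:
    """24h initial notification and 72h full report, both from awareness."""
    return {"initial_notification": aware_at + INITIAL_NOTIFICATION,
            "full_report": aware_at + FULL_REPORT}


def assess(log_text: str) -> list[dict]:
    """Detection + classification + deadlines; one record per flagged operator,
    which is the input the runbook's escalation and call-tree steps need."""
    findings = []
    for operator, (first_ts, tenants) in cross_tenant_script_runs(parse_log(log_text)).items():
        findings.append({
            "operator": operator,
            "tenants": sorted(tenants),
            "classification": classify(tenants),
            "aware_at": first_ts,
            **deadlines(first_ts),
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LOG):
        print(json.dumps(finding, default=str, indent=2))
```

Note what the example does with the 09:30 alert.ack line: it is ignored. Measured from that acknowledgement the team would believe it had until 09:30 the next day; measured from the first script.run at 01:52 the initial notification is due seven and a half hours earlier. The window and tenant-count thresholds are tuning knobs, and a legitimate fleet-wide patch push will trip them too, so in practice the detection feeds a triage step that checks the operator against the change calendar before the runbook's escalation fires.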
What are the sub-contractor obligations?
MSPs must conduct documented security due diligence on sub-contractors and technology suppliers, ensure contractual security obligations flow down to sub-contractors through right-to-audit clauses, monitor sub-contractor security posture on an ongoing basis, and notify clients of sub-contractor changes that could impact security. If you white-label a SOC service or resell a third-party RMM platform, the regulatory liability for that service sits with your MSP under the Bill. The ICO will not accept that you trusted a supplier you have worked with for years as a defence under a regulatory investigation.
What are the consequences of non-compliance?
Non-compliance can result in: regulatory fines (up to £10 million or 2% of turnover, whichever is higher), mandatory improvement notices from the ICO, client contract terminations (particularly from regulated sector clients who will audit supplier compliance), loss of critical infrastructure clients who require RMSP compliance as a contractual condition, and reputational damage that affects tender responses. The more immediate commercial risk for most MSPs is the client demand letter: a procurement team at an NHS trust or financial services firm requiring written confirmation of Bill compliance. That is the scenario that produces phone calls to us.