How we should prepare for the Cyber Security and Resilience Bill

Matt Middleton-Leal on what the upcoming Cyber Security and Resilience Bill means for MSPs and the practical steps you should take now to strengthen cyber resilience and reporting readiness

In November 2025, the UK Government introduced the Cyber Security and Resilience Bill to update the Network and Information Systems Regulations, first introduced in 2018. The earlier rules focused on security and resilience for critical national infrastructure, but most of the IT sector was left out. That approach no longer aligns with how businesses operate today. Now, many organisations depend on technology for daily operations, and service providers often deliver and manage this technology. The new Bill aims to address this shift.

This is where any discussion about the future should begin. The Bill is not a minor update for a small group. It shows that digital dependency has increased, and resilience is now central to business continuity. Businesses rely on providers to keep systems running, secure, and available—not just to supply tools.

Why MSPs need to pay attention

The biggest change in the Bill is its treatment of managed service providers. Large and medium-sized service providers will be designated as Relevant Managed Service Providers, or RMSPs, alongside Relevant Digital Service Providers, which include those offering IT or cloud infrastructure. Importantly, this is not limited to businesses with direct responsibility for security. Any organisation providing an IT service that is so important to a customer’s operations that its removal would cause downtime can be covered by the Bill. That includes IT services, help desk providers and application providers. Government research cited in the article suggests that around 1,214 of the UK’s 12,867 MSPs, just under 10 per cent, could fall into the RMSP category.

That is a significant development because it broadens the conversation. Security and resilience are no longer issues to be left solely to a specialist function. They become part of the wider service obligation. If a provider is essential to keeping a customer running, the expectation is going to be higher, and rightly so.

The scope is wider than many expect

Alongside RMSPs, data centre operators will be treated as critical national infrastructure and will be required to meet the same security and resilience requirements as other covered providers. The article also notes that data centres have already been reclassified for planning purposes, making it easier to gain permission for new facilities. Under this Bill, those operators would also have to meet the strict cyber and physical security requirements expected elsewhere in the framework.

Smaller businesses should not assume they are automatically unaffected. Small and micro-sized organisations are normally expected to be exempt, but companies seen as critical suppliers to national infrastructure operators can still be brought into scope through the Designated Critical Supplier scheme. In practical terms, that means some businesses that consider themselves outside the main regulatory framework may still have to meet the same security and resilience expectations if the services they provide are important enough.

Who will enforce it

Companies covered by the Bill will be assigned to a relevant regulator for audit and enforcement. For technology companies, that will normally be Ofcom, although those operating in specific vertical sectors could also fall under the oversight of a sector regulator. Where there is overlap, the regulators will decide who leads on compliance and audit.

That should focus minds. Regulation carries more weight when organisations understand that compliance will be reviewed and enforced through a defined structure. This is not simply guidance to be read and put on a shelf.

Reporting will be the hardest test for many firms

In my view, the most demanding part of the Bill for many RMSPs will be the reporting requirement. Under the proposed rules, covered organisations will face 24-hour and 72-hour deadlines when security incidents occur. Where there is a major incident, RMSPs must report the initial impact to the National Cyber Security Centre within 24 hours, followed by a fuller report within 72 hours. The intention is to allow the NCSC to provide support when needed and to alert the wider supply chain to potential impact.

Anyone who has handled a live cyber incident knows how demanding that will be. During an active event, teams are already under pressure to investigate, contain and restore. Adding formal reporting deadlines may require them to explain which attack is underway, what impact it may have, and whether customer data could be at risk, all while they are still responding in real time. The article makes the point clearly that this will be a huge challenge, particularly for organisations that have not previously been subject to NIS-style obligations.

Manual processes will not be enough

This is why I do not believe manual approaches will get organisations very far. The article is explicit on this point. Trying to handle these requirements manually will be difficult, if not impossible, so automation around asset visibility and security status will be needed.

That is not just about speed. It is about confidence. If an incident occurs, organisations need to know which assets they have, their condition, known risks, and where potential exposure exists. Without that level of visibility, reporting quickly and accurately becomes much harder.

The same applies to compliance more broadly. Treating compliance as a once-a-year exercise before an audit is, as the article puts it, storing up trouble for the future. Threat campaigns do not arrive on a timetable that suits audit planning. Incidents can happen at any point. Compliance, therefore, has to become continuous, tracking assets, risks and threats so reporting can be completed within the required timeframes.

Why mindset matters as much as tooling

For many MSPs, this will require a change in mindset. The article argues that continuous compliance means moving security away from a reactive model focused only on incidents and towards an approach centred on risks and potential attacks before they happen. It also points out that this enables risk assessment based on commercial impact, prioritising the risks that could cost the most.

I agree with that. Organisations are generally better placed when they can connect cybersecurity decisions to operational and financial impact. That gives teams a stronger basis for prioritisation, and it also makes the conversation easier with leadership teams who need to weigh investment, exposure, and resilience in business terms.

Where risk operations come in

This is where a risk operations approach becomes valuable. The article describes it as combining the likelihood of an attack with its financial impact to estimate the expected cost. It also highlights cyber risk quantification as a means of estimating potential impact and presenting those figures to the board to support decision-making. Just as importantly, it helps organisations quantify the risk reduction delivered by existing security controls.
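To make the likelihood-times-impact reasoning above concrete, here is a small Python model added for this piece; it is not code from the article, from Qualys or from any product. It estimates annualised loss expectancy for a loss scenario, runs a short Monte Carlo to produce a "bad year" figure, and shows how much a control reduces both. The scenario, its frequency and loss figures, and the control's effect are all constructed for the example, and the FAIR-style framing (event frequency times loss magnitude) is an assumption about how such quantification is usually done, not a description of the article's method.

```python
from __future__ import annotations

import math
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: how often it happens and how much it costs.

    events_per_year is the expected number of loss events (a Poisson rate).
    loss_median and loss_p90 calibrate a lognormal loss magnitude in GBP.
    """
    name: str
    events_per_year: float
    loss_median: float
    loss_p90: float


@dataclass(frozen=True)
class Control:
    """A control that cuts event frequency and/or magnitude by a fraction in [0, 1]."""
    name: str
    frequency_reduction: float = 0.0
    magnitude_reduction: float = 0.0


Z90 = 1.2815515655446004  # 90th percentile of the standard normal distribution


def lognormal_params(median: float, p90: float) -> tuple:
    """Turn (median, 90th percentile) into the (mu, sigma) of a lognormal."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def expected_annual_loss(scn: Scenario, ctrl: Optional[Control] = None) -> float:
    """Closed-form annualised loss expectancy: frequency x mean loss per event."""
    mu, sigma = lognormal_params(scn.loss_median, scn.loss_p90)
    freq, mean_loss = scn.events_per_year, math.exp(mu + sigma ** 2 / 2)
    if ctrl is not None:
        freq *= 1.0 - ctrl.frequency_reduction
        mean_loss *= 1.0 - ctrl.magnitude_reduction
    return freq * mean_loss


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scn, ctrl=None, years=10000, seed=7) -> list:
    """Monte Carlo: one simulated year per sample, summing a lognormal loss per event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scn.loss_median, scn.loss_p90)
    freq = scn.events_per_year * (1.0 - (ctrl.frequency_reduction if ctrl else 0.0))
    scale = 1.0 - (ctrl.magnitude_reduction if ctrl else 0.0)
    return [
        sum(rng.lognormvariate(mu, sigma) * scale for _ in range(_poisson(rng, freq)))
        for _ in range(years)
    ]


def percentile(values: list, q: float) -> float:
    """Nearest-rank percentile, q in (0, 1]."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))]


def board_summary(scn: Scenario, ctrl: Control) -> dict:
    """Figures a board can act on: expected loss, a bad-year figure, and what the control buys."""
    before, after = expected_annual_loss(scn), expected_annual_loss(scn, ctrl)
    worst_before = percentile(simulate_annual_losses(scn), 0.95)
    worst_after = percentile(simulate_annual_losses(scn, ctrl), 0.95)
    return {
        "scenario": scn.name,
        "control": ctrl.name,
        "ale_before": round(before),
        "ale_after": round(after),
        "risk_reduction_pct": round(100 * (before - after) / before, 1),
        "bad_year_p95_before": round(worst_before),
        "bad_year_p95_after": round(worst_after),
    }


# Constructed inputs for the example; hypothetical, not measured data.
RANSOMWARE_VIA_RMM = Scenario("Ransomware via unpatched RMM server", 0.5, 200_000, 1_000_000)
PATCH_SLA_PLUS_MFA = Control("7-day patch SLA and MFA on RMM", 0.6, 0.25)

if __name__ == "__main__":
    for key, value in board_summary(RANSOMWARE_VIA_RMM, PATCH_SLA_PLUS_MFA).items():
        print(f"{key:>22}: {value}")
```

The closed-form figure is what goes on the slide; the simulated 95th percentile is the number that answers "what does a bad year look like", which a single expected value hides because loss magnitudes are heavy-tailed. Calibrating from a median and a 90th percentile rather than a mean is deliberate: those are the quantities an incident responder can actually estimate from past cases.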

At Qualys, we see real value in that way of working because it helps move the conversation beyond technical detail alone. Security teams often know where weaknesses exist, but boards need a clearer understanding of the business effect. When risk is expressed in operational and financial terms, decision-making becomes more grounded and more practical.

Compliance can also become an advantage

The article makes another important point that I think deserves attention. This regulation will be a challenge for many suppliers and partners, but it should not be seen as something frightening or unreasonably expensive to support. It reinforces existing security best practices and provides companies delivering critical services with a clearer framework to follow. It will also expand the number of businesses expected to meet those rules, putting more emphasis on security as part of everyday operations.

For companies classed as RMSPs, following the rules will be essential. At the same time, there is an opportunity here. Organisations already covered by NIS and those that will fall under the Cyber Security and Resilience Bill in the future will pay closer attention to how well their suppliers follow the same standards. Compliance will increasingly influence purchasing behaviour and supplier ranking. Being open about how you support compliance and showing that you can go beyond the minimum where appropriate can be a genuine differentiator. The article is clear that strong security controls and continuous compliance will matter to customers.

What we should do next

The direction is clear. The Cyber Security and Resilience Bill will bring more organisations into scope and put greater emphasis on security processes, effective compliance management and incident reporting. For RMSPs, RDSPs and data centre operators, that means security investment will be needed, and continuous compliance will have to be put in place where it is not already established. The article also notes that this will mean a mindset change for some organisations and greater automation for others that already have compliance processes in place. It concludes that a risk operations centre approach can make it easier to track the effectiveness of controls, defend against new threats and show the wider business the value of security.

My view is straightforward. The organisations that prepare early, improve visibility, automate what matters, and connect security to business impact will be in the strongest position. The Bill raises the bar, but it also gives the market a clearer standard to work to. For providers delivering critical services, that is both a responsibility and an opportunity.

Dell Innovation - vettdd.com
