Policy paper

Relevant managed service providers

Published 12 November 2025

What are we going to do?

We will bring medium and large managed service providers (MSPs) who meet the definition of a ‘relevant managed service provider’ (RMSP) into the scope of the Network and Information Systems (NIS) Regulations 2018. RMSPs will be required to have appropriate and proportionate measures in place to manage risks posed to them and report significant incidents to their regulator. The Information Commission (IC) (formerly the Information Commissioner’s Office, or ICO) will act as the regulator, providing oversight, support and enforcement.

Why are we going to do it?

The increasing growth of the digital economy and evolution of technologies means that businesses are more connected than ever before. This brings significant opportunities for economic growth but also exposes vulnerabilities which cyber criminals seek to exploit.

MSPs play a critical role in the UK economy by offering ongoing contracted IT services to businesses, and they often have unprecedented access to clients’ IT systems, including their networks, infrastructure, and data. MSPs’ widespread and trusted access to their clients’ networks has made them an increasingly attractive target for cyber attacks, which can lead to a “one to many” impact. This can cause huge financial losses and breaches of data for businesses of all sizes and across any sector of the economy.

Case study

A large-scale cyber attack targeting MSPs, known as Operation Cloud Hopper, compromised multiple MSPs, gaining unprecedented access to intellectual property and sensitive data belonging both to the MSPs themselves and to their global client base. More recently, in May 2024, an incident involving an MSP enabled hackers to target the Ministry of Defence’s (MOD) payroll. Through the attack, hackers compromised the network, putting the personal data of around 270,000 serving military personnel, reservists and veterans at high risk of being taken by a malicious attacker.

While there has been an increase in cyber attacks that use MSPs as an attack vector, the cyber security and resilience of managed services is not currently regulated in the UK. Under the Cyber Security and Resilience (Network and Information Systems) Bill, MSPs who meet the definition of a ‘relevant managed service provider’ will be required to apply security measures to secure the networks and information systems that the managed service relies on, including any data being stored or processed on those systems, enhancing their ability to defend against attacks.

How are we going to do it?

Bringing medium and large MSPs into scope of the NIS Regulations (the ‘RMSP measure’) is one component of the government’s drive to expand the remit of the regulations to protect more of the vital services on which UK businesses and the public rely.

This bill will set out a definition of an RMSP in legislation and will enable direct regulation of RMSPs that meet that definition.

An RMSP will be defined as a person who provides managed services in the UK (whether or not the person is established in the UK) and is not a small and micro enterprise. Entities subject to public authority oversight and deriving less than half their income from activities of a commercial nature are also exempted from being RMSPs.

“Managed services” will be defined as:

  • A service which is provided by a person under a contract entered into with another person (i.e. the customer) for the provision of ongoing management of information technology systems for the customer.
  • This ongoing management may be in the form of support and maintenance, monitoring, active administration or other activities.
  • The ongoing management service provided under the contract is provided to the customer by a person (or a person acting on their behalf) connecting to or otherwise obtaining access to network and information systems relied on by the customer in connection with a business or other activity carried on by the customer.
  • It does not matter whether the connection or access to the network and information systems in question is established or obtained on the customer’s premises or remotely. 
  • A person does not provide a managed service by virtue of providing a data centre service as defined by the bill, or by virtue of providing a public electronic communications network or a public electronic communications service as defined by the Communications Act 2003.

A managed service can include services such as IT outsourcing (for example, IT remote support or helpdesks, management of applications such as email, and IT infrastructure management) and managed security services, such as a security operations centre or security information and event management.

Providers of operational technology will not be in scope of the RMSP measure. However, operational technology is already captured under the NIS Regulations more generally if it forms part of the network and information system that regulated entities rely on to provide their services.

RMSPs will be regulated by the Information Commission and will be required to comply with cyber security duties:

  • Register with the Information Commission and provide the regulated entity’s name, contact information and address for the service of documents. Additional categories may be added via secondary legislation. 
  • Appoint a UK representative if the RMSP is based overseas.
  • Notify the Information Commission of significant incidents (see the incident reporting factsheet).
  • Identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems that it relies on to provide a managed service in the UK, and in doing so:
    • ensure that the level of security applied to the network and information system is proportionate to the level of the risk posed (having regard to the state of the art, which could include, for example, the types of measures available, and the tools and techniques aggressors may use), and
    • take measures to prevent and minimise the impact of incidents affecting the network and information systems that the managed services rely on.
  • Further technical information to support RMSPs in complying with the regulations will be provided through secondary regulations.

While small and micro enterprise MSPs will be exempt from this measure, small and micro enterprise MSPs can be designated as critical suppliers, provided that they meet the conditions for designation (see the Designated Critical Suppliers Factsheet for more information).

Hypothetical case study

Examples: Entities in scope of the RMSP measure

For the purposes of these examples, we assume that the MSPs described meet the definition of an RMSP, are not a small or micro enterprise, and are not subject to public authority oversight.

  • An IT company contractually responsible for the management of a business customer’s IT systems, including the customer’s applications, networks and infrastructure, via a connection to their customer’s systems, would be in scope as an RMSP. This could include activities such as backing up customer data, monitoring the customer’s IT systems for security or device health, and managing routers, switches, firewalls, and other equipment to ensure security, performance and reliability on behalf of the customer.
  • An IT security company providing cyber security services to a UK business customer, such as ongoing firewall management, intrusion detection, and incident response services, through a connection to the customer’s systems, would be in scope as an RMSP.
  • An IT company remotely managing IT systems used to monitor operational technology, on behalf of their business customer, would be in scope as an RMSP.
  • An IT company which remotely manages a business customer’s IT systems to support one or more of the customer’s business processes, and has a connection to those IT systems, would be in scope as an RMSP.
  • An IT company which provides ongoing management of a cloud service for a UK business customer, including services such as configuration, maintenance, event monitoring and performance optimisation of that cloud service, would be in scope as an RMSP.

Other examples: Entities out of scope of the RMSP measure

  • An industrial automation company providing operational technology with no additional IT management, such as a scanner in airports, sensors used in gas/electricity networks, or industrial control systems, would not be in scope as an RMSP for that service. This would include where these may be being maintained or updated (for example, via patching) by the industrial automation company.
  • A consultancy firm which provides business consultancy services, such as tax, accountancy, or legal services, via email, phone or in-person meetings would not be considered to have a connection to the customer or provide ongoing management of IT systems and would not be in scope as an RMSP for that service.
  • A company which installs and/or integrates information systems, but with no management of those systems or networks following the installation, would not be considered to meet the definition of “ongoing management” and would not be in scope as an RMSP for that service.
  • A software company selling software as a product to UK business customers would not meet the definition of “ongoing management” and would not be in scope as an RMSP for that service. This includes where they may provide ad-hoc patch updates remotely.

Implementation

This measure will be brought into force through secondary legislation following Royal Assent.

This is because it relies on additional technical detail to be operational, detail that is not appropriate for primary legislation. These details will be introduced via secondary legislation before this measure is brought into force.

This approach will also allow time to consult on the details of this measure and coordinate an effective and sequenced approach to commencement and implementation, giving regulators and RMSPs time to adjust and prepare.

Additional technical details to be set out in secondary legislation, and introduced in Parliament at the same time as commencement, include:

  • Additional security and resilience requirements to provide further details on what constitutes the appropriate and proportionate measures an RMSP should take to manage the risks posed to the networks and information systems upon which their managed service relies.

  • Thresholds at which an incident will be considered to have had a significant impact, making it reportable to the Information Commission.

Once the regulations are commenced, an RMSP will have three months to register with the Information Commission. RMSPs will be expected to undertake measures to comply with the relevant security and incident reporting duties from when the relevant provisions come into force.