May 20, 2026

The Cyber Security and Resilience Bill: A Cyber Essentials Roadmap for MSPs and Their Clients

The Cyber Security and Resilience Bill is back in Parliament, and it creates a new regulated category called the Relevant Managed Service Provider. For MSPs, that means new obligations to your clients and to the regulator. For the businesses that rely on those MSPs, it changes the assurance position whether you asked for that or not. Cyber Essentials is the natural answer to most of what is now being asked, and it is the practical answer for both sides of the relationship.

By Jonathan Krause, Founder, Forensic Control. 20 May 2026.

What the Bill changes, in plain terms

The Cyber Security and Resilience (Network and Information Systems) Bill was reintroduced to Parliament on 14 May 2026, carried over from the previous session following the King’s Speech the day before. It is the biggest update to UK cyber security law in over a decade, and its single most consequential change for the audience reading this is the creation of a new regulated category called the Relevant Managed Service Provider, or RMSP.

An RMSP is a medium or large provider of managed IT services in the UK whose service involves ongoing management of a customer’s information technology systems by means of a connection into those systems. The Department for Science, Innovation and Technology estimates the population at 900 to 1,100 providers. Micro and small enterprises are out of scope. The Information Commissioner’s Office, which the Bill renames to the Information Commission, will be the regulator. Royal Assent is expected in the 2026-27 session, with a consultation on secondary legislation signalled for summer or autumn 2026.

The Bill remains subject to Parliamentary approval, and the detailed security measures will sit in regulations and statutory Codes of Practice rather than the primary text. What is already in motion, however, is the commercial conversation. Tenders are already asking harder questions. Renewals are already requiring a Cyber Essentials certificate. The Bill has not landed yet, but the market has.

In nine years of running Cyber Essentials assessments for UK organisations as an IASME Certification Body, we have watched the same pattern repeat: the most consequential security decisions in a small or mid-sized firm are taken by the MSP, not the client. The Bill recognises that pattern in statute for the first time.

Why MSPs need a Cyber Essentials partner now, not after Royal Assent

If you are an MSP with more than 50 staff or more than ten million pounds of annual turnover, you should be working on the assumption that you are in scope. RMSPs will be required to register with the Information Commission within three months of the relevant provisions coming into force, and the Bill introduces a two-stage incident notification regime: an initial notification within 24 hours of becoming aware of a significant incident, then a full notification within 72 hours. Crucially for client relationships, RMSPs will also be required to notify affected customers as soon as reasonably practicable after the full notification to the regulator. That customer-notification duty is the change that will reshape MSP commercial conversations most.

Cyber Essentials, and in particular Cyber Essentials Plus, is the most defensible position an MSP can take while the regulations are being drafted. The five technical controls in CE (access control, patching, secure configuration, malware protection, user access management) map almost one to one onto the practical concerns the Bill formalises. CE Plus, the hands-on technical verification tier that adds external vulnerability scanning and sample-device testing on top of the self-assessment in base CE, is the version an in-scope RMSP should be holding. The IASME-recommended scope, and the one we recommend in turn, is the whole organisation. For an MSP that means your corporate IT, your remote management platform (ConnectWise, NinjaOne, Atera, N-able, Datto, or whatever you use), your privileged access management tool, and your own Microsoft 365 or Google Workspace tenant all sit inside the same certification. Trying to carve out a tighter scope tends to create more assessor work, not less, and it leaves your clients with the worst of both worlds: a certificate that does not cover the systems they actually care about. FC’s Cyber Essentials work for MSPs is built around this whole-organisation scope.

What makes the timing matter is that CE for an MSP is not the same engagement as CE for an end-client. The scope is different, the partner economics are different, and the certification cycle has to be designed around a rolling client book rather than a single annual renewal. A Certification Body that has only worked with end-clients will treat your engagement the same way they treat a fifty-seat solicitors’ firm. That is not what you need.

The cleanest MSP-led CE engagement we have run was with an MSP supporting a portfolio of around forty SME clients, mostly in professional services. They approached us because two of their larger clients had asked, in the same quarter, what the MSP’s own CE position was. Rather than treat it as a one-off question, the MSP commissioned a single CE Plus for itself, scoped to include its RMM platform, its privileged access tooling, and its M365 tenant, and then ran a structured CE rollout across the client book on top of that. Eight months later, twelve of their forty clients had their own CE certificate, three were under contract for CE Plus, and the MSP had defensible answers to the assurance questions coming through their pipeline.

The pattern I see fail is the MSP that treats CE as a sales bolt-on rather than a technical engagement. The signal is usually the same: they tell their client “leave it with us” and then ask the assessor to make the answers fit. CE does not work that way. The assessor’s job is to verify, not to translate. Where I see an MSP pushing back on the technical content of the assessment rather than fixing the underlying control, the certification rarely sticks, and the client relationship suffers when the next renewal comes round. A good MSP-led CE engagement starts with the MSP fixing its own house first.

Why MSP clients need their own Cyber Essentials position

The RMSP measure regulates the MSP, not the MSP’s clients. That said, being a client of an in-scope MSP changes the assurance position of the client whether the client wanted it changed or not. If your MSP is in scope, you will be on the receiving end of a statutory customer-notification obligation, and your own customers and regulators will expect you to have been asking your MSP about it.

There are three questions worth putting to your MSP in writing this quarter, not because the Bill is in force, but because the answers will tell you how seriously they are taking it.

Ask whether they hold Cyber Essentials or Cyber Essentials Plus today, and on what scope. “Yes, on our head-office network” is a different answer from “yes, for the whole organisation, including the systems we use to access your environment.” The second answer is the one that matters, and it is the scope an MSP holding a properly run CE certification should be able to claim.

The right time to have this conversation is before contract renewal, not at it. Where your MSP cannot answer the three questions credibly, that is information you need before you commit to another year. It is also a strong signal that you should be holding your own Cyber Essentials certificate, scoped to the systems and data your business actually depends on, rather than relying on your MSP’s posture alone. Most of our client wins this year have come through exactly this conversation.

What a good MSP-aligned Cyber Essentials partner looks like

If you are an MSP picking a Certification Body, four things separate the partners that work from the ones that do not.

The first is in-house assessment. At Forensic Control, every assessment is conducted by our own assessors. That matters under an RMSP regime because the questions your clients will ask you about your CE position will come back to us, and we need to be able to answer them in operational detail. Our assessors have run thousands of assessments between them.

The second is partner economics designed for volume. A one-off CE engagement and a rolling MSP client-book engagement are different commercial animals. We work with MSPs on terms that reflect the latter, including pre-agreed pricing across a client book, a single relationship manager, and a renewal cadence aligned to your account-management cycle rather than to ours.

The third is technical accuracy at the assessor level. The MSP space is full of CE-adjacent advice from people who have never actually run an assessment. When something in your client’s environment is unusual, ambiguous, or sits on the edge of scope, you want the answer from the person who would assess it, not from a salesperson who would refer the question elsewhere.

The fourth, and the one MSPs tell us matters most after the first 90 days, is responsiveness. CE assessments fail commercially when the assessor disappears for a fortnight between the questionnaire and the verification call. Our standard turnaround on partner queries is one working day, and our CE Plus packages include twelve months of continuous vulnerability scanning at no extra cost. That last point matters more for MSPs than for direct end-clients, because the scanning programme gives you a recurring touchpoint with your client between formal certifications.

The two questions I wish more MSPs asked us in the first conversation are these. First, are they prepared to certify the whole organisation, rather than trying to carve out a tighter scope? IASME’s position, and ours, is that whole-company scope is the right one for almost every MSP. It is more defensible to clients, it is faster to assess once you commit to it, and it avoids the carve-out arguments that swallow weeks of engagement time on the larger jobs. MSPs sometimes arrive thinking that a narrower scope will be easier or cheaper; in practice the opposite is true, because the assessor still has to satisfy themselves that whatever is out of scope cannot reach what is in scope, and that is harder, not simpler, to evidence.

The second question is how they handle their clients’ cloud services. The dominant compliance gap I see in CE assessments now is not multi-factor authentication failures, which most organisations have largely resolved, but cloud service underreporting. Clients declare three SaaS platforms in the assessment and we find seven on the network. An MSP partner who has internalised that pattern, and who can help us get to a complete picture quickly, is twice as fast to certify across a client book as one who has not.

The strongest MSP partners we have onboarded this year share three habits in the first 90 days. They appoint a single named technical lead on their side, not a rotating cast. They give us read-access to a representative sample client environment before the first certification, so we can flag scope ambiguities once rather than fifteen times. And they treat the first three certifications as learning engagements, not as commercial milestones. The MSPs that try to monetise the relationship from week one are also the ones who need the most remediation work in month three. The ones who treat the first quarter as a calibration exercise are the ones still with us in year two.

Where to start this week

For MSPs, the first action is a 60-minute internal gap analysis against the IASME v3.3 question set, scoped to the systems through which you access client environments. Aim to know by the end of the hour which controls would pass an external assessment today and which would not. The second is pulling the contracts of your top ten clients by revenue and checking whether any of them already contain a security-incident notification clause; where your contractual clock differs from the statutory clock, that is a problem worth surfacing before an incident, not during one. The third is picking a Certification Body partner before the DSIT consultation closes.

For end-clients of MSPs, the first action is the three-question conversation above. The second is establishing your own CE position on the scope that matters to your business, rather than waiting to inherit one from your MSP.

In either case, we are happy to have the conversation. We are talking to MSPs now about partnership terms for the RMSP regime, and to end-clients of MSPs about how to get to a defensible CE position before their next contract renewal.

Frequently asked questions

What is a Relevant Managed Service Provider (RMSP) under the Cyber Security and Resilience Bill?

An RMSP is a medium or large provider of managed IT services in the UK whose service involves ongoing management of a customer’s information technology systems through a connection into those systems. Examples given in the GOV.UK factsheets include remote IT support, helpdesks, application management, infrastructure management, security operations centres, and managed security information and event management. The Department for Science, Innovation and Technology estimates 900 to 1,100 providers will fall in scope. Micro and small enterprises are excluded. The category is created by the Cyber Security and Resilience (Network and Information Systems) Bill, which is currently progressing through Parliament with Royal Assent expected in the 2026-27 session.

When will the Cyber Security and Resilience Bill become law?

The Bill was introduced to the House of Commons on 12 November 2025, had its second reading on 6 January 2026, and was reintroduced at Report Stage as Bill 002 of the 2026-27 session on 14 May 2026 after being carried over from the previous session. Royal Assent is expected within the 2026-27 parliamentary session. Most of the substantive obligations, including the RMSP regime, will then require secondary legislation; the Department for Science, Innovation and Technology has signalled a consultation on implementation in summer or autumn 2026. RMSPs will be given three months from commencement to register with the Information Commission.

What are the incident reporting timelines for RMSPs?

The Bill introduces a two-stage incident notification regime for RMSPs and other in-scope entities. An initial notification must reach the Information Commission within 24 hours of becoming aware that a significant incident has occurred or is occurring, containing the entity’s name, the affected service, and brief incident details. A full notification with more detailed information about the nature and impact of the incident must follow within 72 hours. RMSPs are also required to notify affected customers as soon as reasonably practicable after the full notification, which is a new statutory obligation not present in the existing Network and Information Systems Regulations 2018.

Does an MSP need Cyber Essentials to be compliant with the RMSP regime?

Cyber Essentials (CE) is not formally specified as a route to RMSP compliance in the current draft of the Bill, and the secondary legislation that will define the detailed security measures has not yet been consulted on. That said, CE and Cyber Essentials Plus cover the five technical control areas (access control, patching, secure configuration, malware protection, user access management) that map directly onto the practical security expectations the Bill creates. Holding CE Plus, scoped to the whole organisation rather than carved out to a narrower part of the estate, is the most defensible position an MSP can take while the regulations are being drafted, and it is the position most likely to be acceptable as evidence to clients asking assurance questions now.

If I am an end-client of an MSP, am I in scope of the Bill myself?

The RMSP measure regulates the MSP, not the MSP’s clients. Being a client of an RMSP does not, in itself, bring an organisation into the regulated population under this measure. However, end-clients may already be in scope under other parts of the Network and Information Systems Regulations 2018 (for example as operators of essential services in energy, transport, health, water, or digital infrastructure), and the Bill expands and updates those existing categories. The Bill also introduces a separate “critical supplier” designation regime under which suppliers to in-scope entities can be brought into scope by the regulator regardless of their own size. End-clients should expect to be asked harder assurance questions by their own customers and regulators, even where they are not themselves directly regulated.

How does the RMSP regime relate to the EU’s NIS2?

The Bill amends the UK’s Network and Information Systems Regulations 2018, which were the UK’s implementation of the EU’s original NIS Directive. The EU has since replaced that with NIS2, which took a different structural approach by introducing new categories of regulated entity and expanding scope wholesale. The UK approach is closer to an amendment of the existing framework than a replacement. The government has been clear that the policy intent is to bring UK cyber regulation into closer alignment with NIS2 on substance (supply chain duties, faster incident reporting, broader scope), without copying NIS2’s terminology. For UK MSPs servicing EU clients, the practical effect is that compliance with the UK RMSP regime should provide a substantial overlap with NIS2 obligations, though the two regimes will require separate compliance work in detail.
