Managed Service Providers (MSPs) are third-party businesses that remotely manage IT systems whose services typically include network and infrastructure management, security and monitoring. Reliance on MSPs has increased substantially, with more and more small to medium sized businesses relying on these organisations to ‘keep them safe’.

They are however an attractive target for cyber-attacks as they often have wide access to client systems.

In recognition of an increase in attacks aimed at MSPs the government have recently announced its intention to bring MSPs into the scope of the Network and Information Systems (NIS) Regulations. This means that MSPs will now find themselves subject to the same rules as digital service providers; including mandatory cyber security measures and reporting obligations.

What is an MSP for the purpose of the regulation?

The proposed definition of managed services is broad, with services needing to meet all of the following characteristics:

  1. The managed service is provided by one business to another business (i.e. a third party); and
  2. The service is related to the provision of IT services, such as systems, infrastructure, networks and/or security; and,
  3. The service relies on the use of network and information systems, whether this is the network and information systems of the provider, their customers or third parties; and
  4. The service provides regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT network, and/or the security thereof.

When these proposals come into effect, the Information Commissioner will set out further detailed guidance on the characteristics of managed service providers, as they have with other digital service providers in scope of the NIS Regulations.

The proposed characteristics are quite broad, are there any examples of MSPs?

The following illustrative examples of “managed IT services’’ have been provided by government to demonstrate which services it intends to capture through the new regulation

  • IT outsourcing services (ITO);
  • Private wide area network (WAN) managed services;
  • Private local area network (LAN) managed services;
  • Service integration and management (SIAM);
  • Application modernisation;
  • Application management;
  • Managed security operations centre (SOC);
  • Security monitoring (SIEM);
  • Incident response;
  • Threat and vulnerability management (TVM).

Will the NIS small and micro-business exemption apply to MSPs?

The NIS Regulations currently offers small businesses (turnover under £ 10 million and fewer than 50 people) or micro-businesses (turnover under £2million and fewer than 10 people) which would otherwise fall within scope fo the Regulation an exemption compliance. The government intends to largely maintain the exemption for small and micro businesses, but will provide the Information Commissioner with the power to designate specific small or micro digital service providers within its scope, if they are deemed systemically critical to the UK’s critical services or national security.

What do we need to do if we fall within scope?

Firstly, be aware that change is on the horizon with formal enactments expected fairly soon.

The NIS Regulations will create additional obligations for your business and you will be required to take appropriate and proportionate technical and organisational measures to manage the risks to your systems. These measures must ensure a level of security appropriate to the risk posed. NIS has specific obligations for these measures and should cover the security of your systems and facilities; incident handling; business continuity management; monitoring, auditing and testing; and compliance with international standards. More detail on the requirements under NIS can be found here: Security requirements | ICO.

Who enforces the NIS Regulations and what are the fines?

The NIS Regulations are enforced by the Information Commissioner’s Office, the same body that enforces compliance with the UK GDPR and the Data Protection Act 2018. Where an enforcement notice from the ICO has not been complied with, they may issue a fine (subject to proportionality and appropriateness requirements) of up to £17million in the most extreme circumstances.