Cyber Essentials for MSPs: Why Certification Is About to Become Non-Negotiable
Managed service providers sit at the centre of the UK's digital supply chain. A single MSP typically holds privileged access to dozens - sometimes hundreds - of client environments, making them one of the highest-value targets in the threat landscape. The UK government has noticed, and the regulatory response is now moving from guidance to statute.
This article sets out what is changing, why it matters, and what MSPs should do about it today.
The Cyber Security and Resilience Bill: MSPs in Scope for the First Time
The Cyber Security and Resilience Bill, introduced to the House of Commons on 12 November 2025, brings managed service providers into direct regulatory scope for the first time in UK law. The Bill defines "relevant managed service providers" as companies that provide ongoing IT support and management to other businesses by connecting to their computer systems.
Under the Bill, MSPs that meet the size threshold (medium and large businesses - small and micro businesses are excluded) will be required to:
- Apply appropriate technical and organisational measures to secure the networks and information systems on which their managed services rely
- Report significant cyber incidents to the Information Commissioner within 24 hours, with a full report within 72 hours
- Demonstrate control over privileged access to client environments
- Maintain documented risk management processes
The government estimates that between 900 and 1,100 MSPs in the UK will fall directly under the new regulations. The Information Commissioner's Office will serve as the competent authority overseeing MSP compliance.
Why MSPs Are Being Singled Out
The government's rationale is straightforward. MSPs operate as a "one-to-many" attack vector. A single breach at an MSP can cascade across every client environment that MSP manages. The Bill's explanatory notes reference the growing pattern of threat actors deliberately targeting MSPs to gain access to their downstream customers.
This is not theoretical. The Kaseya VSA attack in July 2021 exploited a vulnerability in a single remote monitoring and management product used by dozens of MSPs, and through those MSPs reached roughly 1,500 downstream businesses. The SolarWinds breach in 2020 demonstrated how deeply embedded supply chain attacks can penetrate even the most security-conscious organisations.
The UK government's position is clear: MSPs are critical digital infrastructure providers, and they need to be regulated as such.
Our Prediction: Cyber Essentials Will Become Mandatory for MSPs
Here is where we are going to put a stake in the ground.
The Cyber Security and Resilience Bill requires MSPs to implement "appropriate technical and organisational measures" to secure their networks and information systems. The Bill does not specify exactly what those measures must be - that detail will come through secondary legislation and regulatory guidance from the ICO.
But consider the pattern. When the UK government needed a minimum standard for its own supply chain, it created Cyber Essentials and made it mandatory for government contracts handling sensitive data under PPN 014. When the Legal Aid Agency needed to secure its criminal legal aid supply chain, it mandated Cyber Essentials for all contract holders from October 2025. When St. James's Place needed to secure its network of 2,800 partner firms, it mandated Cyber Essentials Plus.
Every time the UK government or a major institution has needed to define "appropriate" cyber security measures for a supply chain, the answer has been Cyber Essentials.
We believe it is a matter of when, not if, the ICO adopts Cyber Essentials as the minimum benchmark for MSP compliance under the Cyber Security and Resilience Bill. The scheme's five technical control themes - firewalls, secure configuration, access control, malware protection, and security update management - already cover the kinds of "technical and organisational measures" the Bill is written to enforce, and the Bill itself specifies no competing baseline.
MSPs that wait for the secondary legislation to confirm this will find themselves scrambling. MSPs that certify now will be ahead of the curve.
What Cyber Essentials Covers - and Why It Maps to the Bill
Cyber Essentials addresses five technical control themes:
Firewalls and internet gateways - boundary protection between your internal network and the internet. For MSPs, this includes the boundaries between your management infrastructure and client environments.
Secure configuration - removing unnecessary software, changing default passwords, and configuring systems to reduce their attack surface. For MSPs managing multiple client tenants, this means hardened configurations across your RMM, PSA, and remote access tooling.
User access control - restricting user accounts to the minimum privileges needed. For MSPs, this is directly relevant to the Bill's focus on privileged access management. Your technicians' access to client environments needs to be controlled, logged, and reviewed.
Malware protection - anti-malware software, application allow-listing, or sandboxing. For MSPs, this applies both to your own infrastructure and to the tools you deploy across client estates.
Security update management - applying vendor fixes within 14 days of release for vulnerabilities rated critical or high (a CVSS v3 base score of 7.0 or above, or a vendor rating of critical or high), and running only supported, licensed software. For MSPs, this includes patching your own RMM, PSA and remote access tooling, not only the client endpoints you manage through them.
Cyber Essentials Plus adds an independent technical audit that verifies these controls through hands-on testing. For MSPs, Plus provides external validation that your security posture is genuine rather than self-assessed.
The Commercial Reality
Beyond regulation, the commercial pressure on MSPs to hold Cyber Essentials is already building:
Client expectations are shifting. Enterprise clients and public sector organisations increasingly require their MSP to hold Cyber Essentials or Plus as a procurement condition. If you cannot produce a valid certificate, you lose the bid.
Insurance premiums reflect certification status. Cyber insurance underwriters are tightening their requirements, and Cyber Essentials certification is increasingly a condition of coverage or a factor in premium calculation.
Competitive differentiation is narrowing. As more MSPs certify, those without certification stand out for the wrong reasons. Certification is shifting from a differentiator to a standard expectation.
Liability exposure is increasing. When the Cyber Security and Resilience Bill passes, MSPs will have a statutory duty to secure their services. Failure to do so creates direct regulatory liability. Holding Cyber Essentials provides a documented, verifiable foundation of compliance.
The v3.3 Update: What MSPs Need to Know
Cyber Essentials v3.3 takes effect on 28 April 2026. The key changes relevant to MSPs include:
Mandatory multi-factor authentication - MFA is now required for all cloud services and all administrator accounts. For MSPs, this means MFA on your RMM platform, PSA system, Microsoft 365 tenant, and every other cloud service your team uses. No exceptions.
Expanded device scope - all devices that access organisational data or services are in scope, including BYOD. If your technicians use personal devices to access client environments, those devices must meet Cyber Essentials requirements.
Enhanced access control - stricter requirements around account separation and privilege management. MSPs must demonstrate that individual technician accounts have appropriate access levels and that shared or generic accounts are eliminated.
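As an added illustration, not Fig's readiness tool and not IASME's assessment question set, the script below applies simplified versions of the rules discussed above (MFA on cloud and administrator accounts, no shared or generic accounts, BYOD in scope when it touches client environments, and critical/high fixes applied within 14 days of release) to a small inventory. The inventory records, field names, vulnerability labels and the exact thresholds are constructed assumptions for the example; the real assessment is the self-assessment questionnaire and, for Plus, the on-site or remote audit.

```python
"""Pre-assessment check against simplified Cyber Essentials rules.

Added example with a constructed inventory. Record fields and rule thresholds
are assumptions for illustration; they are not the scheme's question set.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14      # fixes for critical/high vulnerabilities within 14 days
CRITICAL_HIGH_CVSS = 7.0    # CVSS v3 base score treated as critical/high


@dataclass(frozen=True)
class Account:
    name: str
    service: str            # e.g. "rmm", "psa", "m365"
    cloud: bool             # cloud service: MFA expected for every user
    admin: bool             # administrator: MFA expected everywhere
    mfa: bool
    owner: Optional[str]    # None marks a shared/generic account


@dataclass(frozen=True)
class Device:
    hostname: str
    byod: bool
    touches_org_data: bool  # accesses organisational data or client environments
    supported_os: bool
    managed: bool           # enrolled so the controls can actually be enforced


@dataclass(frozen=True)
class Vulnerability:
    label: str              # constructed label, not a real CVE
    asset: str
    cvss: float
    released: date          # date the vendor fix was released
    patched: Optional[date] # None = still unpatched


def audit_accounts(accounts):
    """User access control: named accounts, MFA on cloud and admin accounts."""
    findings = []
    for a in accounts:
        if a.owner is None:
            findings.append(f"shared account '{a.name}' on {a.service}: assign to a named person or remove")
        if (a.cloud or a.admin) and not a.mfa:
            kind = "admin" if a.admin else "cloud"
            findings.append(f"{kind} account '{a.name}' on {a.service}: MFA not enforced")
    return findings


def audit_devices(devices):
    """Device scope: anything that reaches organisational data is in scope, BYOD included."""
    findings = []
    for d in devices:
        if not d.touches_org_data:
            continue  # out of scope, nothing to check
        if not d.supported_os:
            findings.append(f"{d.hostname}: unsupported OS on an in-scope device")
        if d.byod and not d.managed:
            findings.append(f"{d.hostname}: personal device reaches client environments but is unmanaged")
    return findings


def audit_patches(vulns, today):
    """Security update management: critical/high fixes applied within the 14-day window."""
    findings = []
    for v in vulns:
        if v.cvss < CRITICAL_HIGH_CVSS:
            continue  # below the threshold the scheme's 14-day rule applies to
        age = ((v.patched or today) - v.released).days
        if age > PATCH_WINDOW_DAYS:
            status = "still unpatched" if v.patched is None else f"patched after {age} days"
            findings.append(f"{v.label} on {v.asset} (CVSS {v.cvss}): {status}, window is {PATCH_WINDOW_DAYS} days")
    return findings


def run_readiness_check(accounts, devices, vulns, today):
    """Group findings by the control theme they belong to."""
    return {
        "user_access_control": audit_accounts(accounts),
        "device_scope": audit_devices(devices),
        "security_update_management": audit_patches(vulns, today),
    }


# Constructed sample inventory (not real systems or real vulnerabilities).
SAMPLE_ACCOUNTS = [
    Account("alice.admin", "rmm", cloud=True, admin=True, mfa=True, owner="alice"),
    Account("helpdesk-shared", "psa", cloud=True, admin=False, mfa=True, owner=None),
    Account("bob", "m365", cloud=True, admin=False, mfa=False, owner="bob"),
    Account("svc-backup", "onprem-backup", cloud=False, admin=True, mfa=False, owner="ops"),
]
SAMPLE_DEVICES = [
    Device("tech-laptop-01", byod=False, touches_org_data=True, supported_os=True, managed=True),
    Device("carol-personal-phone", byod=True, touches_org_data=True, supported_os=True, managed=False),
    Device("lab-box", byod=False, touches_org_data=False, supported_os=False, managed=False),
]
SAMPLE_VULNS = [
    Vulnerability("vuln-a", "rmm-server", 9.8, date(2026, 3, 1), date(2026, 3, 10)),
    Vulnerability("vuln-b", "psa-server", 8.1, date(2026, 3, 1), None),
    Vulnerability("vuln-c", "tech-laptop-01", 5.3, date(2026, 2, 1), None),
]
TODAY = date(2026, 4, 1)

if __name__ == "__main__":
    for theme, items in run_readiness_check(SAMPLE_ACCOUNTS, SAMPLE_DEVICES, SAMPLE_VULNS, TODAY).items():
        print(f"{theme}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Feed it an export from your RMM, PSA and identity provider and the findings list is a first cut of the gap list for step 2 of the process below; it does not replace the questionnaire, but it tells you where the answers will be "no" before you submit them.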
Getting Certified: The Process
For MSPs, we recommend the following approach:
1. Run the readiness check - Use Fig's free readiness tool to assess your current position against the five controls
2. Address any gaps - The most common MSP gaps are around MFA enforcement on internal tools, documentation of access control policies, and patch management for management infrastructure
3. Certify to Cyber Essentials first - This can be completed same-day through Fig if you purchase before 12:00 midday
4. Progress to Plus - Once Cyber Essentials is in place, schedule the Plus audit. This takes 1-3 working days and provides the external validation that enterprise clients and insurers value
The Bottom Line
The regulatory direction is unmistakable. MSPs are being recognised as critical infrastructure providers, and the compliance obligations that come with that recognition are arriving. Cyber Essentials is the floor, not the ceiling - but it is a floor that every MSP needs to have in place.
The MSPs that act now will have their certification, their processes, and their documentation in place before the Bill receives Royal Assent. The MSPs that wait will be competing for assessment slots alongside every other provider trying to certify at the last minute.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.