The Cyber Resilience Bill's Lords Second Reading: What Was Said About MSPs | Assurix

A peer asked the government directly about MSP supply chain accountability during the Bill's Lords second reading. Here is what was said and what it means for MSPs.

This week the Cyber Security and Resilience Bill had its second reading in the House of Lords. It's the UK's first law with "cyber security" in the title, and it puts managed service providers squarely in the frame.

If you run an MSP, this is the moment the ground under MSP assurance starts to move. Here's what the Bill does, what was actually said in the chamber, and what it means for how you prove your security from here.

What the Bill actually does

The Bill amends the Network and Information Systems Regulations 2018. Its stated purpose is to "make provision about the security and resilience of network and IT systems used or relied on in connection with the carrying on of essential activities."

In plain terms, it widens the net. Critical infrastructure and the providers who sit inside those supply chains come under a tighter set of security and resilience obligations. Managed service providers are named directly.

That last point is the one to sit with. For years MSPs have been the connective tissue of the UK economy without being formally recognised in the security rules that govern it. This Bill changes that. It treats MSPs as part of the critical supply chain, because that is exactly what they are. When an MSP is compromised, every client behind it is exposed. Attackers worked that out a long time ago.

Opening the debate, the Minister made the stakes clear: the UK is now the most targeted country in Europe for cyber attacks. The Bill is the government's attempt to bring the rules governing critical systems in line with how attackers actually operate today.

It also gives the rules more teeth. The Bill points toward stronger incident reporting duties and a wider set of organisations that have to answer for how they secure the systems others depend on. The detail will be argued over in committee. The intent is not subtle: if you sit in a critical supply chain, you'll be expected to show your security stands up.

"The UK is now the most targeted country in Europe for cyber attacks."

Minister, opening the second reading

The MSP question, raised on the floor of the Lords

The line that matters most for our world came from Lord Holmes. One of his key questions to the Minister was this:

"How will the Government ensure that responsibilities across complex digital supply chains are clearly understood, particularly for managed service providers and their clients?"

Sit with that as an MSP owner. A member of the House of Lords is asking the government to make MSP responsibilities inside client supply chains explicit and enforceable.

He pushed further on the shape of the requirements, asking the government to ensure the new obligations are "outcome-focused, measurable and operationally realistic," and that reporting is "clear, practical, proportionate and sector-specific."

That phrase, operationally realistic, matters for smaller MSPs especially. Nobody wants a regime only the biggest providers can afford to satisfy. Lord Holmes was asking for rules a 20-person MSP can actually meet and evidence, without a full compliance team to run it.

That's a precise description of the gap most MSPs are carrying right now. The certifications on the wall describe work done once. The direction Lord Holmes is pointing in is work you can evidence when you're asked, tied to outcomes, in a form a regulator or an insurer would accept.

Where this leaves MSPs

Most MSPs hold the certifications. Cyber Essentials Plus, ISO 27001, IASME. They show work done at a point in time.

The direction the Bill points in is different: outcome-focused and measurable, proof that a control is operating rather than passed once. Follow that through and you land on continuous evidence. The question shifts from "can you show a certificate" to "can you evidence the control was holding on the day it mattered."

That's a harder question to answer, because a certificate earned in March says nothing about whether the control still held in September. Regulators, insurers and increasingly clients are starting to ask for proof that lives in the present tense.

You can see it already at insurance renewal. The questionnaires are getting longer and the questions sharper, moving from "do you hold this certificate" to "show us this control was active last quarter." The MSPs that answer quickly win the better terms. The ones that scramble for evidence look like a risk.

Point-in-time proof

  • A certificate dated once a year
  • Evidence gathered for the audit, then filed away
  • Says nothing about the other 364 days
  • Slow to reproduce when a client or insurer asks
  • Describes work done, not a control holding now

Continuous, outcome-based proof

  • Controls checked continuously, not once
  • Evidence you can produce on demand
  • A current picture, not a historical one
  • Mapped to defined outcomes, not activity
  • Answers "is it holding today", not "was it holding in March"

Three things worth doing now

Before the Bill becomes statute, three moves worth making.

Three things worth doing now

Not sure which of those you'd pass today? The Proof Gap Scorecard takes about 5 minutes and shows you.

Take the free Proof Gap Scorecard

Proof, not promises

Assurix is a live, independently verified trustmark for UK MSPs. All 64 controls have to pass, mapped to the NCSC Cyber Assessment Framework v4, audited annually with continuous monitoring between audits. If a control fails, there's a 30-day window to fix it before the trustmark is suspended.

That lines up with what Lord Holmes pressed for in the Lords: security that's outcome-focused and measurable, proof that a control is operating rather than a claim made once a year. Continuous evidence is our answer to that.

The Bill will change over the coming months, and it's only part of what the market needs. But the direction is set. MSP security is moving from promises to proof, and the providers who get ahead of it will be the ones still standing when it lands.

See where your MSP stands. The Proof Gap Scorecard takes about 5 minutes. It shows where your MSP stands against the Assurix standard, your single biggest exposure, and a ranked list of what to fix first.

Take the free Proof Gap Scorecard

Related reading