NIS2 for UK MSPs: Does It Apply to You? | Assurix
NIS2 names MSPs directly. A UK based MSP isn't automatically bound, but can fall in scope through EU clients. Plain-English guide to who it catches.
NIS2 is an EU directive on cybersecurity that took effect with a transposition deadline of 17 October 2024. It names managed service providers and managed security service providers directly. A UK based MSP is not automatically bound by NIS2, but it can fall in scope if it provides services to entities operating in EU member states. The UK has its own parallel route, the Cyber Security and Resilience Bill, which is moving in the same direction.
This page explains NIS2 in plain English, who it actually catches, how it differs from the UK regime, and how to prepare without over-engineering it.
What is NIS2 in plain English?
NIS2 is the second version of the EU Network and Information Security Directive. It widens the original 2016 rules to cover more sectors and, for the first time, names IT managed services and managed security services as in scope. It splits organisations into two tiers, essential entities and important entities, with heavier supervision for essential ones. The core demand is risk-based security management, incident reporting within tight deadlines, and management accountability.
The sectors it covers are wide. Essential entities include energy, transport, banking, health, water and digital infrastructure. Important entities include postal services, waste management, chemicals, food, manufacturing of certain products, and digital providers. The reason MSPs care is that managed service providers and managed security service providers are listed in their own right, and almost every MSP also sells into one or more of those sectors, so the obligation arrives from both directions.
Does NIS2 apply to a UK based MSP?
It depends on where your clients operate, not only where you are registered. Three rough cases:
- You serve only UK clients with no EU operations: NIS2 does not bind you directly, but UK regulation is heading the same way and clients may ask about it anyway.
- You serve clients that operate in one or more EU member states: those clients are likely in scope and will push NIS2-style requirements down to you as their provider through contracts and supplier assessments.
- You provide managed or security services into the EU directly: you may be in scope as a provider in your own right under the member state's implementing law.
The practical point: even when NIS2 does not bind you on paper, it reaches you through your clients' supply chain obligations.
How is NIS2 different from the UK Cyber Security and Resilience Bill?
The UK left the EU NIS regime and is building its own. The Cyber Security and Resilience Bill, announced in 2024, is expected to bring managed service providers under formal oversight in the UK, aligned in spirit with NIS2 though not identical in detail. The direction for UK MSPs is clear even while the exact text is still moving.
| NIS2 (EU) | UK Cyber Security and Resilience Bill | Cyber Essentials Plus | |
|---|---|---|---|
| Type | Directive, member-state law | Primary legislation, in progress | Technical certification |
| Covers MSPs? | Yes, named directly | Expected to, yes | The MSP's own infrastructure |
| Scope | Risk management, reporting, accountability | Expected similar direction | Narrow technical baseline |
| Status for UK MSP | Via EU-operating clients | Watch closely, prepare now | Available today |
What does NIS2 actually require?
Stripped of the legal language, the obligations land in four areas.
- Risk management: documented, proportionate security measures covering policies, access control, encryption, supply chain and continuity.
- Incident reporting: an early warning within 24 hours of becoming aware of a significant incident, a fuller report within 72 hours, and a final report within a month.
- Supply chain security: organisations must assess and manage the security of their providers, which is the line that pulls MSPs in.
- Management accountability: senior leaders can be held personally responsible for failures, so this is not only an IT problem.
Which MSP sizes are most exposed to NIS2?
Exposure tracks your client base, not your headcount. A 12-person MSP with three manufacturing clients that ship into Germany carries more NIS2 exposure than a 60-person MSP serving only UK retail. Size affects how much capacity you have to respond, not whether the obligation reaches you. Map by client footprint first, then worry about resourcing.
What evidence will EU-operating clients ask you for?
In-scope clients have to assess and manage the security of their providers, so they push that obligation down to you. Expect requests for:
- A documented information security policy, owned and dated.
- Evidence of access control and enforced MFA across your estate.
- An incident response plan with reporting timelines that match the 24-hour and 72-hour rule.
- Backup and continuity testing results, not just a policy saying you have them.
- A named accountable owner, because management responsibility is part of the regime.
The MSPs that lose these accounts are the ones who treat each request as a fire drill. The ones that keep them have the evidence ready before the assessment lands.
What do UK MSPs most often get wrong about NIS2?
- Assuming that because the UK left the EU, NIS2 cannot reach them at all.
- Treating it as only an EU client's problem and not a supplier obligation that flows down a contract.
- Waiting for the final UK Bill text before doing anything, when the underlying controls are the same either way.
- Treating it as a documentation exercise when the demands are operational and time-bound.
WHAT TO DO THIS WEEK
List every client that has staff, offices or customers in the EU. That list is your NIS2 exposure. Everything else is preparation you should be doing for UK regulation anyway.
PROOF GAP SCORECARD
See how ready you are for the direction UK and EU regulation is heading. The Proof Gap Scorecard takes about 3 minutes and scores how well you can evidence your controls today.
Take the Proof Gap ScorecardNIS2 will not catch every UK MSP directly, but the question it represents will reach all of them through clients and UK law. Know your exposure, get the underlying controls current and continuously evidenced, and track readiness in one place. That is what Assurix is for.