A new cyber law will regulate IT providers for the first time. If you outsource your IT, this is about you too.
Compliance & Data

A new cyber law will regulate IT providers for the first time. If you outsource your IT, this is about you too.

The Cyber Security and Resilience Bill reached the House of Lords on 14 July. For the first time it pulls managed IT providers into cyber regulation, aiming to close a supply-chain gap.

14 July 20264 min read

The government's Cyber Security and Resilience Bill had its second reading in the House of Lords on 14 July, moving it a step closer to becoming law. Its headline change is that, for the first time, the companies that run other businesses' IT, known as managed service providers, will be brought under formal cyber security regulation. The thinking is plain. An IT provider holds the keys to every client it serves, so one break-in there can reach dozens of businesses at once.

What the Bill does

The Bill updates the UK's existing network security rules, first written in 2018, and widens who they cover. Alongside providers of essential services like energy and water, it brings in medium and large managed service providers and some data centres. Those in scope, which the Bill calls relevant managed service providers, will have to register with the regulator, manage the security risks in the systems they run, and report significant incidents. The Information Commission, the body that used to be the ICO, will oversee IT providers. Penalties for serious failures run to £17 million or 4% of worldwide turnover.

Small firms are exempt, but that is not the end of it

There is an important carve-out. Small and micro businesses, broadly those under fifty staff, are exempt from the main requirement, so the smallest IT providers will not be directly regulated. Even so, a small provider can still be designated as a critical supplier where it matters enough to a client's security. The wider signal is the one to read. The government now treats the IT supply chain as part of national infrastructure, and the expectation of tighter security is moving down the chain whether or not a given firm is formally in scope.

What it means if you outsource your IT

You do not need to follow the Bill through Parliament to take something from it. If your IT is handled by an outside provider, that relationship is one of your biggest security dependencies, and it is a fair moment to ask how they protect themselves as well as you. Do they hold a recognised security standard such as Cyber Essentials, keep their own systems patched, and control who can reach your data? The reason the law is changing is the same reason to ask the question, whatever size your provider is.

What this means for your business

The pattern behind a lot of business breaches is a trusted supplier being used as the way in, and this law is the government acting on it. For our part, we hold ourselves to the standards we set for the businesses we look after: patched systems, controlled access, and recognised certification like Cyber Essentials, so we strengthen your security rather than adding a weak link to it. If you have never asked how your IT provider secures its own house, a changing law is a good reason to start.

#WEARECOBALT

Ready when you are.

Tell us what's slowing your business down. We'll tell you exactly how we'd fix it — plainly, with no obligation.