UK Government to Regulate MSPs in Fight Against Supply Chain Attacks

MSPs will be treated like essential service providers and could face millions in fines if they don’t comply with regulations.

Christine Horton, Contributing Editor

January 20, 2022

5 Slides

The UK government is to extend cybersecurity regulations to MSPs in a bid to counter supply chain attacks.

In May 2021 the UK government called for views on how to improve cybersecurity in supply chains and in MSPs. Then in November it announced that intervention would be required to address the problem. The government will publish the call for views later this year.

In the meantime, the government is to extend Network and Information Systems (NIS) regulations to include MSPs.

NIS regulations came into force in 2018 to improve the cybersecurity of companies which provide essential services such as water, energy, transport, health care and digital infrastructure. Organisations which fail to put in place effective cybersecurity measures can face fines as high as £17 million ($23 million).

The regulations require essential service providers to undertake risk assessments and put in place reasonable and proportionate security measures to protect their networks. They have to report significant incidents and have plans to ensure they quickly recover from them.

Regulations currently apply to some digital services such as online marketplaces, online search engines and cloud computing. However, there has been an increase in the use and dependence on digital services for providing corporate needs such as information storage, data processing and running software.

‘It’s Not an Optional Extra’

Research by the Department for Digital, Culture, Media and Sport (DCMS) shows only 12% of organisations review the cybersecurity risks coming from their immediate suppliers. Only one in 20 firms (5%) address the vulnerabilities in their wider supply chain.

Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, said the plans will “help protect essential services and our wider economy from cyber threats.


Minister Julia Lopez

“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra,” she said.

Lawmakers are also proposing improvements in the way organisations report cybersecurity incidents. Additionally, they want reform legislation to be more flexible and react to the speed of technological change.

The plans follow recent high-profile cyber incidents such as the cyberattack on SolarWinds and on Microsoft Exchange Servers which showed vulnerabilities in the third-party products. They also follow an increase in ransomware threats to organisations, including some in critical national infrastructure such as the Colonial Pipeline attack in the U.S.

UK MSPs and other cybersecurity professionals have roundly welcomed the proposals. Some have described them as “a wake-up call” for MSPs. Others have said it is an opportunity for firms to “practise what they preach.”

The cybersecurity channel sounds off in the slideshow above.

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Christine Horton or connect with her on LinkedIn.


Read more about:


About the Author(s)

Christine Horton

Contributing Editor, Channel Futures

Christine Horton writes about all kinds of technology from a business perspective. Specializing in the IT sales channel, she is a former editor and now regular contributor to leading channel and business publications. She has a particular focus on EMEA for Channel Futures.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like