UK mulls making MSPs subject to mandatory security standards where they provide critical infrastructure

Small and medium-sized managed service providers (MSPs) could find themselves subject to the Network and Information Systems Regulations under government plans to tighten cybersecurity laws – and have got three months to object to the tax hikes that will follow. Plans to amend the EU-derived Network and Information Systems …

  1. Anonymous Coward


    I did wonder what Members of the Scottish Parliament had got involved in now, when I saw the headline!

    1. Arthur the cat

      Re: MSP

      The same here. Then I realised the idea of them providing critical infrastructure was unlikely.

  2. Anonymous Coward

    The problem with Moderately Secure Providers..

    .. is that security is still seen as a COST, ditto for most companies.

    If they want to go that route, could we start with much, MUCH higher fines for banks that get breached, because they're presently very good at dodging decent fines for it, which is why it keeps happening. A breach should cost a bank at least four times as much as it has saved by 'good enough' security, which usually isn't, but they get away with it. Stop the volume discount and apply the same fines as a poor SME would get if they lost the details of 10 customers, multiplied by actual.

    Sure, getting MSPs up to scratch would be good, but you'd have to start with getting people interested in IT and security. In case you didn't notice, the combination of Brexit and allowing HMRC to scare away talent with its IR35 gaming has rather reduced the number of people willing to stay here, and there are not enough in school to cover the gap, also because the newbies first have to build up a bit of experience. Even DISorganised crime does better.

    Nice words, little substance.

  3. Smelly Socks


    This is part of the promised bonfire of red tape (lighting the way to the sunny uplands?)

    Oh wait, it's about suffocating smaller organisations in bureaucracy. Business as usual, then! Carry on!

    1. Yet Another Anonymous coward

      Re: bonfire

      That's the plan.

      Make the fee £££ per company with ever increasing registration and reporting costs.

      So only G4S/Crapita/etc can afford to play - and none of them can be fined or cancelled because they are a vital part of infrastructure.

  4. emfiliane

    It's about time

    The MSP I joined in 2017 and was bought out a year later looked slick and professional from the outside, but as soon as you get in you realise their security was an absolute joke, with the vast majority of management and remote user access being done over RDP with an administrator password of, I kid you not, Magic123. I'm surprised ransomware didn't hit earlier, but it rolled through like a bulldozer in 2018. The clients I actively serviced were mostly immune, since I shut things off and instituted some best practices (even though I'm no CISSP), but I seemed to be the only person who gave two shits and wasn't surprised when the worst hit and they had to sell. Plus staffing was way too lean to do anything but fight fires all day; taking work home was the only way to get anything longer done.

    There should definitely be some sort of compliance regulation, though I worry it'd be watered down to overbearing yet useless, like PCI.

    1. Death_Ninja

      Re: It's about time

      "Overbearing yet useless"....

      Spot on, that's exactly what it will be.

      It won't be specific, it won't be up to date and it will involve a lot of annual paperwork to prove that your systems aren't vulnerable to something from the 1990s.

  5. Howard Sway

    Bringing MSPs under NIS

    But how are the PHBs going to understand all these TLAs?

    1. ShadowSystems

      Re: Bringing MSPs under NIS

      Buzzword buzzword buzzword, bollocks buzzword shite & shineola, buzzword buzzword buzzword.

      *Hands over a fat brown envelope*

      Buzzword buzzword bollocks?


      *Shakes hands & leaves before the Reality Distortion Field collapses*

    2. Roland6

      Re: Bringing MSPs under NIS

      They won't. Going on previous experience around "critical infrastructure", everything they need to know to comply will be hidden behind government security. So just to be able to read the new Network and Information Systems Regulations you will need to be a CLAS consultant.

  6. Anonymous Coward

    It's about time.

    Every other provider of essential services is under regulation.

    IT is an essential service. The cost of security is part of the cost of delivering the service. As with any other service we all have to pay for improvement.

Biting the hand that feeds IT © 1998–2022