If you've been watching the UK tech landscape, you've probably heard something about the Cyber Security and Resilience (Network and Information Systems) Bill. It's not flashy headline news, but it's one of the most important pieces of regulation your business needs to understand right now. Here's why: most of you don't know who's actually protecting your data when you outsource IT to a managed service provider (MSP). That changes this year.
At Netitude, we've been ahead of this curve for years. But if you're currently working with any MSP — us or otherwise — this article matters to you.
The bill introduces a framework for managing cyber risk across essential sectors and critical infrastructure. For those in scope, it means mandatory security controls, incident reporting, and regular audits. But here's what most of the noise misses: this isn't some impossible new standard. It's codifying what world-class organisations already do.
What controls framework does the bill reference? The NCSC's Cyber Assessment Framework (CAF), whose objectives overlap substantially with ISO 27001 and the NIST Cybersecurity Framework. In other words, if you're already serious about security, you're already most of the way there.
Let's be direct: Netitude is likely to fall within the definition of "Relevant Managed Service Providers" under this legislation. But whether we do or not is almost irrelevant to you, because we've already built our security posture to exceed the CAF framework — and we've just added another independently assessed credential to prove it.
Here's what that means in practice:
ISO 27001 Certification: We hold full ISO 27001 certification. This isn't a checkbox; it's an external audit by independent assessors who verify our information security management system every year. It covers how we manage access to your data, handle incidents, train staff, and manage third parties. It's comprehensive, and it's independently verified.
Cyber Essentials PLUS: We're certified to Cyber Essentials Plus, the UK Government-backed scheme run by the NCSC. While ISO 27001 is the strategic framework, Cyber Essentials Plus is the operational proof that our technical controls actually work: an assessor performs hands-on technical verification, including external and internal vulnerability scanning and testing of the controls on real devices, rather than accepting a self-assessment. We don't just claim to be secure; we're tested to demonstrate it, and the certificate has to be renewed every year.
CAF Alignment: The controls behind these certifications map onto the CAF's objectives. We don't just claim alignment; our annual audits verify it. Firewalls, encryption, access controls, incident management, supply chain oversight: it's all mapped, measured, and continuously improved.
The point: whether the bill requires us to be compliant or not, you're working with an MSP that's held to the highest standard. That's the way it should be.
Here's an uncomfortable truth: not every MSP operates to this standard. Some operate with minimal controls. Some have never had an independent audit. Some have no incident response plan. And because MSPs sit at the centre of your IT infrastructure, managing your servers, email, backups, and access controls, a compromised MSP is a backdoor into every one of its customers at once.
This has happened in the real world: in July 2021, attackers exploited the Kaseya VSA remote management platform to push ransomware through MSPs to their customers. MSPs are attack vectors, and criminals know it.
The bill exists because the industry needs guardrails. We support it completely, and here's why: it raises the floor for everyone. It means that every in-scope MSP handling sensitive data for UK businesses will have to meet a baseline standard.
That's not a burden we're worried about. It's a burden we already carry — and it's the right one to carry.
The companies that should be nervous about this bill are those that've been cutting corners on security. For the rest of us, it's validation that doing the hard work of security actually matters.
One of the most important parts of the new framework is supply chain management. And this is where a lot of organisations get it wrong.
When you hand your IT to an MSP, you're not just contracting with that company. You're indirectly contracting with their entire supplier network: cloud providers, backup vendors, security tools, and managed service platforms. If any of those fail to manage their own security properly, it becomes your problem.
We've seen it play out:
This is why we take supply chain security very seriously at Netitude:
This isn't theoretical. This is how you actually reduce the risk of working with an outsourced provider.
Here's what to ask your MSP — whether it's us or someone else:
"Are you ISO 27001 certified? By an independent auditor? When was your last audit?" If they can't produce a current certificate, you're taking on blind risk. Period. Ask which certification body issued it (it should be UKAS-accredited) and whether the scope statement actually covers the services you buy from them; a certificate that covers only head office is not a certificate for your environment.
"Are you Cyber Essentials PLUS certified?" This proves that the controls actually work, not just that they exist on paper. Ask for the certificate number and expiry date; Cyber Essentials Plus certificates are valid for 12 months, so anything older has lapsed.
"Walk me through your supply chain risk management. Who are your critical vendors? How do you audit them? What happens if one of them fails?" If they "umm and err" here, that's a red flag. You should get a clear, specific answer.
"Show me your incident response plan. What happens if you get hit by ransomware? How do you notify me? What's the SLA?" Most MSPs will be vague here. Good ones will show you their playbook.
"How do you manage your engineers' access to my systems? What authentication methods do you use? How do you handle offboarding?" Stolen or misused credentials are one of the most common ways MSPs and their customers get breached. A good MSP will have thoughtful, layered controls: multi-factor authentication on every remote access path, named per-engineer admin accounts rather than shared logins, and access revoked within hours, not weeks, when an engineer leaves.
"What does your compliance framework actually cover? Can you show me your audit reports?" Not everything, obviously — you shouldn't get sensitive audit details. But they should be transparent about what they're audited against.
Don't settle for reassurance. Get evidence.
The Cyber Security and Resilience Bill is a good thing, not because it's revolutionary, but because it makes security expectations explicit and auditable. It means you can trust that any MSP in scope of the legislation and operating legally in the UK has met a baseline standard.
At Netitude, we've been operating beyond that baseline for years. We're ISO 27001 certified. We're Cyber Essentials PLUS certified. We align with the CAF. We take supply chain security seriously, not because the law requires it, but because it's the only way to do this right.
When you're choosing whom to trust with your technology and your data, security posture should be the deciding factor. Not price. Not features. Security first, then everything else.
If you're using an MSP who can't show you independent evidence of their security standards, it's time to ask harder questions. And if you'd like to talk about how we actually operate, we're here to help.
Questions about how we meet these standards, or what they mean for your business? Get in touch with our team — no pressure, just a conversation.