Situating MSPs in the Modern Supply Chain
Supply chain cyber risk is a defining security challenge of modern business. Research suggests that the average small and medium-sized business (SMB) in Europe has nine times more suppliers than employees, with a median of 800 suppliers. For larger enterprises, the supply chain can be made up of thousands of organisations of varying sizes. With such complex connectivity between organisations of all sizes, it’s clear that supply chain risk is no longer a theoretical concern but one that business leaders must deal with head-on.
While we’ve made progress in recognising that risk is shared across ecosystems, we still haven’t fully reckoned with the role of one of its most critical components: Managed Service Providers (MSPs).
The Changing Role of the MSP
MSPs have evolved far beyond their traditional remit. They are no longer just providers of IT support; they are embedded operators within the digital infrastructure of thousands of organisations. The 2025 CyberSmart MSP Report found that 60% of customers now expect their MSP to take on their cybersecurity and IT infrastructure, which is a big responsibility. As trusted partners, they manage endpoints, control identity layers, deploy security tooling and increasingly act as outsourced security teams for time- and resource-strapped SMEs.
Managed compliance is becoming the next evolution of managed security. IT providers have moved from break-fix to managed services to managed security, and are now entering the era of compliance as a service.
In many cases, MSPs have a significant level of access to customer organisations. That level of access fundamentally changes the risk equation.
Attackers understand the value of targeting an MSP. Rather than targeting individual organisations, they are increasingly looking upstream as a way to achieve scale. A single compromise can cascade across an entire client base. It’s efficient, repeatable and, with a sharp rise in AI-enabled attack techniques, becoming even easier to execute.
Supply chain security only works if responsibility is clearly assigned and proportionate to risk, not just broadly shared.
Regulatory Gaps and the Cyber Security and Resilience Bill
Whilst MSPs sit at the centre of the ecosystem, from a regulatory and standards perspective, they remain under-defined.
The UK’s Cyber Security and Resilience Bill, however, represents a positive step forward, particularly in its recognition that cyber risk extends beyond individual organisations and into the wider supply chain. MSPs that employ at least 50 people and have a turnover exceeding €10 million will be regulated, placing approximately 1,100 MSPs within its scope (for context, the UK is home to 12,867 MSPs, according to DSIT, as of 2025). What does this mean for those MSPs?
If an MSP falls into scope, it must register with the Information Commissioner’s Office (ICO). The MSP must have appropriate and proportionate security measures in place to mitigate risk, and any incidents must be reported to the ICO.
However, the Bill still lacks specificity when it comes to MSPs at large. They are implicitly included, but not explicitly addressed as a distinct and high-impact category. MSPs are not just another supplier. Their level of privilege, access and operational responsibility sets them apart. Treating them as part of a broad supplier base risks missing the systemic impact they can have, both positive and negative.
Shifting Expectations and Accountability
Whilst frameworks like Cyber Essentials, ISO 27001 and various best-practice guidelines are valuable, they are not designed specifically for MSPs. They don’t fully account for the multi-tenant environments MSPs operate in, the scale at which they deploy changes or the downstream risk they carry on behalf of their clients.
What’s emerging, therefore, is a growing case for something more tailored: a dedicated standard or certification framework for MSPs. Not as an additional compliance burden, but as a necessary evolution of how we manage systemic cyber risk. CyberSmart’s 2025 MSP Report found that customers (or potential customers) are already scrutinising the security of the MSPs they partner (or are considering partnering) with. In fact, 77% of MSP leaders globally said scrutiny of their businesses’ security capabilities has increased, suggesting that MSP customers are more aware than ever of the importance of good cyber credentials in a potential partner. A dedicated framework would make this unofficial good practice and due diligence on the part of the end customer more official, shifting the burden of responsibility and accountability from end user to MSP and standardising good cyber hygiene.
A well-designed MSP framework would set a clear baseline for security controls, operational processes and incident response expectations. It would recognise the unique role MSPs play and provide a mechanism for validating that they are operating at an appropriate level of maturity.
For customers, particularly SMEs, it would bring much-needed transparency. Selecting an MSP would no longer be a leap of faith based on marketing claims, but a decision grounded in verifiable security standards. This is especially important for SMEs that don’t have the time, knowledge or resources to carry out this research themselves.
For MSPs, it would help professionalise the sector further. Those already investing in robust security practices would be able to differentiate themselves, while the broader market would be lifted through clearer expectations. If MSPs are regulated, will customers choose those that are over those that are not? Put it this way: if you had to choose between two high street banks, one regulated and one not, which would you pick? Regulation could have significant implications for the market, accelerating consolidation and a “race to the top” to meet the thresholds. Alternatively, and more likely, smaller MSPs will still voluntarily comply and demonstrate it through CAF (Cyber Assessment Framework) assurance.
And for policymakers, it would offer a scalable way to strengthen national cyber resilience without placing unrealistic demands on individual businesses.
MSPs as Critical Infrastructure
We need to stop treating MSPs as an edge case in supply chain discussions and start recognising them as critical infrastructure in their own right. That means bringing them into the centre of regulatory frameworks, not leaving them implied within broader categories.
It also means acknowledging that the threat landscape is shifting faster than our governance models. 44% of MSP leaders note that emerging AI threats are the biggest threat to the MSP they work for. The unknowns around these attacks raise the stakes significantly. However, MSPs have always been at the forefront of change, with a strong history of supporting customers through uncertain times. These professionals have scale and expertise unmatched by SME IT teams, and, with increasing digital complexity, they are well placed to help organisations that lack security and technical skills navigate change.
Ultimately, improving supply chain security is about recognising the industries and areas that matter most. MSPs are a critical cornerstone of many supply chains, and leaving them behind when it comes to regulation poses a significant security risk.
If we want to build a more resilient digital economy, we need to ensure that the organisations with the greatest reach and influence are held to the highest and most appropriate standards. Anything less leaves a gap that attackers will continue to exploit.
MSPs are often seen as the weakest link; let’s make them the strongest line of defence.
-Jamie Akhtar, CEO & Co-founder of CyberSmart
