Cyber Essentials Isn’t Enough Anymore: Why MSPs Need Governance to Survive What’s Coming

By Penny Heyes, Chief Operating Officer and Co-Founder, and David Clarke, Chief Technology Officer and Co-Founder at The TrustBridge

Calling all MSPs: Do you have Cyber Essentials (CE)? Most MSPs do; the real question is whether you believe it is enough to protect your business — not just your clients, but you. MSPs need to be fully aware of the new regulatory reality under the upcoming Cyber Security Resilience Act.

CSRA doesn’t just ask: “Did you try your best?” It asks: “Show us your decisions, and the evidence.” To stay compliant with the law, insurable and competitive, you need governance — not just Cyber Essentials.

Most MSPs instinctively want to say yes: they do have CE, and it feels like a badge of honour, a sign that you are doing things “properly”. It signals professionalism, competence, and a commitment to security best practice. But the uncomfortable truth is this: Cyber Essentials on its own is no longer enough. CE proves controls exist at a point in time. Modern regulation does not reward effort or good intentions. It demands evidence. It expects organisations — and the advisers supporting them — to demonstrate structured oversight, accountability, and ownership of risk.

Governance proves decisions were taken and are being acted upon. Governance is now essential. Cyber Essentials alone will not get you there.

Why Cyber Essentials Feels Comforting — and Why That’s a Problem

Most MSPs instinctively answer “yes” when asked if they have Cyber Essentials. It feels like the right response. After all, CE proves that a defined set of technical controls exists. But that is precisely the limitation.

Cyber Essentials proves controls exist at a point in time. Governance proves that decisions were taken, reviewed, and acted upon over time. And when regulators investigate an incident, they do not punish missing controls as harshly as they punish unmanaged risk.

Cyber Essentials answers the question: “Did you lock the door?” Governance answers very different — and far more important — questions: “Who decided to lock it? Why was that decision taken? And what happened when the window was left open?”

That difference matters more than many MSPs realise, and it is the trap many fall into: believing that CE, or even CE+, is enough. Many MSPs cling to CE as their compliance shield… but Cyber Essentials is static. Governance is dynamic.

What do we mean by that?

Cyber Essentials is static. It is a snapshot, reflecting the situation at a moment in time. Governance, however, is dynamic. It is a living process that records decisions, assigns ownership, and tracks accountability. When something goes wrong, regulators do not ask whether you had Cyber Essentials. They ask:

• Who owned the risk?

• What was reviewed?

• What was accepted?

• What evidence exists?

Cyber Essentials cannot answer those questions. Governance can.

What Governance gives MSPs that CE never will

1. Liability Control: Governance documents who owns every risk. If you don’t document it, regulators assume you, the MSP, own it. It is key to ensure that you and your clients have clear risk ownership – signed and sealed! Clear, signed risk ownership protects both parties and ensures that decisions are understood, accepted, and defensible — rather than implied or assumed.

2. Defensibility: Governance creates a paper trail:

• Decisions recorded

• Trade-offs justified

• Evidence readily available

When the spotlight hits and you are under investigation, whether by regulators, insurers, or lawyers, you are not scrambling to prove compliance or to find evidence of agreed decisions.

3. Commercial Leverage: Clients rarely fire the MSP who undertakes regular governance reviews. They do leave the MSP who just runs tickets. Governance elevates you from an “IT provider” to a “strategic advisor”. It positions you as someone who helps clients navigate risk, not just fix problems.

The silent killer: doing the work without the evidence

Many MSPs already do much of the right work. They patch systems, configure security controls, monitor environments, and provide sound advice. Where things go wrong is that the client’s decisions are not recorded, so no evidence is created. If client decisions are not written down and formally agreed:

• Risk ownership defaults to you, the MSP

• Blame travels uphill

• Insurance claims become painful

The effort exists, but the evidence does not. Governance turns that effort into protection.

Incident Response: Where CE completely fails

Cyber Essentials offers no meaningful support during an incident. It does not:

• Define reporting timelines

• Assign regulatory roles

• Prove escalation and notification decisions

Governance does.

Miss a reporting window and you, the MSP, and your client move from victim to suspect. That is the regulatory reality in which MSPs now live and operate.

What MSPs must make non-negotiable with clients

Governance is not just about controls; it is about the decisions taken around those controls. It is not enough to put controls in place; there must be governance around them. MSPs must insist on governance covering:

• Patching with agreed timelines and documented exceptions

• Access rules with named owner approval

• Backups that are tested and formally signed off

• Logging and monitoring with defined retention decisions

• Supplier and third-party risks that are reviewed and accepted

And if a client refuses? That refusal must be documented and signed by the client. Governance is how you say: “We warned you.”

Why MSPs should care commercially

“CE is basic hygiene” – what does that mean? It’s simple: Cyber Essentials is the minimum standard. Everyone has it. It doesn’t differentiate you. Clients don’t pay extra for antivirus, MFA or patching. They pay for confidence when things go wrong. Governance delivers that confidence. It helps MSPs:

• Keep clients longer

• Win regulated and higher-value clients

• Create recurring advisory revenue

Cyber Essentials keeps you in the room. Governance keeps you in the contract. In today’s environment, the question is no longer whether Cyber Essentials is useful. It is whether MSPs are prepared to rely on it alone when regulators, insurers, and clients demand evidence of decisions, ownership, and accountability. For MSPs who want to survive what’s coming, and grow through it, governance is no longer optional.
