Government publishes external research on the Managed Service Provider market

The Department for Science, Innovation and Technology (DSIT) has published an independent research paper quantifying the size and scope of the Managed Service Provider (MSP) market in the UK

The research has been published as part of the introduction of the Cyber Security and Resilience Bill (CSRB) to Parliament. Large- and medium-sized MSPs who meet the definition for a ‘Relevant Managed Service Provider’ (RMSP) will be brought into scope of the Network and Information Systems (NIS) Regulations.

The research, conducted by Frontier Economics and Glass.AI, has produced key findings and highlights opportunities and challenges for these types of organisations as the sector prepares for the introduction of the CSRB.

Key findings

According to the report, the UK is home to 12,867 MSPs, employing approximately 343,762 people, generating an estimated £51 billion in revenue and contributing £22.3 billion in Gross Value Added (GVA).

More than half of the active MSPs identified (7,074) offer cloud services. All the MSPs identified in this research are companies registered and active on Companies House, with at least one office in the UK, whether headquartered in the UK or overseas.

Scope of the CSRB

To fall within the scope of the CSRB, an MSP must employ at least 50 people and have an annual turnover of €10 million or more.

It remains unclear whether the employment threshold for the CSRB refers to UK-based staff or global headcount. This distinction significantly impacts the number of MSPs in scope of the regulation. Based on an annual turnover of €10 million or more and UK employment only, 977 MSPs meet the criteria, whereas 1,213 MSPs qualify when global employment figures are considered. Missing revenue data also widens the scope as employment levels become the only measurable metric, increasing included MSPs from 977 to 1,214 when considering UK employment, and from 1,213 to 2,381 MSPs.

Analysis indicates that a significant proportion of MSPs already fall within the Bill’s scope. Cloud service providers account for approximately 658 of 1,214 UK-based MSPs and 1,362 of 2,381 globally meeting this definition.

In total, between 556 and 1,019 additional MSPs could fall within the scope of the CSRB, beyond those already covered as cloud service providers.

Updated taxonomy

The inclusion of three new service categories in the MSP taxonomy: system integration, business process outsourcing and IT support for operational technology adds a further 255 companies to the count. These additions reflect the evolving nature of managed services and their critical role in operational resilience.

Challenges in defining MSPs

The study highlights several obstacles to establishing a clear definition of Managed Service Providers (MSPs), particularly in the context of the CSRB.

• Lack of a universal definition – MSPs do not fall under any dedicated Standard Industrial Classification (SIC) code, making them difficult to identify consistently across official datasets. This absence of a formal classification creates gaps in traceability and complicates regulatory oversight.
• Overlap with other IT services – due to MSPs lacking a precise definition, they are often grouped with other IT service categories such as cloud computing, IT consulting, infrastructure management and outsourcing. These categories differ significantly in terms of cyber security risk and compliance requirements, yet they are frequently treated as one, blurring the boundaries of what constitutes an MSP.
• Rapidly evolving service offerings – MSPs are inherently dynamic, adapting their services to meet changing cyber security needs and respond to emerging threats. This constant evolution makes it challenging to maintain a static definition that accurately reflects the sector.
• Diverse business models – The market comprises both dedicated MSPs, whose core business is managed services and diversified firms that offer managed services alongside other activities. Estimating employment and revenue for diversified providers is particularly difficult, as they rarely report figures by service category. This complicates market sizing and classification efforts.