Cybersecurity laws and legislation (2023)

Posted: 11/13/2023 | By: Michael Brands

Determining the cybersecurity regulations that apply to your business depends on the industry you operate in, the geographical location of your organization, the location of your clientele, and other factors. Here are some of the most important cybersecurity laws broken down by region that every MSP should know:

The United States

Operating in the United States means complying with a patchwork of federal and state laws whose applicability depends on your industry, where you and your clients operate, and the kinds of data you store or process on their behalf.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects patient health information (PHI). If you provide cloud hosting or other services to a healthcare provider and handle PHI on its behalf, you are a business associate under HIPAA: you must sign a business associate agreement (BAA) with the provider and meet the administrative, physical, and technical safeguards of the HIPAA Security Rule.

The Gramm-Leach-Bliley Act (GLBA) regulates how financial institutions collect, share, and protect customers' nonpublic personal information. Its Safeguards Rule, enforced by the FTC for non-bank financial institutions, requires a written information security program and obliges institutions to oversee their service providers and flow security obligations down by contract, so an MSP supporting a bank, lender, or other financial institution is typically bound by it too.

The Payment Card Industry Data Security Standard (PCI DSS) sets requirements for safeguarding cardholder data. It is an industry standard enforced through contracts with the card brands and acquiring banks rather than a statute, but any MSP that stores, processes, or transmits cardholder data, or that can affect the security of a client's cardholder data environment, must comply with it and may be asked to demonstrate that compliance to clients. Additionally, if you have clients in the financial services sector, you may be subject to the New York Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR Part 500.

Part 500 continues to expand, which makes NYDFS an important regulator for MSPs and IT professionals even outside New York. The November 2023 amendment tightened notification duties: covered entities must notify NYDFS within 72 hours of a cybersecurity incident, which now expressly includes ransomware deployed in a material part of their systems, and within 24 hours of making an extortion payment, followed by a written explanation of the payment within 30 days. The amendment also places explicit responsibility on senior leadership and boards, and strengthens requirements for vulnerability assessments, incident response, and business continuity and disaster recovery planning. These rules bind only entities licensed or regulated by NYDFS, but they are often the template for other states' reporting requirements.

Executive Order 14028, Improving the Nation's Cybersecurity, was signed in May 2021 in the wake of the SolarWinds and Colonial Pipeline incidents. Its aims are to modernize federal cybersecurity (zero trust architecture, multifactor authentication, and encryption across agencies), secure the software supply chain (including software bills of materials for software sold to the government), standardize incident response playbooks, improve detection and logging on federal networks, and improve threat-information sharing between the public and private sectors.

NIST Special Publication 800-53 is a catalog of security and privacy controls published by the U.S. National Institute of Standards and Technology. Federal agencies are required to use it under FISMA, and FedRAMP builds on it, so an MSP serving federal customers will encounter it directly. The separate NIST Cybersecurity Framework (CSF) is voluntary and organizes security outcomes for public and private organizations alike; its categories map to 800-53 controls, so familiarity with one makes the other easier to adopt.

The Securities and Exchange Commission (SEC) has also weighed in. In July 2023 it adopted a final rule (a regulation, not legislation) that requires public companies in every industry, not only financial firms, to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and to describe their cybersecurity risk management, strategy, and governance in their annual reports. The incident disclosure requirement takes effect for most registrants in December 2023.

Congress is also changing the U.S. cybersecurity regulation landscape. The $1.7 trillion omnibus spending bill for fiscal year 2023, which funds the Department of Defense among many other agencies and runs to more than 4,000 pages, covers several different initiatives; the most pertinent to our industry is the $2.9 billion in funding for the Cybersecurity and Infrastructure Security Agency (CISA).

This $2.9 billion "shot in the arm" covers initiatives to bolster overall federal cybersecurity protection, protect civilian networks, including those of state and local governments that interface with federal systems, improve threat hunting, strengthen emergency communications preparedness, and expand CISA's regional operations.

The European Union 

The European Union has enacted several data privacy laws to protect the personal information of its residents. The General Data Protection Regulation (GDPR) is the most important one to be aware of, as it sets out the requirements for collecting, storing, and processing personal data, and it applies to any organization that processes EU residents' data, whether or not the organization is established in the EU.

MSPs that process EU residents' personal data must ensure their systems adhere to GDPR. An MSP acting as a processor on behalf of a client also needs a written data processing agreement with that client under Article 28. Fines for violations run up to the higher of €20 million or 4% of worldwide annual turnover.

Some of the key features of the GDPR involve the following:

  • Providing clear and transparent information on how data is being collected, stored, and used.
  • Establishing protocols for responding to data breaches, including notifying the supervisory authority within 72 hours of becoming aware of a breach (Article 33) and, for processors, notifying the controller without undue delay.
  • Ensuring data is only kept for as long as necessary.

The United Kingdom 

The Data Protection Act 2018 (DPA 2018) is the UK law regulating personal data handling. It replaced the Data Protection Act 1998 and, since the UK left the EU, sits alongside the UK GDPR, which carries the EU regulation's core requirements into UK law; together they set the data processing requirements for organizations, including MSPs.

The DPA 2018 and UK GDPR require organizations to inform individuals about their data handling practices and to honor their rights to access, correct, and erase their data. They also set out requirements for handling and reporting data breaches (to the Information Commissioner's Office within 72 hours where a breach is likely to put individuals' rights at risk), preventing unauthorized access, and ensuring secure data disposal.

Cyber Essentials is the UK counterpart to frameworks such as the NIST CSF: a government-backed scheme, run by the National Cyber Security Centre, that defines a baseline of five technical controls (firewalls, secure configuration, security update management, user access control, and malware protection). Cyber Essentials Plus adds independent hands-on testing of those controls. Certification is required to bid on certain central government contracts that involve handling personal data or providing ICT services.

MSPs operating in the UK must also pay attention to the proposed update to the Network and Information Systems (NIS) Regulations 2018. Backed by the government's £2.6 billion National Cyber Strategy, the changes announced in November 2022 are designed to bolster the cyber resilience of at-risk businesses and their supply chains.

Since MSPs are third-party vendors with remote, often privileged, access to sensitive data in some of the world's most important industries (healthcare, finance, and so on), the proposal brings managed service providers into the scope of NIS for the first time. It focuses on more stringent incident reporting to competent authorities such as Ofcom, Ofgem, and the Information Commissioner's Office (ICO).

ASEAN/Oceania

Though ASEAN has yet to adopt a binding region-wide framework, the Association of South East Asian Nations has published an ASEAN Cybersecurity Cooperation Strategy and an ASEAN Framework on Personal Data Protection that echo key tenets of the GDPR and the UK DPA. These include protecting personal data, ensuring secure data storage and disposal protocols, and informing individuals of their rights.

Until a binding regional framework exists, managed service providers must comply with each member state's own law, such as Singapore's Personal Data Protection Act (PDPA), and should map their controls against each country in which they or their clients operate.

In Australia, the baseline is the Australian Cyber Security Centre's Essential Eight. Like Cyber Essentials and the NIST CSF, it is a prioritized set of mitigation strategies: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups, each assessed against maturity levels 0 to 3. It was designed for internet-connected, Microsoft Windows-based networks, but its principles can be applied to other platforms.


Cybersecurity laws to watch 

Governments worldwide continue to pass more stringent cybersecurity laws and regulations as technology evolves. Here are some of the most important laws and legislation that MSPs should focus on.

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020 and was expanded by the California Privacy Rights Act (CPRA), whose amendments apply from January 1, 2023 and which created the California Privacy Protection Agency to enforce them. The law protects the personal information of California residents, requiring covered businesses to give consumers access to, deletion of, and control over their data. Like the GDPR, it reaches beyond California: any business that meets its revenue or data-volume thresholds and collects California residents' personal information is covered wherever it is based, and service providers that process that data on a business's behalf must do so under a compliant contract.

The United Kingdom expects to pass its Data Protection and Digital Information Bill by the end of 2023, revising the UK data protection regime for businesses, including MSPs, with new provisions around data security and breach notifications. The UK also plans to strengthen its NIS Regulations during 2023. These regulations were originally implemented in 2018 to transpose the EU NIS Directive and strengthen the cybersecurity of organizations providing essential and digital services.

In November 2022, the European Union adopted the NIS 2 Directive (Directive (EU) 2022/2555), which replaces the original NIS Directive; it entered into force in January 2023, and member states must transpose it into national law by 17 October 2024. NIS2 explicitly brings managed service providers and managed security service providers into scope as ICT service management providers, imposes staged reporting of significant incidents (an early warning within 24 hours of becoming aware, a full notification within 72 hours, and a final report within one month), and raises maximum fines to €10 million or 2% of global annual turnover for essential entities and €7 million or 1.4% for important entities.

Maintaining compliance with the ever-evolving regulatory landscape is integral to running a successful managed service provider business. MSPs must stay abreast of the latest laws and regulations to ensure that their practices remain compliant. Though rules and regulations constantly change, resources like ConnectWise's Cybersecurity Center are here to help MSPs stay informed on the latest global developments.

How MSPs can adapt to regulatory changes

Adapting to new regulatory changes may seem daunting for MSPs, especially those new in the space. Fortunately, you can do several simple things to adapt to the changing times.

First, an MSP should adopt and adhere to a cybersecurity framework or standard that aligns with the primary industries it supports. For most MSPs, the CIS Controls or the NIST Cybersecurity Framework are a great starting point.

From there, ongoing security awareness training, asset inventory management, change management, and regular vulnerability assessments are crucial to any successful security program.

Finally, MSPs should create an easy-to-follow incident response plan and ensure that it is tested regularly with all employees through tabletop exercises.

Cybersecurity solutions to tackle new regulations 

Ultimately, the cybersecurity regulations outlined here are meant to make the world's digital experience safer. While managing compliance with them may seem challenging and cumbersome, especially when it means juggling a stack of tools to satisfy each one, there are ways to make compliance within your clients' organizations more practical and to increase the efficiency of your compliance offering.

Partnering with an experienced MSP software provider is one way you can make regulatory compliance easier. ConnectWise professional service automation tools can handle your reporting and administrative tasks, and our SOC-as-a-service offering can help maintain compliance with more complex cybersecurity tasks. Request a demo of our cybersecurity suite today and discover how best-in-class software solutions can help you master compliance and better serve your clients.

FAQs

Yes, there are numerous laws and regulations around the world governing cybersecurity. Organizations must comply with local and international laws to protect customer data and guard against cyberattacks.

Cybersecurity regulation in the United States is divided between federal and state laws. At the federal level, the Federal Trade Commission (FTC) is the main general-purpose enforcer, while sector regulators such as the Department of Health and Human Services (for HIPAA), the SEC, and the banking regulators enforce their own rules. The Department of Homeland Security, through CISA, and the National Institute of Standards and Technology (NIST) also shape cybersecurity expectations, though NIST publishes standards and guidance rather than enforcing them.

The closest thing to a primary general cybersecurity law in the United States is Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive acts or practices in commerce; the FTC has used it against companies whose data security fell short of what they promised or what was reasonable. The FTC also enforces the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which requires non-bank financial institutions to protect the customer data they collect.

All 50 states, the District of Columbia, and several U.S. territories have passed data breach notification laws, and a growing number have added comprehensive data privacy statutes. California has the most comprehensive regime, with the California Consumer Privacy Act (CCPA), as amended by the CPRA, giving residents greater control over their data.
