
NIS2 Is Now Law: How MSPs Can Turn EU Compliance Pressure Into a Service Line

NIS2 directly regulates MSPs as ICT service providers. Here's how to meet your own obligations and build a compliance service for your affected clients.

Oussama Louhaidia
Updated April 13, 2026 · 10 min read

📍 Geographic scope: NIS2 is an EU directive. It applies to MSPs operating in EU member states or serving EU-based clients above the size thresholds (50+ employees or €10M turnover). If you’re based in the US, UAE, or another non-EU region with no EU operations, this regulation doesn’t directly apply — though the UK section below covers the post-Brexit position for UK-based MSPs.

Most MSPs Don’t Know They’re Regulated

NIS2 — the EU’s revised Network and Information Security Directive — came into force across EU member states in October 2024. It’s the most significant update to EU cybersecurity law in nearly a decade, and it directly names ICT managed service providers operating in Europe as regulated entities.

Most EU-based MSPs have no idea.

They’ve heard of NIS2. Some have clients asking questions about it. But the assumption is that NIS2 is a big-company problem — something for banks, energy firms, and telecoms. The reality is different. Under NIS2, if you’re an MSP with 50 or more employees or €10M in annual turnover and you operate in (or serve clients in) the EU, you’re classified as an “important entity” with legally binding security obligations.

That changes the conversation significantly.

This guide covers what NIS2 actually requires of MSPs, how to assess where you stand, and — more interestingly — how to turn the compliance pressure your mid-market clients are now facing into a structured service line.


What NIS2 Actually Requires

Before building a service, it’s worth understanding what the law actually says. NIS2 creates a list of mandatory security measures under Article 21. For MSPs, the relevant obligations are:

Risk management. You need a formal policy for managing risks to your network and information systems. Not a document that gathers dust — an active risk register with ownership and remediation tracking.

Incident handling. Significant incidents must be reported to your national competent authority within 24 hours of detection (early warning), with a full incident report within 72 hours, and a final report within one month. “Significant” means incidents that cause or could cause major service disruption or financial loss.

Business continuity. Backup management, disaster recovery plans, and crisis management procedures that have actually been tested.

Supply chain security. You must assess the security of your direct suppliers and service providers. This includes software vendors, cloud platforms, and any third party with access to your systems or your clients’ systems.

Access control and authentication. Multi-factor authentication and privileged access management aren’t optional under NIS2. Neither is a documented access control policy.

Cryptography. A policy covering encryption of data in transit and at rest, with key management.

Security training. Cyber hygiene training for staff, and security awareness at board and senior management level.

Governance accountability. This is the part most MSPs haven’t processed yet: senior management is personally accountable for NIS2 compliance. Directors can be held individually liable for non-compliance. The law requires management bodies to approve security measures and undergo training.

If you’re reading that list and realising your current security documentation doesn’t cover most of it — you’re not alone. Most MSPs have policies for client environments that are more mature than their own internal posture.


The Supply Chain Angle Is Where It Gets Interesting

Here’s the part that makes NIS2 a commercial opportunity, not just a compliance burden.

NIS2 doesn’t just regulate MSPs directly. It also requires every regulated entity — banks, hospitals, energy companies, water utilities, transport firms, public administration — to assess the security of their supply chain. And for most of those organisations, their IT managed service provider is a critical supplier.

That means your enterprise and mid-market clients are about to get significantly more demanding about your security posture. They’ll ask for evidence of your NIS2 compliance as part of their own supply chain assessments. Some will require it as a contract condition.

The clients who are themselves subject to NIS2 — and there are a lot of them — also need help meeting their own obligations. Many mid-market companies have no internal security resource. The IT function sits with their MSP. So when they get an email from their legal team saying “we need to be NIS2 compliant by Q3,” they’re calling you.

If you have a structured service to offer, that call turns into revenue. If you don’t, they start looking for someone who does.


Running a NIS2 Gap Assessment for Your Own Practice

Before you can sell NIS2 compliance as a service, you need to sort out your own house. This is also the practical way to learn what the assessment involves so you can deliver it for clients.

A NIS2 gap assessment for an MSP covers five domains:

1. Governance and accountability. Do you have a named person responsible for information security? Does your senior management understand their NIS2 obligations? Is there a documented security policy approved by leadership? If the answer to any of these is “sort of,” that’s a gap.

2. Risk management. Do you have an active risk register? Is it reviewed at least quarterly? Are risks assigned owners and tracked to resolution? Most MSPs have some form of security risk awareness but rarely have a formal register that would satisfy a regulator.

3. Incident response. Do you have a documented incident response plan? Have you tested it? Do you know your reporting obligations and who to notify if you have a significant breach? Under NIS2, “we’ll figure it out when it happens” isn’t a plan.

4. Supply chain security. Have you assessed your critical vendors? This means your PSA/RMM provider, your cloud platforms, your security tooling vendors. Have you reviewed their security documentation? Do your contracts with them include security requirements?

5. Technical controls. MFA across all privileged access? Encryption policies documented and enforced? Regular vulnerability scanning? Access control reviews? Backup and recovery tested within the last six months?

The output of this assessment should be a gap register with severity ratings, remediation owners, and timelines. That’s your NIS2 roadmap. It’s also the template you’ll use when you run the same exercise for clients.


Building NIS2 as a Client Service

Once you’ve worked through your own compliance posture, the service offer for clients becomes straightforward. Most mid-market companies in regulated sectors need exactly what you’ve just built for yourself: a gap assessment, a remediation roadmap, ongoing compliance management, and incident response capability.

Here’s how to structure it:

Phase 1: NIS2 Readiness Assessment (Fixed fee, one-off)

A four-to-eight week engagement covering all five domains above. Output: a gap register, prioritised remediation plan, and a regulatory registration checklist (NIS2 requires in-scope entities to register with their national authority). Price this at £3,000–£8,000 depending on company size. It’s not a high-margin engagement on its own, but it qualifies every client for ongoing work.

Phase 2: NIS2 Compliance Programme (Recurring monthly)

This is your ongoing vCISO service scoped to NIS2. It includes:

  • Monthly risk register reviews
  • Incident response plan ownership and quarterly tabletop exercises
  • Evidence collection for NIS2 technical controls
  • Supplier security assessments (2–4 per quarter)
  • Reporting package for management sign-off (satisfies the governance accountability requirement)
  • Regulatory monitoring — NIS2 is being transposed differently across member states; clients need to know when obligations shift

Price this at £2,000–£5,000/month depending on client size and your delivery model. For clients already on a compliance framework like ISO 27001, the overlap is significant and you can bundle efficiently.

Phase 3: Incident Response Retainer (Annual)

NIS2’s incident reporting requirements (24-hour early warning, 72-hour notification) are genuinely demanding. Most mid-market companies cannot manage this without external support. An IR retainer that guarantees response support within four hours gives clients coverage and gives you a defensible premium product.


The Multi-Framework Play

NIS2 doesn’t exist in isolation. Most of your clients who are subject to NIS2 are also dealing with other frameworks — ISO 27001, SOC 2, Cyber Essentials Plus, DORA (if they’re in financial services), or sector-specific regulations.

The smart approach is to map NIS2 controls to the other frameworks your clients are working toward. The good news: there’s significant overlap. NIS2’s Article 21 requirements map closely to ISO 27001 Annex A controls and to the NIST CSF 2.0 core functions. If a client has already done ISO 27001 work, they’re probably 60–70% of the way to NIS2 compliance.

A GRC platform that handles multi-framework mapping makes this manageable at scale. You run one evidence collection exercise and map the outputs to each framework simultaneously. That’s how you serve five clients across NIS2, ISO 27001, and Cyber Essentials without five separate compliance programmes running in parallel.


The UK Picture

For UK-based MSPs, the situation is slightly different but pointing in the same direction. Post-Brexit, the UK operates its own NIS Regulations (the Network and Information Systems (NIS) Regulations 2018, updated in 2022). The UK framework has not yet been updated to match NIS2’s expanded scope, but the government has signalled that further reforms are coming — specifically to bring ICT managed service providers explicitly into the regulatory perimeter.

UK MSPs with EU operations, EU-headquartered clients, or EU branches are already potentially subject to NIS2 in relevant member states. For everyone else, the UK NIS update is a matter of when, not if.

The practical implication: building a NIS2-aligned compliance practice now gives you a framework that works for EU-facing clients today and will translate directly to the updated UK regime when it lands. You’re not doing redundant work — you’re building ahead of where regulation is heading.


What Enforcement Actually Looks Like

One objection you’ll hear from clients: “Is anyone actually being fined?”

The honest answer is that enforcement is ramping up, not fully operational yet. Most EU member states were late transposing NIS2 into national law (the deadline was October 2024; several countries missed it). National competent authorities are building their supervisory functions. The first enforcement actions are starting to land.

But enforcement is not the only risk. The reputational and contractual exposure from a significant incident is immediate regardless of regulatory fines. Under NIS2, if you’re an MSP and you suffer a breach that cascades to clients, you face both regulatory penalties and potential civil liability to affected clients under your contracts.

The supply chain scrutiny angle is also real. Enterprise procurement teams are already running NIS2-based vendor questionnaires. An MSP that can’t produce evidence of its own compliance posture is increasingly going to lose deals to one that can.


Build the Practice Before the Demand Peaks

The window to position this service properly is now. In twelve months, every MSP will have heard of NIS2 and some will be scrambling to put something together. The ones who’ve already run their own gap assessment, built their delivery methodology, and landed two or three clients in the service will be the ones who close the deals and set the market price.

This isn’t complicated work — it’s structured, repeatable, and maps well onto what a vCISO platform is built to deliver. The first-mover advantage in your market is real, and the barrier to entry is lower than you think.


Ready to Build Your NIS2 Practice?

GetCybr gives MSPs the compliance framework coverage and automation to deliver NIS2 programmes at scale — multi-framework evidence collection, risk registers, incident response templates, and client-ready dashboards.

Book a demo to see how it works →

We’ll walk through how NIS2 delivery fits into your existing service model and what a four-client NIS2 practice looks like on the platform.
