- ICT service providers in the B2B sector are listed in NIS2 as a sector of high criticality (Annex I) and are therefore directly affected.
- MSPs face a dual role: They must build their own ISMS and simultaneously advise their clients on NIS2 implementation.
- Supply chain responsibility makes MSPs the linchpin of their clients' NIS2 compliance.
- ISMS as a managed service is an attractive business model with predictable recurring revenue and high client retention.
- An MSP with 60 employees and 50 clients can cover both sides of the equation within 12 months using a structured approach.
Why MSPs Are Under Particular Scrutiny in NIS2
Managed Service Providers and IT service providers hold a special position under NIS2 that many initially underestimate. Unlike a manufacturer or logistics company that views NIS2 as a regulatory obligation and then looks for someone to help with implementation, MSPs sit on both sides of the table. They are simultaneously affected parties and potential advisors — regulated entities and solution providers.
This dual role is no coincidence. When drafting the NIS2 Directive, the EU deliberately decided to include B2B ICT service providers as a separate sector of high criticality. The reasoning is obvious: A compromised Managed Service Provider endangers not just its own company but potentially dozens or hundreds of client companies simultaneously. The Kaseya attack of 2021 vividly demonstrated how a single attack vector can spread through an MSP to thousands of end clients. Supply chain attacks of this kind are among the greatest threats in recent years.
ICT Service Providers as a Separate Sector in Annex I
In Annex I of the NIS2 Directive, you'll find the sector "Management of ICT services (business-to-business)" as a sector of high criticality. The NIS2 transposition act (NIS2UmsuCG) has adopted this classification. Affected are companies that provide the following services to other businesses:
- Managed Service Providers (MSPs): Companies that operate and manage IT infrastructure, networks, applications, or security systems for clients
- Managed Security Service Providers (MSSPs): Specialized providers offering security monitoring, incident response, or vulnerability management as a service
- IT outsourcing providers: Companies that partially or fully replace their clients' IT departments
The classification is clear: If you operate or manage IT systems for other companies as a service provider and reach the size thresholds (50 employees or EUR 10 million revenue), you fall under NIS2. Since ICT service providers are listed in Annex I, you belong to the sectors of high criticality. Depending on company size, you'll be classified as an essential or important entity.
Why Classification as a Sector of High Criticality Matters
The distinction between Annex I (high criticality) and Annex II (other critical sectors) has practical consequences. Large companies in Annex I sectors are classified as essential entities and subject to stricter supervision:
| Aspect | Essential Entity | Important Entity |
|---|---|---|
| Supervision | Proactive (regular inspections) | Reactive (on occasion) |
| Fines | Up to EUR 10 million or 2% of revenue | Up to EUR 7 million or 1.4% of revenue |
| Audits | On-site inspections possible | Retrospective audits |
For an MSP with 60 employees, this typically means classification as an important entity. But even as an important entity, all substantive requirements of Article 21 apply in full.
The Dual Role: Building Your Own ISMS and Advising Clients
The particular challenge for MSPs lies in the dual role. You must simultaneously deliver two things that are both complex and resource-intensive.
Side 1: Building Your Own ISMS
As a company affected by NIS2, you need a functioning information security management system yourself. This covers all ten minimum measures from Article 21, adapted to the specific risks of an IT service provider.
And this is where it gets interesting, because the risk landscape of an MSP differs significantly from that of a manufacturing company. Your critical assets are not production machines but remote management tools, client access credentials, monitoring systems, and the infrastructure through which you administer client networks.
The risk assessment must reflect these specifics. Typical high-risk assets for an MSP:
- RMM platform (Remote Monitoring & Management): Compromise means access to all client systems
- PSA system (Professional Services Automation): Contains client data, contracts, access information
- Backup infrastructure: If you manage backups for clients, enormous responsibility resides here
- VPN and remote access solutions: Every tunnel to a client is a potential attack vector
- Ticketing system and documentation: Often contains passwords, network diagrams, and other sensitive information
- Privileged Access Management: Who has admin access to which client systems?
A security incident in your RMM platform is not just your problem. It is a security incident at every single client managed through that platform. This is precisely why the EU placed ICT service providers in Annex I.
Side 2: Supporting Clients with NIS2 Implementation
Many of your clients are also affected by NIS2 — whether as companies in the manufacturing sector, logistics, healthcare, or other regulated sectors. These clients expect their IT service provider not only to have their own security under control but also to help them with implementation.
This is partly an obligation (your clients will ask about it as part of their supply chain assessment anyway) and partly a tremendous business opportunity. After all, which advisor knows the client's IT infrastructure better than the MSP that manages it every day?
Supply Chain Responsibility: You Are the Supplier
Article 21(2)(d) of the NIS2 Directive requires "security of the supply chain including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." For an MSP, this has two consequences.
You Will Be Assessed
Every one of your clients that falls under NIS2 must evaluate their supply chain. And as an IT service provider, you are one of the most critical suppliers. Therefore, expect the following from your clients:
- Security questionnaires: Detailed questions about your security measures, certifications, incident response processes, and backup concepts
- Contractual requirements: Supplementary clauses in existing contracts regarding security standards, incident notification obligations, and audit rights
- Proof of compliance: Clients will regularly request evidence that you maintain your security measures
- Audit rights: Some clients will reserve the right to audit your security measures on-site or through third parties
If you don't have your own ISMS and cannot provide structured evidence, it becomes difficult for your clients to fulfill their supply chain obligations without documenting you as a risk. In the worst case, they'll find a different service provider.
You Must Assess Your Own Supply Chain
At the same time, as a company affected by NIS2, you must assess your own suppliers. What tools do you use? Where is your clients' data stored? What cloud services do you use? Which software vendors have access to your systems?
For a typical MSP, the supply chain looks roughly like this:
| Supplier | Risk | Assessment Measures |
|---|---|---|
| RMM vendor | Very high | Verify security certification, contractually fix SLA and incident notification obligations |
| Backup solution | High | Verify encryption standards, document storage location and access rights |
| Cloud provider | High | Compliance evidence (SOC 2, ISO 27001), data location, subcontractors |
| Ticketing system | Medium | Access controls, encryption, hosting location |
| Hardware suppliers | Medium | Supply chain security, firmware integrity |
Offering ISMS as a Service
Here comes the strategically interesting part. If you as an MSP have to build your own ISMS anyway and are simultaneously supposed to advise clients on implementation, it makes sense to offer ISMS as a managed service. Instead of providing one-time consulting and then disappearing, you build a continuous service package.
Why ISMS as a Service Works
Most NIS2-affected mid-market companies have neither the personnel resources nor the expertise to build and permanently operate an ISMS on their own. An internal Information Security Officer (ISO) as a full-time position quickly costs EUR 80,000 to 100,000 per year, and even then the regulatory experience is often lacking.
As an MSP, you have several advantages:
- Economies of scale: You develop policy templates, risk assessment methods, and processes once and use them for many clients
- Existing infrastructure knowledge: You already know your clients' IT landscape from daily operations
- Trust basis: Your clients already entrust their IT to you; the step to ISMS service is natural
- Technical competence: Many NIS2 measures (MFA, encryption, patch management, backup) you already offer
- Continuous relationship: ISMS is not a project but an ongoing process — that fits the MSP model
What the ISMS Service Covers
A well-structured ISMS managed service for NIS2-affected clients could include the following components:
Base Package (NIS2 Compliance):
- Applicability analysis and BSI registration
- Initial risk analysis for the client's critical IT systems
- Creation of core policies (information security policy, password policy, incident response plan, backup policy)
- Setup and maintenance of the asset inventory
- Quarterly risk reviews
- Annual internal audit
- Training concept and awareness measures
- External CISO function (part-time)
Extended Package (NIS2 + Operations):
- Everything from the base package
- Incident response readiness (first response, BSI notification within 24h)
- Monthly vulnerability scans and patch reporting
- Supplier assessment and contract review
- Business continuity planning and annual tests
- Preparing and moderating management reviews
- Audit preparation and support during external assessments
Premium Package (ISMS + SOC):
- Everything from the extended package
- Continuous security monitoring
- SIEM integration and log analysis
- Regular penetration tests
- Preparation for ISO 27001 certification
Pricing Model for the ISMS Service
Pricing depends on client size, IT landscape complexity, and the chosen package. Here is a realistic model that has proven effective in practice:
One-time Setup Costs:
| Client Size | Base Package | Extended Package | Premium Package |
|---|---|---|---|
| 50-100 employees | EUR 8,000-12,000 | EUR 15,000-20,000 | EUR 25,000-35,000 |
| 100-250 employees | EUR 12,000-18,000 | EUR 20,000-30,000 | EUR 35,000-50,000 |
| 250-500 employees | EUR 18,000-25,000 | EUR 30,000-45,000 | EUR 50,000-75,000 |
Monthly Managed Service Costs:
| Client Size | Base Package | Extended Package | Premium Package |
|---|---|---|---|
| 50-100 employees | EUR 800-1,200/month | EUR 1,500-2,500/month | EUR 3,000-5,000/month |
| 100-250 employees | EUR 1,200-2,000/month | EUR 2,500-4,000/month | EUR 5,000-8,000/month |
| 250-500 employees | EUR 2,000-3,000/month | EUR 4,000-6,000/month | EUR 8,000-12,000/month |
These numbers are reference values. Actual pricing depends on many factors: client industry, additional regulatory requirements (e.g., GDPR interfaces), existing security measures, and regional market conditions.
For an MSP with 50 clients, 20 of which are NIS2-affected and book the base package, this yields a monthly recurring revenue of EUR 16,000 to 24,000 from the ISMS service alone. On top come one-time setup fees of EUR 160,000 to 240,000 in the first year. That's a substantial business segment. And tool costs remain manageable: ISMS Lite offers an MSP package for EUR 10,000 one-time with unlimited instances, so you can run all client ISMS on a single platform.
Practical Example: MSP with 60 Employees and 50 Clients
Let's look at how a specific MSP can approach NIS2 implementation in the dual role.
Starting Position:
NetCare IT Services (fictitious example) is a Managed Service Provider with 60 employees and annual revenue of EUR 8.5 million. The company serves around 50 clients in southern Germany, primarily mid-market companies from the manufacturing sector, healthcare, and the services industry. The employee count is 60 and revenue stays below EUR 10 million; the balance sheet total, however, is EUR 11 million, so the size threshold is met regardless.
NetCare offers classic MSP services: network management, server administration, backup management, helpdesk, endpoint protection, and cloud migration. A structured ISMS does not yet exist, although the fundamental technical security measures are solid.
Phase 1: Building Own NIS2 Compliance (Months 1-4)
Months 1-2: Laying the Foundations
NetCare appoints the technical director as internal CISO with 40% time allocation for ISMS tasks. The executive management formally assumes the approval role and is trained in a half-day workshop on their obligations and personal liability.
The asset inventory is created. For an MSP with 60 employees and 50 clients, this covers not only its own infrastructure but also the management interfaces to client systems. NetCare identifies 45 internal IT assets and documents the access paths to 50 client environments.
Registration with the BSI takes place via the designated platform. NetCare registers as an important entity in the ICT service provider sector.
Months 3-4: Risk Analysis and Core Processes
The risk analysis focuses on MSP-specific high-risk areas:
| Risk Scenario | Likelihood | Impact | Risk Rating | Measure |
|---|---|---|---|---|
| RMM platform compromise | Medium | Very high | Critical | MFA, IP whitelisting, privilege escalation monitoring |
| Ransomware attack on backup infrastructure | Medium | Very high | Critical | Air-gapped backups, immutable storage, regular restore tests |
| Client credential exfiltration | Medium | High | High | PAM solution, password rotation, access logging |
| Social engineering against helpdesk | High | Medium | High | Verification process, training, escalation paths |
| Central monitoring infrastructure failure | Low | High | Medium | Redundancy, failover, incident plan |
In parallel, NetCare creates the core policies. Particularly important for an MSP is the incident response plan, because a security incident at NetCare must not only be reported to the BSI but also communicated to all affected clients. The communication plan therefore defines two notification streams: one regulatory (BSI within 24 hours) and one client-oriented (affected clients within 4 hours of detection).
Phase 2: Developing the ISMS Service (Months 3-6)
In parallel with its own compliance, NetCare develops the ISMS service offering. The team uses the experience from building its own ISMS directly as a blueprint for the client service.
Creating policy templates: Industry-agnostic templates are derived from NetCare's own policies that can be adapted to different clients with minimal effort. The information security policy, password policy, incident response plan, mobile device policy, and backup policy are prepared as modular templates.
Standardizing risk assessment methodology: NetCare develops a standardized risk assessment process applied to every client: create asset catalog, run through threat scenarios, determine protection requirements, define risk treatment. The approach is always the same; only the specific assets and risks vary.
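The four-step process described above (asset catalog, threat scenarios, protection requirements, risk treatment) is easy to run inconsistently across 22 clients unless the rating rule is fixed in code. The following added example is not NetCare's or ISMS Lite's code; it assumes a 3-step likelihood scale and a 4-step impact scale whose product is mapped to the rating bands of the risk table above (the article gives no formula, so the thresholds are an assumption), uses the table's five scenarios as constructed sample input, and flags Critical/High entries that still lack a measure or an owner.

```python
from dataclasses import dataclass, field

# Assumption (not from the article): ordinal scales chosen so that the
# likelihood x impact product reproduces the ratings in the NetCare table.
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Very high": 4}
RATING_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def rate_risk(likelihood: str, impact: str) -> str:
    """Step 3: turn a likelihood/impact pair into a rating band."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 8:
        return "Critical"
    if score >= 5:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Asset:
    name: str
    protection_need: str  # "normal", "high" or "very high" (assumed scale)


@dataclass
class Scenario:
    asset: str
    threat: str
    likelihood: str
    impact: str
    measures: list[str] = field(default_factory=list)
    owner: str = ""


def treatment_for(rating: str, scenario: Scenario) -> str:
    """Step 4: derive the treatment decision from the rating band."""
    if rating in ("Critical", "High"):
        if not scenario.measures or not scenario.owner:
            return "treat (incomplete: measures and owner required)"
        return "treat"
    if rating == "Medium":
        return "treat or accept with documented justification"
    return "accept"


def build_register(assets: list[Asset], scenarios: list[Scenario]) -> list[dict]:
    """Steps 1-4 over one client's data; rejects scenarios for uncatalogued assets."""
    catalog = {a.name: a for a in assets}
    register = []
    for s in scenarios:
        if s.asset not in catalog:
            raise ValueError(f"scenario references asset not in catalog: {s.asset!r}")
        rating = rate_risk(s.likelihood, s.impact)
        register.append({
            "asset": s.asset,
            "protection_need": catalog[s.asset].protection_need,
            "threat": s.threat,
            "rating": rating,
            "treatment": treatment_for(rating, s),
            "measures": list(s.measures),
            "owner": s.owner,
        })
    register.sort(key=lambda e: RATING_ORDER[e["rating"]])  # stable: worst first
    return register


def open_items(register: list[dict]) -> list[dict]:
    """Critical/High entries that still lack measures or an owner."""
    return [e for e in register if e["treatment"].startswith("treat (incomplete")]


# Constructed sample input: the five scenarios from the NetCare risk table.
SAMPLE_ASSETS = [
    Asset("RMM platform", "very high"),
    Asset("Backup infrastructure", "very high"),
    Asset("Client credential store", "very high"),
    Asset("Helpdesk", "high"),
    Asset("Monitoring infrastructure", "high"),
]
SAMPLE_SCENARIOS = [
    Scenario("RMM platform", "Platform compromise", "Medium", "Very high",
             ["MFA", "IP whitelisting", "privilege escalation monitoring"], "CISO"),
    Scenario("Backup infrastructure", "Ransomware attack", "Medium", "Very high",
             ["air-gapped backups", "immutable storage", "restore tests"], "Backup lead"),
    Scenario("Client credential store", "Credential exfiltration", "Medium", "High",
             ["PAM solution", "password rotation", "access logging"]),  # owner not yet assigned
    Scenario("Helpdesk", "Social engineering", "High", "Medium",
             ["verification process", "training", "escalation paths"], "Helpdesk lead"),
    Scenario("Monitoring infrastructure", "Central failure", "Low", "High",
             ["redundancy", "failover", "incident plan"], "Ops lead"),
]

if __name__ == "__main__":
    for entry in build_register(SAMPLE_ASSETS, SAMPLE_SCENARIOS):
        print(f"{entry['rating']:<9} {entry['asset']:<26} {entry['treatment']}")
```

Because the scales and thresholds live in one place, every consultant on the team produces the same rating for the same input, and `open_items` gives the quarterly risk review a ready list of entries that are not yet actually treated.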
Setting up tooling: To manage multiple client ISMS, NetCare needs a scalable platform. A self-hosted instance per client is often the better choice than a central cloud solution because of data separation, client sovereignty, and regulatory requirements. ISMS Lite is set up as the central system with separate tenants for each client. This allows the team to manage risks, measures, audits, and documents across clients without mixing data.
Defining service levels: NetCare defines three packages (Base, Extended, Premium) with clear service descriptions, SLAs, and pricing. Sales materials are created and the sales team is trained.
Phase 3: Onboarding Clients (Months 5-10)
Of NetCare's 50 clients, an initial analysis identifies 22 as affected by NIS2. The team prioritizes onboarding by urgency and client size.
Wave 1 (Months 5-7): The Five Largest and Most Regulated Clients
These are clients where NIS2 compliance is most urgent — for example because they are classified as essential entities or because they have already received inquiries from supervisory authorities. For each client, NetCare conducts a two-day onboarding workshop: applicability analysis, initial risk analysis, policy adaptation, and action planning.
Wave 2 (Months 7-9): The Next Ten Clients
With the experience from Wave 1, the process is already well-established. Workshops become more efficient because many issues are similar and the templates have been tested. NetCare can now onboard two clients per week.
Wave 3 (Months 9-10): The Remaining Seven Clients
The last clients are often smaller companies that barely exceed the thresholds. Here, the base package is the right choice: pragmatic, focused on minimum requirements, affordable.
Phase 4: Ongoing Operations (From Month 6)
From month 6, ongoing ISMS operations begin for the first clients in parallel with further onboarding.
Monthly activities per client (base package):
- Review risk status and update as needed (1-2 hours)
- Measure tracking and documentation (1-2 hours)
- Evaluate vulnerability reports and provide recommendations (1 hour)
- Communication with the client contact (0.5-1 hour)
Quarterly activities:
- Risk review with the client (half day)
- Coordinate or conduct training measures
- Review policies for currency
Annual activities:
- Conduct internal audit (1-2 days per client)
- Prepare and moderate management review (half day)
- Update supplier assessment
Resource Planning at NetCare
For the ISMS service, NetCare builds a dedicated team:
| Role | Scope | Task |
|---|---|---|
| ISMS Team Lead | Full-time | Overall responsibility, major clients, audit leadership |
| ISMS Consultant 1 | Full-time | Onboarding new clients, risk assessments |
| ISMS Consultant 2 | Full-time | Ongoing support, policy maintenance, training |
| Internal CISO | 40% | NetCare's own ISMS |
That's effectively 3.4 full-time equivalents for the ISMS area. With monthly revenue of around EUR 20,000 from the ISMS service (20 clients on the base package) plus setup fees, the model is profitable from the second half of the year.
Common Pitfalls for MSPs Under NIS2
From working with IT service providers, several recurring mistakes have emerged that you should avoid.
Neglecting Own Compliance
The most common mistake: MSPs rush into client consulting because they see revenue there and forget their own ISMS in the process. This is dangerous for two reasons. First, you're personally liable as the managing director of a company affected by NIS2. Second, your clients will sooner or later ask about your own security status. If you can't provide structured evidence, you lose credibility — and potentially the client.
Not Systematically Managing Client Credentials
Many MSPs store client credentials in Excel spreadsheets, shared password managers without granular access rights, or even in ticket notes. This is one of the greatest risks of all. A Privileged Access Management solution is not an optional luxury for MSPs but a fundamental prerequisite. Every access to client systems must be traceable, time-limited, and restricted to the necessary minimum.
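The three properties demanded above (traceable, time-limited, restricted to the necessary minimum) are what a PAM solution enforces at the point of access. The following added example is not a real PAM product and not code from the article; it is a minimal access broker that assumes a policy ceiling of four hours per grant, requires every grant to name explicit systems and a justifying ticket, denies anything outside scope or past expiry, and writes every decision to an audit trail that can be filtered per client when that client asks for evidence.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from uuid import uuid4


@dataclass
class Grant:
    grant_id: str
    technician: str
    client: str
    systems: frozenset       # explicit host names, never "all systems of the client"
    ticket: str              # the change or incident ticket that justifies the access
    expires_at: datetime
    revoked: bool = False


class AccessBroker:
    """Issues short-lived, narrowly scoped access grants and records every decision."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=4)):
        self.max_ttl = max_ttl            # assumed policy ceiling, not from the article
        self.grants: dict[str, Grant] = {}
        self.audit: list[dict] = []

    def _log(self, event: str, at: datetime, **details) -> None:
        self.audit.append({"ts": at.isoformat(), "event": event, **details})

    def grant(self, technician, client, systems, ticket, ttl, now=None) -> str:
        now = now or datetime.now(timezone.utc)
        if not ticket:
            raise ValueError("every grant must reference a ticket")
        if not systems:
            raise ValueError("grant must name at least one system")
        if ttl > self.max_ttl:
            raise ValueError(f"ttl {ttl} exceeds policy maximum {self.max_ttl}")
        g = Grant(str(uuid4()), technician, client, frozenset(systems), ticket, now + ttl)
        self.grants[g.grant_id] = g
        self._log("grant", now, grant_id=g.grant_id, technician=technician, client=client,
                  systems=sorted(g.systems), ticket=ticket, expires_at=g.expires_at.isoformat())
        return g.grant_id

    def check(self, grant_id, technician, client, system, now=None) -> bool:
        """Decide one access attempt; the reason is logged whether or not it is allowed."""
        now = now or datetime.now(timezone.utc)
        g = self.grants.get(grant_id)
        if g is None:
            reason = "unknown grant"
        elif g.revoked:
            reason = "revoked"
        elif g.technician != technician:
            reason = "wrong technician"
        elif g.client != client or system not in g.systems:
            reason = "out of scope"
        elif now >= g.expires_at:
            reason = "expired"
        else:
            reason = "ok"
        allowed = reason == "ok"
        self._log("access", now, grant_id=grant_id, technician=technician, client=client,
                  system=system, allowed=allowed, reason=reason)
        return allowed

    def revoke(self, grant_id: str, by: str, now=None) -> None:
        now = now or datetime.now(timezone.utc)
        self.grants[grant_id].revoked = True
        self._log("revoke", now, grant_id=grant_id, by=by)

    def expire_stale(self, now: datetime) -> list[str]:
        """Housekeeping: close grants whose time has run out so they cannot be reused."""
        expired = [gid for gid, g in self.grants.items() if not g.revoked and now >= g.expires_at]
        for gid in expired:
            self.grants[gid].revoked = True
            self._log("expire", now, grant_id=gid)
        return expired

    def trail_for_client(self, client: str) -> list[dict]:
        """Everything that happened with one client's systems, for their audit request."""
        return [e for e in self.audit if e.get("client") == client]


if __name__ == "__main__":
    broker = AccessBroker()
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    gid = broker.grant("anna", "Client A", {"srv-db-01"}, "TCK-123", timedelta(hours=2), now=t0)
    print(broker.check(gid, "anna", "Client A", "srv-db-01", now=t0 + timedelta(minutes=30)))
    for entry in broker.trail_for_client("Client A"):
        print(entry)
```

A real deployment would put this logic in front of the credential vault so that the technician never sees the password itself; the broker pattern still holds, and the audit trail is what answers the client's supply chain questionnaire about who accessed what and when.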
Not Planning Incident Response Communication
If your RMM tool is compromised, you have 50 crisis communications to manage simultaneously. Nobody can improvise that. You need a thoroughly planned communication sequence: Who informs which client? Through which channel (since your email system could be compromised)? With what wording? Who coordinates the BSI notification?
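The questions just listed (who informs which client, through which channel, who handles the BSI notification) and the two notification streams from NetCare's incident response plan above (BSI within 24 hours, affected clients within 4 hours of detection) can be turned into a generated call sheet rather than something improvised at 3 a.m. The following added example is not code from the article or from any tool it names; it assumes a constructed mapping of management platforms to client environments and a constructed contact list with an out-of-band phone number per client, switches to the phone channel whenever the MSP's own email cannot be trusted, distributes calls across the available coordinators, and reports which notifications are overdue at any given time.

```python
from datetime import datetime, timedelta, timezone
from itertools import cycle

# Deadlines from the article: BSI notification within 24 h, affected clients within 4 h of detection.
BSI_DEADLINE = timedelta(hours=24)
CLIENT_DEADLINE = timedelta(hours=4)

# Constructed sample data (assumptions): which client environments hang off which
# management platform, and each client's agreed contact with an out-of-band channel.
PLATFORM_CLIENTS = {
    "rmm-prod": ["Client A", "Client B", "Client C"],
    "backup-prod": ["Client B", "Client D"],
}
CONTACTS = {
    "Client A": {"name": "M. Huber", "phone": "+49-000-0000001", "email": "it@client-a.example"},
    "Client B": {"name": "S. Keller", "phone": "+49-000-0000002", "email": "it@client-b.example"},
    "Client C": {"name": "J. Brandt", "phone": "+49-000-0000003", "email": "it@client-c.example"},
    "Client D": {"name": "A. Vogel", "phone": "+49-000-0000004", "email": "it@client-d.example"},
}


def affected_clients(compromised_platforms: list[str]) -> list[str]:
    """Every client reachable through any of the compromised platforms, without duplicates."""
    clients: set[str] = set()
    for platform in compromised_platforms:
        clients.update(PLATFORM_CLIENTS.get(platform, []))
    return sorted(clients)


def build_plan(incident_id, detected_at, compromised_platforms, email_trusted, callers, bsi_coordinator):
    """Return the ordered notification sequence with owner, channel and due time per task."""
    if not callers:
        raise ValueError("at least one caller must be assigned")
    # Never use the MSP's own mail system for the first notice if it may be compromised.
    channel = "email" if email_trusted else "phone"
    client_due = detected_at + CLIENT_DEADLINE
    assignment = cycle(callers)
    tasks = []
    for client in affected_clients(compromised_platforms):
        contact = CONTACTS[client]
        tasks.append({
            "step": "notify_client", "client": client, "to": contact["name"],
            "via": channel, "address": contact[channel],
            "owner": next(assignment), "due": client_due, "done": False,
        })
    tasks.append({
        "step": "notify_bsi", "client": None, "to": "BSI", "via": "bsi-portal",
        "address": None, "owner": bsi_coordinator,
        "due": detected_at + BSI_DEADLINE, "done": False,
    })
    tasks.sort(key=lambda t: t["due"])  # stable sort: clients first, BSI later
    return {"incident": incident_id, "detected_at": detected_at, "tasks": tasks}


def mark_done(plan: dict, step: str, client=None) -> None:
    for task in plan["tasks"]:
        if task["step"] == step and task["client"] == client:
            task["done"] = True


def overdue(plan: dict, now: datetime) -> list[dict]:
    """Tasks whose deadline has passed without being marked done."""
    return [t for t in plan["tasks"] if not t["done"] and now > t["due"]]


if __name__ == "__main__":
    detected = datetime(2025, 3, 1, 22, 15, tzinfo=timezone.utc)   # constructed detection time
    plan = build_plan("INC-0001", detected, ["rmm-prod"], email_trusted=False,
                      callers=["anna", "bob"], bsi_coordinator="ciso")
    for t in plan["tasks"]:
        print(f"{t['due']:%H:%M} {t['step']:<13} {t['owner']:<5} via {t['via']:<10} -> {t['to']}")
```

The platform-to-client mapping is the piece most MSPs lack when an incident hits; keeping it current is a by-product of the asset inventory, and the plan output is what the communication lead works from while the technical team is busy with containment.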
Promising Too Much, Delivering Too Little
The temptation is great to sell the ISMS service as a worry-free all-inclusive package. But NIS2 compliance is not a product you buy and then have. The client remains responsible; the client's executive management continues to be personally liable. Communicate clearly what your service delivers and where the client's responsibility begins. Document this delineation contractually. The NIS2 fines and liability provisions continue to apply personally to the client.
Misjudging the Balance of Standardization vs. Customization
On one hand, you need standardized processes and templates to scale. On the other hand, every client has individual risks and requirements. The art lies in the balance: A standardized framework with modular components that are customized per client. The information security policy always follows the same structure, but the specific risks and measures are individual.
Contractual Protection as an MSP
An aspect that is often underestimated: The contractual design of your client relationships must be adapted to NIS2. This applies to both your existing MSP contracts and the new ISMS service agreements.
Add to existing MSP contracts:
- Notification obligations for security incidents that may affect client systems
- Cooperation obligations for client audits (with reasonable lead time and cost arrangement)
- Minimum security standards for the tools and systems you use
- Liability limitations and responsibility delineations
- Provisions for handling client data after contract termination
Define in ISMS service contracts:
- Clear delineation of responsibilities (who does what?)
- Service description with specific deliverables and timelines
- Client cooperation obligations (access to information, participation in reviews, approvals)
- Liability limitation for the consulting service (you don't guarantee compliance)
- Confidentiality provisions for information shared in the ISMS context
- Exit provisions: What happens to the ISMS documents when the contract ends?
Economic Perspective: ISMS as a Growth Driver
NIS2 is initially a cost issue for many MSPs. Building your own ISMS costs time and money. But long-term, it's one of the strongest growth levers in recent years for the MSP industry.
The math is simple: NIS2 affects an estimated 30,000 companies in Germany. The vast majority of them have neither the staff nor the knowledge to build an ISMS independently. External consultants are expensive and disappear again after the project. The MSP that already knows and manages the client's IT is the natural partner for ISMS implementation.
Additionally, there's an important strategic effect: A client whose ISMS you operate won't switch IT service providers easily. Switching costs increase significantly because a new MSP would first need to build up all the ISMS knowledge. ISMS as a Service increases client retention far more strongly than classic MSP services like helpdesk or server management.
And one more point: Your own ISMS increasingly becomes a competitive advantage. When clients must evaluate IT service providers as part of their supply chain obligations, the MSP with a demonstrated ISMS wins over the competitor who only verbally assures that "security is fine."
What You Should Do Now
As an MSP or IT service provider, the following approach is recommended:
Short-term (next 4 weeks):
1. Formally clarify your own applicability and register with the BSI
2. Conduct an executive management workshop (own obligations and liability)
3. Analyze your client portfolio: Which clients are affected by NIS2?
Medium-term (next 3 months):
4. Build your own ISMS, starting with asset inventory and risk analysis
5. Develop ISMS service packages and pricing model
6. Initiate first client conversations about the ISMS service
Long-term (next 12 months):
7. Complete own NIS2 compliance
8. Roll out ISMS service and onboard clients
9. Establish ongoing ISMS operations for clients
10. Optional: Pursue your own ISO 27001 certification (strengthens market position)
The dual role as affected party and advisor is demanding, but it offers a unique opportunity to future-proof your business model. NIS2 isn't going away. Requirements are more likely to increase than decrease. And the demand for competent partners who help SMEs with implementation will continue to grow in the coming years.
Further Reading
- NIS2 for SMEs: What You Need to Know and What to Do Now
- NIS2 vs. ISO 27001: Differences, Commonalities, and How Both Fit Together
- Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
- Reviewing DPAs and Assessing Service Providers: Meeting Your Due Diligence Obligations
- NIS2 Fines: Who Is Liable and How High Are the Penalties?
