We are an 80-person MSP. Are we affected by NIS-2?

Most likely yes. ICT service management (MSPs and MSSPs) falls under Annex I as an essential entity. The size thresholds for essential entities typically sit at 250 employees or 50 million euros revenue, but MSPs can be affected earlier through specific sector definitions. The legally binding evaluation remains a matter for counsel. We provide the expert classification in the risk check.

What additional obligations come through customer contracts?

NIS-2-affected customers must include you in their supply chain risk analysis. Expect: security questionnaires with similar depth to NIS-2 obligations, audit rights in contracts, incident reporting obligations, termination and exit clauses for critical outsourcing. Whoever delivers structured answers fast wins mandates.

Can we offer the Cybervize platform to our customers?

Yes. The Cybervize platform is built multi-tenant. You can resell as a partner, co-sell with Cybervize or run under your own brand (co-branding). Strict data isolation per tenant, separate permissions, separate audit trail.

How do we handle multi-tenant incidents?

Incidents affecting multiple tenants need cross-sector assessment and parallel reporting obligations. A single cyber incident in MSP infrastructure can simultaneously trigger BSI reporting as an essential entity, notifications to every affected NIS-2 customer and possibly data-protection notifications. Structured incident response with documented escalation paths becomes mandatory.

What does NIS-2 preparation cost for an MSP?

NIS-2 gap assessment as a fixed price from 4,500 euros. Audit-ready readiness in 8 to 14 weeks, plus ongoing vCISO support recommended. Partner models for simultaneous customer delivery have their own pricing logic. Exact cost estimate comes from the risk check.

NIS-2 for IT service providers and MSPs

ICT service management is Annex I. Plus supply-chain pressure from customers.

Annex I of the German NIS-2 implementation act covers Managed Service Providers and MSSPs as essential entities. From 250 employees or 50 million euros revenue, the obligations apply directly. Additionally NIS-2 requirements come from customer contracts, because customers classify you as a critical supplier. The Cybervize platform covers your own ISMS plus a multi-tenant platform for your customers.

Book the NIS-2 risk check

Cybervize Platform maturity report per ISO 27001 as evidence of cross-industry consulting expertise

What NIS-2 means in practice for IT service providers

Managed service providers (MSPs), MSSPs and IT service providers typically fall under NIS-2 Annex I as providers of managed services once they exceed the size thresholds — and via the supply-chain clause are additionally exposed indirectly through their NIS-2-obligated clients. Four consequences of this classification for MSPs and IT firms. Sector alone is not enough: classification as managed service provider, MSSP or digital infrastructure provider follows from the concrete activity per NIS2UmsuCG plus size thresholds. The legally binding evaluation remains a matter for specialised counsel.

01 · Scope

Essential entity with proactive BSI supervision

Annex I means the highest sanction tier and active BSI supervision. Cyber incidents in MSP infrastructure can hit thousands of customers simultaneously, hence the strict classification.

02 · Scope

Dual obligation: own ISMS plus customer evidence

IT service providers must meet their own cybersecurity obligations AND prove to customers that they support those customers' NIS-2 obligations. Customer security questionnaires become routine.

03 · Scope

Multi-tenancy as a security requirement

MSPs manage several customers on shared infrastructure. NIS-2 requires strict data isolation, cross-sector risk assessment and consolidated incident reporting.

04 · Scope

Supply-chain position makes you a supplier risk source

Every NIS-2-affected customer must include you in their risk analysis. Assessments, contractual requirements and audit rights become standard. Whoever delivers evidence fast wins mandates.

Five minimum measures with IT service provider examples

Five NIS-2 minimum measures per §30, translated into MSP practice.

Risk analysis for multi-tenant environments

Risk register evaluating customer tenants separately but consolidated. Concentration risks with cloud providers, sub-suppliers and third-party software documented.

Security in your own supply chain

Sub-supplier inventory (e.g. cloud providers, tooling vendors, specialists), contractual requirements, concentration-risk heatmap. Customers demand this transparency in security questionnaires anyway.

Multi-factor authentication for privileged access

MFA and just-in-time access for admin accounts in customer environments. Privileged access management as hygiene. Particularly critical in multi-tenancy.

Multi-channel incident response

Incident response plan with three layers: own infrastructure, individual customer tenants, sector-wide incidents with domino effect. BSI report plus customer notification with documented escalation thresholds.

Business continuity with customer SLA reference

BCM plans with customer SLA as input. RTO commitments must be backed by BCM tests. Restart sequence on multi-tenant incident documented.

Cybervize building blocks for IT service providers

The Cybervize platform covers ISMS, BCM, TPRM and assessment in one solution. For MSPs, multi-tenancy and co-branding options additionally allow you to pass the platform on to customers.

Service 01

NIS-2 risk check

Free 30-minute initial call with an indicative NIS-2 classification, top-5 gaps and a path recommendation.

Learn more Service 02

Cybervize platform

ISMS, compliance and evidence from a single platform. Multi-entity, multi-country, AI-supported.

Learn more Service 03

Virtual CISO

Platform plus permanent CISO function. For organisations without an in-house CISO.

Learn more Service 04

NIS-2 onboarding project

Gap assessment, roadmap, implementation via the platform. Fixed price from 4,500 euros.

Learn more

Self-check available

NIS-2 maturity check: 30 questions, 10 §30 BSIG measures, instant traffic light

Free, no signup, around 5 minutes. Detailed evaluation by email if desired.

Start the check

Why Cybervize fits IT service providers

Industry experience in IT services and MSSP structures from 25 years of ISMS practice at PwC, Deloitte and KPMG. The Cybervize platform is built multi-tenant, with strict data isolation and co-branding options. Partner sales is a dedicated line.

Multi-tenant: strict data isolation per tenant
16 roles: RBAC with fine-grained permissions
Co-branding: your brand, our methodology
Audit-ready: evidence towards BSI and customers

Frequently asked questions from IT service providers

Classify NIS-2 for IT service providers in 30 minutes

Free risk check with indicative NIS-2 classification, own and customer supply-chain requirements, path recommendation. Ideally with CISO or compliance plus management board present.

Book the NIS-2 risk check

Memberships, programmes and partnerships

Content last reviewed: May 18, 2026

ICT service management is Annex I. Plus supply-chain pressure from customers.

Book the NIS-2 risk check

What NIS-2 means in practice for IT service providers

ICT service management is Annex I. Plus supply-chain pressure from customers.

What NIS-2 means in practice for IT service providers

Essential entity with proactive BSI supervision