TL;DR
NIS2 expanded the scope of EU cybersecurity regulation significantly. It covers essential and important entities across 18 sectors, with much lower size thresholds than NIS1.
MSPs are explicitly named in NIS2: Annex I lists 'managed service providers' and 'managed security service providers' under the sector 'ICT service management (business-to-business)'. You are in scope for the regulation, not just adjacent to it.
Your clients in healthcare, energy, water, transport, digital infrastructure, public administration and manufacturing are likely in scope. So are mid-market clients in those sectors who were not covered under NIS1.
NIS2 requires documented risk management measures, supply chain security controls, a three-stage incident reporting process starting with an early warning within 24 hours, and business continuity planning. Each needs evidence.
The commercial opportunity is clear. MSPs who can produce NIS2-aligned security monitoring, incident reporting and documentation support are the right answer for a large proportion of mid-market EU clients.
Why NIS2 matters more than NIS1 did
NIS1 had a narrow scope and member states implemented it inconsistently. The result was a patchwork of national approaches that most MSPs could safely ignore unless they served clients in a handful of critical sectors.
NIS2 is different. The scope is broader, the obligations are clearer, and the penalties are significant. Up to EUR 10 million or 2% of global annual turnover, whichever is higher, for essential entities. Up to EUR 7 million or 1.4%, whichever is higher, for important entities. Member state competent authorities have audit powers, management bodies can be held liable for failing to approve and oversee the required measures (Article 20), and for essential entities the authority can temporarily bar individual managers from exercising managerial functions until the non-compliance is fixed.
This is not a regulation your clients will treat as a low priority. And MSPs who understand the step-by-step requirements are going to win the compliance conversation in a way that MSPs who do not will not.
Which clients are in scope
Essential entities
NIS2 lists the high-criticality sectors in Annex I: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space. Large organizations in those sectors, meaning 250 or more employees or annual turnover above EUR 50 million, are essential entities under Article 3 and are subject to stricter oversight and higher penalty thresholds. A few entity types are essential regardless of size, including qualified trust service providers, TLD name registries, DNS service providers and central government public administration bodies.
Important entities
Important entities come from two places. First, Annex II sectors: postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers and research. Second, medium-sized organizations in the Annex I sectors above. In both cases the threshold drops to medium-sized enterprises: 50 or more employees, or annual turnover above EUR 10 million.
This is the part that catches most MSPs by surprise. Many mid-market manufacturing and food sector clients who were not in scope under NIS1 are now classified as important entities under NIS2. If your client base includes manufacturers, food producers, medical device companies or chemical businesses operating in the EU with 50 or more employees, those clients are in scope.
MSPs specifically
NIS2 puts managed service providers and managed security service providers in Annex I, under 'ICT service management (business-to-business)'. Article 3 then sorts them by size: a large MSP (250 or more employees or more than EUR 50 million turnover) is an essential entity, and a medium-sized MSP (50 or more employees or more than EUR 10 million turnover) is an important entity. Scope follows your own entity type and size, not your clients' sectors, so a medium-sized or larger MSP offering services in the EU is a regulated entity even if none of its clients are themselves covered. You are not just a supplier to NIS2-regulated clients. That means the security measures you apply to your own operations, and to your service delivery, come under NIS2 scrutiny.
What NIS2 alignment requires
Risk management measures
Article 21(2) specifies 10 minimum measures that covered entities must implement: risk analysis and information system security policies; incident handling; business continuity, including backup management, disaster recovery and crisis management; supply chain security; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene and cybersecurity training; policies on cryptography and encryption; human resources security, access control policies and asset management; and multi-factor or continuous authentication together with secured voice, video and text communications. Each of these needs documented evidence of implementation, not just operational practice.
Incident reporting
Article 23 requires a 3-stage reporting process for significant incidents. An early warning to the competent national authority or CSIRT within 24 hours of becoming aware of the incident, stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact. An incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. A final report no later than one month after the incident notification was submitted, with a detailed description, the type of threat or root cause, the mitigation measures applied and ongoing, and the cross-border impact where relevant. The authority can also request intermediate status updates, and if the incident is still ongoing at the one-month mark, a progress report is due instead, with the final report following within a month of the incident being handled.
Incident reporting timelines are tighter than most MSPs' current reporting infrastructure supports. If your SOC produces a weekly summary report, that is not fit for NIS2 incident notification. You need the ability to produce a structured early warning within 24 hours of becoming aware of an incident, and the 72-hour and one-month clocks keep running after that. That requires continuous monitoring and structured incident data, not post-hoc report writing.
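The timeline above is easier to operate when the incident record itself carries the deadlines and the mandatory content per stage. The following is an added example, not code from the original article or from any product it mentions: a small Python tracker that computes the 24-hour, 72-hour and one-month deadlines from the moment of awareness, handles the calendar-month edge case for the final report, and reports which Article 23(4) fields are still blank for each stage. The field names, the record layout and the sample ransomware incident are this example's own constructions; NIS2 prescribes the content of each stage, not a schema.

```python
"""Track NIS2 Article 23 reporting deadlines against a structured incident record."""
from datetime import datetime, timedelta, timezone
import calendar

# Minimum content per stage, paraphrased from Article 23(4) of Directive (EU) 2022/2555.
# Field names are this example's own; the directive prescribes content, not a schema.
STAGE_FIELDS = {
    "early_warning": ("suspected_malicious", "possible_cross_border_impact"),
    "incident_notification": ("severity", "impact"),  # IoCs only "where available"
    "final_report": ("description", "threat_type_or_root_cause", "mitigation_measures"),
}


def parse_ts(text: str) -> datetime:
    """Parse an ISO 8601 timestamp with an explicit UTC offset."""
    return datetime.fromisoformat(text)


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month arithmetic: 31 Jan becomes 28/29 Feb, not a fixed 30 or 31 days."""
    carry, month0 = divmod(ts.month, 12)
    year, month = ts.year + carry, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def deadlines(aware_at: datetime, submitted: dict) -> dict:
    """Deadline per stage. The 24h and 72h clocks start at awareness; the final-report
    clock starts when the incident notification was actually submitted (Art. 23(4)(d)).
    If it has not been submitted yet, the latest possible start is its own 72h deadline."""
    notification_due = aware_at + timedelta(hours=72)
    final_base = submitted.get("incident_notification", notification_due)
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": notification_due,
        "final_report": add_one_month(final_base),
    }


def assess(incident: dict, now: datetime) -> dict:
    """For each stage: status, deadline, hours left and the mandatory fields still blank."""
    submitted = incident.get("submitted", {})
    data = incident.get("data", {})
    report = {}
    for stage, due in deadlines(incident["aware_at"], submitted).items():
        missing = [f for f in STAGE_FIELDS[stage] if data.get(f) in (None, "")]
        if stage in submitted:
            status = "submitted" if submitted[stage] <= due else "submitted_late"
        elif now > due:
            status = "overdue"
        else:
            status = "pending"
        report[stage] = {
            "status": status,
            "due": due,
            "hours_left": round((due - now).total_seconds() / 3600, 1),
            "missing_fields": missing,
        }
    return report


# Constructed sample: ransomware on a client file server, awareness on 31 Jan so the
# final-report deadline exercises the short-month case. All times are UTC.
SAMPLE_INCIDENT = {
    "aware_at": parse_ts("2025-01-31T09:00:00+00:00"),
    "submitted": {"early_warning": parse_ts("2025-01-31T20:30:00+00:00")},
    "data": {
        "suspected_malicious": True,
        "possible_cross_border_impact": False,
        "severity": "high",
        "impact": None,  # initial impact assessment not yet recorded
        "indicators_of_compromise": ["198.51.100.23"],  # documentation-range IP, constructed
    },
}

if __name__ == "__main__":
    now = parse_ts("2025-02-02T12:00:00+00:00")
    for stage, info in assess(SAMPLE_INCIDENT, now).items():
        print(f"{stage:22} {info['status']:10} due {info['due']:%Y-%m-%d %H:%M}Z "
              f"({info['hours_left']:+.1f}h) missing={info['missing_fields']}")
```

Run as-is, the sample shows the early warning already filed on time, the 72-hour notification pending with 21 hours left and the impact field still empty, and the final report due on 3 March, because the one-month clock is measured from the notification deadline and not from a naive 30-day offset. Wiring `assess` into the SOC's ticketing system, so that the `overdue` and `missing_fields` values drive alerts, is the kind of structured incident data the paragraph above calls for.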
Supply chain security
Article 21(2)(d) requires covered entities to address security-related aspects of their relationships with direct suppliers and service providers, and Article 21(3) tells them to take into account each supplier's specific vulnerabilities and the quality of its secure development practices. As an MSP, you are in your client's supply chain. Your client will ask you to evidence your security practices, your incident response capability and your own sub-supplier dependencies. For clients in manufacturing and energy, OT environments add another layer: equipment vendors and integrators with remote access to plant networks are part of the same supply chain picture and need the same evidence.
Business continuity
NIS2 requires covered entities to have documented business continuity plans covering backup and recovery, crisis management and communications. For MSPs, this means your clients need to evidence that the services you provide have defined recovery time and recovery point objectives, and that those objectives have been tested.
The commercial conversation
NIS2 creates a straightforward commercial trigger with a large proportion of the mid-market. Your client is in scope. They need documented risk management, structured incident reporting and supply chain evidence. You provide the monitoring and detection infrastructure that makes all of that possible.
The MSPs I see losing NIS2 clients are the ones who wait for the client to lead the conversation. By the time a compliance deadline is approaching, the client is already talking to a specialist who positioned themselves six months earlier.
Start the NIS2 conversation with every EU client in scope sectors now. Ask them where their incident notification workflow sits. Ask them what evidence they are producing for their competent authority. Ask them who reviewed their supply chain risk documentation last. The answers will tell you exactly where your SOCaaS fits.
Compliance as a service is the framing that turns security monitoring into a regulatory deliverable. That is the conversation NIS2 makes possible.
FAQ
Does NIS2 apply to UK MSPs serving EU clients?
NIS2 applies to entities offering services within the EU, regardless of where the provider is headquartered. A UK MSP providing managed services to EU entities can be caught two ways: directly, because managed service providers and managed security service providers are listed in Annex I, in which case Article 26(3) requires an MSP that is not established in the Union but offers services there to designate a representative in a member state; and indirectly, through the supply chain requirements its EU clients impose under Article 21. UK-based MSPs serving EU clients in financial, healthcare or other covered sectors should review their NIS2 position with legal counsel.
What is the difference between essential and important entities under NIS2?
How does NIS2 affect MSPs in healthcare?
What does 'alignment' with NIS2 mean for an MSP?
How do I explain NIS2 to a non-technical client?
What sectors are most commonly missed in NIS2 scope assessments?
About Author
Kristian Wright
Kristian Wright is CEO and co-founder of enhanced.io, a channel-only SOC-as-a-Service provider built for MSPs. He has over 30 years in IT leadership and has co-founded three service delivery businesses.