NIS2: What MSPs Must Deploy for Their Clients in 2026
By Cyna Team · Published on
The NIS2 directive is now enforced across EU member states. It dramatically expands the scope of the previous NIS directive: around 160,000 entities are now covered in Europe, up from 15,000 under NIS1.
For MSPs, this means a double exposure: their clients must comply, and MSPs themselves are classified as critical digital service providers. Here are the 5 priority workstreams.
1. Governance and executive accountability
NIS2 requires top management to be trained on cyber risk and to be held personally accountable for failures. An outsourced DPO or CISO is no longer sufficient: the executive committee itself must document its decisions.
2. 24/7 incident detection and response
Entities must detect, analyze and respond to security incidents continuously. A managed SOC is the most realistic option for the SMB clients of an MSP: building one in-house requires a team of 8 to 12 people, which is out of reach for most organizations.
- 24/7 detection: continuous correlation and alert triage, including nights and weekends.
- SLA-backed response: critical incidents handled in under 15 minutes.
- Forensic investigation: the ability to reconstruct an incident for the regulator.
3. Incident notification within 24 hours
Any significant incident must be reported to the national competent authority (ANSSI in France, BSI in Germany, NCSC in Ireland) within 24 hours of detection, with a detailed report within 72 hours.
This deadline is unrealistic without dedicated tooling. A managed SOC automatically produces the incident timeline, enabling the client CISO to submit the notification in time.
4. Supply chain risk management
NIS2 requires assessing and monitoring risks from suppliers, including software dependencies (Log4Shell, SolarWinds, MOVEit…). MSPs must demonstrate traceability of their own subcontractors and the software components deployed at client sites.
5. Resilience testing and continuity planning
Business continuity (BCP) and disaster recovery (DRP) plans must be regularly tested. NIS2 expects proof of exercise, not a document on a shelf. Backup restoration tests, crisis exercises and red team simulations are becoming standard.
MSP role: scale compliance by 10x
An MSP that industrializes these 5 workstreams can offer them to all in-scope clients without hiring 100 SOC analysts. This is the model Cyna enables: the MSP keeps the client relationship, and Cyna operates the SOC under a white label.
Further reading
- Official directive text: EUR-Lex 2022/2555
- French transposition: Law No. 2024-1039 of November 14, 2024
- ANSSI guidance: cyber.gouv.fr