The buyer moved to the boardroom. Most MSPs are still talking to the server room.

After a recent event for managed service providers, an experienced security director at a European distributor asked me a question that stuck with me. Not how the platform works. Not which features matter. He asked how an MSP builds a service around compliance in the first ninety days. How you turn a regulatory headache into a proposition you can actually sell.

That question is more revealing than it looks. It signals a shift that most MSPs can feel but have not yet translated into their business model. The person who buys cybersecurity has changed. The question they ask has changed. And the MSPs who do not move with that change are not going to lose customers because their engineering was weak. They are going to lose customers because a competitor had a conversation they could not have.

The buyer is no longer the IT manager

For most of the last decade, the person who bought security from an MSP was the IT manager. The conversation was technical. The budget sat inside IT. The question was some version of “are we patched, are we covered, are we monitored”.

That person is no longer the only buyer, and increasingly not the decisive one. Cybersecurity has moved up the building, into the boardroom, and the law put it there. Under the NIS2 directive, responsibility for cyber risk management sits explicitly with the management body, and directors can be held personally liable for failing to govern it. NIS2 goes further still: it obliges member states to ensure that board members follow cyber risk training, a duty that now reaches directors across the whole of the European Union. ENISA, the EU agency for cybersecurity, published guidance on these roles and responsibilities in June 2025, and national transpositions are turning the principle into hard law at different speeds. Germany moved first and moved hard: the NIS2-Umsetzungsgesetz, the German implementation act, took effect on 6 December 2025 with no transition period, which means organisations that waited for enforcement guidance were already non-compliant on day one. The Netherlands is close behind. Its parliament adopted the Cyberbeveiligingswet, the Dutch NIS2 implementation act, on 15 April 2026, and the law is expected to enter into force on 1 July 2026. The accompanying decree that spells out the detailed obligations, the Cyberbeveiligingsbesluit, makes the director training duty explicit.

Read that last point again. Across Europe, and now written into national law country by country, board members are required to be trained in cyber risk. When the legislator writes a training duty for directors into hard law, the topic has unambiguously left the server room.

So the question your customer’s board now asks is not “are we patched”. It is “can we prove we are resilient and compliant”. And that single word, prove, changes everything for you as their MSP.

Why does “prove” change everything?

There is a world of difference between being secure and being able to demonstrate it. Saying “we take security seriously” used to be enough to renew a cyber insurance policy or satisfy a customer’s procurement department. It is not enough any more.

Cyber insurance is the clearest example. Underwriting has quietly turned into a technical audit. According to Aon’s 2026 cyber market report, “roughly three out of four carriers now run an external attack-surface scan during underwriting” rather than relying on self-attestation. The financial stakes are significant: documented controls can swing a premium by twenty to forty percent at renewal, and S&P Global Ratings projects cyber premiums climbing fifteen to twenty percent in 2026 after two years of softening. An organisation that cannot produce evidence does not just pay more. It can find coverage unavailable at any price.

The same pattern shows up in supplier questionnaires. Mid-market and SME companies now receive these by the dozen, each one asking not whether controls exist but for proof that they do. As the distributor and MSP community itself has documented, the one-page attestation has given way to detailed questionnaires and, in some cases, external assessments before a policy is bound. Continuous evidence beats an annual snapshot, because the buyer on the other side has learned that a point-in-time attestation tells them very little.

This is the heart of the shift. The market has moved from claiming to proving. And proving is continuous, structured, and time-consuming work. Which is precisely where the opportunity, and the problem, lies for MSPs.

Why most MSPs are not moving with the buyer

Here is the uncomfortable part. Most MSPs cannot have the boardroom conversation today. Not because they are bad at their job. Because of two things that have nothing to do with the quality of their engineering.

The first is the tools. A typical customer environment has endpoint protection, Microsoft 365 security, identity tooling, a password manager, and backup. Each of those tools is excellent at its own job. But each speaks its own language, produces its own report, and lives in its own dashboard. When the CFO walks in and asks “can we prove we are compliant with NIS2”, there is no single place that answers the question. Someone has to open one console after another and assemble the answer by hand, mapping technical findings to compliance controls across a spreadsheet. Multiple consoles, scattered reports, no single answer.

The second reason is the team, and it is the more serious of the two. Even if the tooling could assemble the picture, the MSP does not have the hours. Good engineers are scarce and expensive, and the ones you have are billable on the work that pays today: patch cycles, incident response, onboarding. The evidence work that the boardroom now demands fits nowhere. It is too strategic for the service desk and too detailed for management, and nobody has a free week per customer to do it by hand. So even the MSPs who clearly see the opportunity often cannot execute on it, because the work does not scale with the team they have.

Two gaps, then. The tools cannot translate, and the team cannot keep up. Together they explain why so many capable MSPs are stuck delivering excellent technical work to a buyer who has quietly left the room.

Compliance is not a cost. It is your biggest margin opportunity in a decade.

Most of the market treats NIS2, DORA and the rest as a burden. A cost. A box-ticking obligation that someone, somewhere, has to absorb. That framing is understandable, and it is also why the opportunity is being left on the table.

Turn the frame around. Every regulation that lands on your customer is a reason for them to need a partner who can translate it into something the board can act on. That is not a cost to you. It is a service line. And it stacks into several streams of margin at once.

There is recurring revenue from the platform that makes continuous evidence possible, sold with margin built in and growing as the customer’s environment grows. There is a new layer of advisory services billed at advisory rates rather than engineering rates: quarterly board reporting, NIS2 readiness reviews, support with supplier questionnaires, audit preparation. There is retention, because once you are the partner who produces the dashboard the board relies on, you are structurally embedded and very hard to replace. And there is new business, because the MSP who can walk into a prospect and open with the compliance conversation enters at a level where price is not the first question.

Many vendors at that event talked about features. The conversation that actually matters to an MSP owner is about margin, differentiation, customer relationships, and long-term business value. Compliance, reframed, is where all four of those live.

How do you build this in the first ninety days?

This was the distributor’s question, and it deserves a concrete answer rather than a slogan.

Do not start with a grand transformation programme. Start with a handful of existing customers where you already know the environment and the relationship is good. Produce one thing they have never had before: a single, board-readable view of where they stand against the frameworks that apply to them, with the most important risks prioritised and a plan to address them. That artefact, the thing the board can actually read, is what turns a technical relationship into an advisory one.

Then let the calendar do the selling. Most of your customers have a cyber insurance renewal coming, and the broker community is explicit that preparation should start around ninety days before renewal. Many of them have a supplier questionnaire sitting in an inbox that nobody knows how to answer efficiently. Each of those is a natural, time-bound reason for the customer to say yes now rather than later. You are not inventing demand. You are meeting a deadline the customer already has, with a service they did not know you could offer.

Build the recurring service around that rhythm: continuous monitoring underneath, a periodic report to the board on top, advisory hours when something needs interpreting or remediating. Ninety days is enough to prove the model with a few accounts. It is not enough to roll it across your whole base, and you should not try.

Not every MSP has to become an advisory firm

In fairness, this is not the only viable path. Some MSPs are outstanding technical operators, they are happy in that role, and there will continue to be real demand for pure technical delivery. If that is a deliberate strategic choice, made with eyes open, it is a perfectly defensible one.

The risk is not in choosing to stay technical. The risk is in not choosing at all, and discovering eighteen months from now that the advisory relationship with your best customers has quietly been taken by someone else. A competitor MSP who started two years earlier. A regional security specialist who now picks off your mid-market accounts because they can answer the boardroom question. Or a consulting firm moving downmarket, who will not touch the technical work but will happily own the conversation with the CFO, and then decide which MSP gets the implementation, and on what terms.

The choice

Your customers are going to have the resilience-and-compliance conversation. That part is no longer up to you; the regulators, the insurers and their own biggest customers have settled it. The only open question is whether they have that conversation with you, or with somebody else.

For transparency: my own company, Guardian360, is an independent software vendor in this space. We build the Lighthouse platform and we sell only through partners, never directly, so I have a clear interest in MSPs winning this shift. But the argument stands without us. The MSPs who disappear over the next few years will not disappear because their engineering fell short. They will disappear because a competitor had a conversation they could not have.

So it is worth asking yourself the question plainly. Are you in the feature business, or are you in the business of making your customers happy? One of those is easy to copy within three years. The other is not.