You cannot sell what you have not built
At a recent industry roundtable on the workplace of 2030, Ewoud Melis, CEO of Trustteam, said something that most MSPs are quietly avoiding: “Sort your own data first. Optimise your own workflows. Only then go to your customers with the AI conversation.” It sounds obvious. It is not what is happening.
The remark landed because it named a gap that the market is busy papering over. MSPs across Europe are selling Copilot deployments, AI productivity tooling, and AI-readiness assessments to customers while their own security posture, compliance obligations, and resilience arrangements remain works in progress. That is not just a credibility problem. It is a vulnerability. And NIS2 is about to make it a liability.
The credibility gap nobody is pricing in
A recent study by AvePoint and Omdia, drawing on 333 MSPs, found that more than half of respondents identified governance and compliance issues as the main obstacle preventing their customers from adopting AI. Not data security. Not skills shortages. Not return on investment. Governance and compliance. The irony is that the MSP is being asked to solve a problem it has not solved for itself.
The Omdia report on MSP trends for 2026 is even more direct: the most successful MSPs deploy AI internally first, to automate service desk operations, enhance knowledge management, and strengthen security operations, before monetising AI-enabled services externally. That sequencing is not a nice-to-have. It is the difference between an MSP that can demonstrate something and one that can only describe it.
What makes this gap dangerous is that customers are becoming more sophisticated. Robin Ody, practice leader for MSP analysis at Omdia, put it plainly: MSPs that adopt business-solution and vertical-specific approaches will be best positioned to capture this demand. The reverse holds as well: an MSP that cannot demonstrate its own governance posture will struggle to hold that conversation at board level, which is where it increasingly needs to happen.
‘Weerbaarheid’ and ‘veerkracht’: two words Dutch MSPs keep confusing
The Dutch-language conversation in this market often conflates two concepts that deserve to be kept separate. Weerbaarheid, or resilience in the sense of robustness, is about preventing incidents from occurring in the first place. Strong access controls, continuous vulnerability scanning, patching disciplines, hardened configurations. Veerkracht, closer to recovery capacity, is about what happens after something goes wrong. Incident response, business continuity, backup integrity, the ability to restore operations quickly.
Both matter. But they require different investments, different questions, and different conversations with customers. An MSP that has not made that distinction internally will conflate them in customer conversations too, and that conflation tends to produce organisations that are neither particularly robust nor particularly good at recovering.
NIS2 does not conflate them. Article 21 of the directive requires covered entities to implement risk-management measures on both sides of the line: preventive controls such as risk analysis, access control, vulnerability handling and multi-factor authentication, and recovery capabilities such as incident handling, backup management, disaster recovery and crisis management. Article 23 then imposes reporting deadlines, an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident, that assume a functioning detection and response capability is already in place. For MSPs operating in the Netherlands, the Cyberbeveiligingswet, the Dutch implementation of NIS2, is expected to take effect in the second quarter of 2026, replacing the existing Wbni. This is no longer a future obligation. It is arriving now.
What NIS2 actually requires of the MSP itself
There is a persistent misconception that NIS2 is primarily a customer problem, something MSPs help their clients with. That is only partially true. MSPs are themselves within scope: Annex I of the directive lists managed service providers and managed security service providers under the ICT service management (business-to-business) sector, and Commission Implementing Regulation (EU) 2024/2690 sets out the specific technical and methodological requirements that apply to them. ENISA has published technical implementation guidance for that regulation.
The obligations are not abstract. They include regular risk assessments, access and identity controls, incident detection and reporting, supply chain security measures, and governance structures with explicit management accountability: Article 20 of the directive requires management bodies to approve the risk-management measures, oversee their implementation, follow cybersecurity training, and be held liable for infringements. In Germany, where the NIS2 implementation law entered into force on 5 December 2025, that liability is personal. The number of regulated entities in Germany alone is expected to increase from approximately 4,500 to around 29,000. Board-level accountability is the intent across the EU, not a German specificity.
An MSP that advises customers on NIS2 compliance while its own obligations under the same directive remain unaddressed is in a position that will not hold. Not commercially, and increasingly not legally.
Why AI makes the gap dangerous, not just embarrassing
The threat context has shifted faster than most governance frameworks. Research from Flashpoint, published in March 2026, found that AI-powered cybercrime surged 1,500% in 2025. Attackers are using the same large language models and automation tools that MSPs are selling to customers as productivity enhancers. Shadow AI, where employees use unvetted AI tools outside approved channels, is emerging as a primary vector for data leakage, according to the Omdia 2026 MSP trends report.
The practical consequence is this. An MSP that deploys AI tooling into a customer environment without first understanding its own exposure to AI-enabled threats, and without having hardened its own environment accordingly, is extending its attack surface into every customer it touches. MSPs are high-value targets precisely because of their privileged access. The adversary does not need to compromise each customer individually if the MSP is the common point of access.
Weerbaarheid in this context means understanding what AI-enabled attacks actually look like, continuously monitoring your own infrastructure for the vulnerabilities that enable them, and being able to demonstrate that monitoring to customers and regulators. That is not a future capability. It is a current requirement.
What does leading by example actually look like?
It starts with the MSP’s own environment. Not a self-assessment checkbox, but a continuous and measurable programme. That means daily scanning of the MSP’s own attack surface, not just customer environments. It means a documented and tested compliance posture against the frameworks the MSP is selling to others: NIS2, ISO 27001, and whatever sector-specific frameworks apply to the MSP’s customer base. It means being able to show a customer, in a concrete and auditable way, that the MSP has walked the path it is recommending.
At Guardian360, where I founded the company in 2015, we built the Lighthouse platform to give MSPs and their customers continuous visibility into their attack surface and compliance posture. I will say openly that we have a commercial interest in MSPs taking this seriously. But the argument does not depend on that interest. It depends on what Ewoud said at that roundtable, and on what the data confirms: governance and compliance are the primary blocker of AI adoption, and the MSP that has not built this internally cannot credibly sell it externally.
The question worth sitting with
If your customers asked you today to open your own compliance dashboard and walk them through your security posture, what would you show them? Not what you could show them in six months with some preparation. What you could show them tomorrow morning.
That answer is your real value proposition.
Sources
- AvePoint and Omdia study: “The MSP AI gap is about governance, not skills”. Channel Dive, April 2026. channeldive.com
- Omdia “MSP Trends and Predictions 2026”, cited in Acronis blog, February 2026. acronis.com
- Kennedy Van der Laan: “Cyber in 2026: NIS2 on the way”. January 2026. kvdl.com
- ENISA: “NIS2 Technical Implementation Guidance” (Implementing Regulation (EU) 2024/2690). enisa.europa.eu
- Flashpoint research cited in Channel Insider: “Managed Security Services Shift as AI Reshapes Risk”. April 2026. channelinsider.com
- Reed Smith: “EU Cybersecurity Regulatory Update for 2026 and Beyond”. April 2026. reedsmith.com