
Why Your MSP Should Offer Compliance Services

Your clients are getting letters about NIS2. Their accountants are asking about cybersecurity compliance. Their insurance companies are raising premiums. And they are all turning to the same person for answers: you, their MSP. The question is not whether compliance services are a good idea. The question is whether you will be the one to offer them, or whether your competitor will.

The NIS2 directive and the CyberFundamentals framework are changing the game for MSPs. Clients need help with risk assessments, security policy, and meeting the NIS2 requirements.

The Market Opportunity: NIS2 Is Creating Massive Demand

The NIS2 directive came into effect in Belgium in October 2024. Over 4,000 organizations have registered with the CCB, and thousands more in their supply chains will need to demonstrate compliance. The CyberFundamentals (CyFun) framework is the CCB-endorsed path to compliance, and it applies to organisations of all sizes.

  • 4,000+ Belgian organizations registered with the CCB
  • 10,000+ SMEs affected through supply chain requirements
  • 67% of Belgian SMEs have no compliance plan yet (Agoria, 2025)
  • Apr 18: essential entity self-assessment deadline

Your Clients Already Expect You to Handle This

When a client gets a letter about NIS2 obligations, they do not call a compliance consultant. They call their IT partner. Surveys consistently show that SMEs view their MSP as the first line of defence for anything cyber-related. If you cannot help, they will find someone who can, and that someone may also take over the rest of your contract.

  • SMEs see cybersecurity and compliance as "IT stuff" and expect their MSP to cover it
  • Clients who already trust you with their infrastructure trust you with their compliance
  • A compliance conversation deepens the relationship beyond break-fix or monitoring
  • If a competitor MSP offers compliance and you do not, you risk losing the entire account

The Revenue Model: Recurring, Predictable, High-Margin

Compliance services are inherently recurring. Frameworks require continuous monitoring, annual reviews, and evidence collection. This is not a one-time project; it is an ongoing service that adds predictable monthly revenue to every client relationship.

  • Basic compliance tracking (50-100/mo): Framework mapping, gap analysis dashboard, quarterly review calls
  • Managed compliance (100-175/mo): Policy management, evidence collection, control monitoring, audit preparation
  • Full compliance-as-a-service (175-250/mo): All of the above plus risk assessments, supplier management, incident response planning, audit-readiness guarantee

MSPs Who Offer Compliance vs. Those Who Do Not

MSPs offering compliance

  • Higher average revenue per client
  • Stickier relationships (compliance is hard to migrate)
  • Positioned as strategic partner, not just a vendor
  • Win new clients through compliance-first conversations
  • Protected against commoditisation of basic IT services

MSPs without compliance

  • Clients seek help elsewhere and discover alternative MSPs
  • Revenue limited to shrinking-margin infrastructure services
  • Perceived as "just IT support"
  • Losing deals to MSPs who bundle compliance
  • Vulnerable to price competition on commoditised services

How to Start: A Practical 5-Step Plan

1. Pick your framework

In Belgium, CyberFundamentals (CyFun) is the obvious choice. It is CCB-endorsed, maps to NIS2, and has clear maturity levels (Basic, Important, Essential). Start with CyFun Basic for most SME clients.

2. Tool up with a compliance platform

You need software that tracks controls, collects evidence, and generates reports. Spreadsheets will not scale. Look for a platform built for MSPs that supports multi-tenant management and the CyFun framework natively.

3. Train your team

You do not need to become compliance auditors. You need to understand the framework well enough to guide clients through it. One or two people with CyFun knowledge can serve dozens of clients.

4. Pilot with 3 existing clients

Choose clients who are already asking about compliance or who are in NIS2 scope. Run them through a gap analysis. The results will sell the service better than any pitch deck.

5. Package and price it

Create 2-3 tiers (see the revenue model above). Bundle compliance into your existing MSP agreements or offer it as a standalone add-on. Make it a line item on the monthly invoice.

The Easy Way to Add Compliance Services

Easy Cyber Protection is built specifically for MSPs who want to offer compliance services without building everything from scratch. It gives you a multi-tenant platform with the CyFun framework built in, automated evidence collection, client-facing dashboards, and audit-ready reports. Your clients get audit-ready. You get new recurring revenue.

Frequently Asked Questions

Do I need compliance certifications to offer these services?

No. You are not performing the audit. You are helping clients become audit-ready, which means tracking controls, collecting evidence, and closing gaps. The actual certification audit is performed by accredited CAB auditors. Think of it like a bookkeeper preparing accounts for an external auditor.

How much time does compliance management take per client?

After the initial setup (4-8 hours for a gap analysis and framework mapping), ongoing management typically takes 2-4 hours per client per month. With the right tooling, much of this is automated. One compliance-trained technician can manage 20-30 clients.

What if my clients are too small for NIS2?

NIS2 has a supply chain effect. Even if a client is not directly in scope, their larger customers or partners may require them to demonstrate basic cybersecurity hygiene. CyFun Basic is designed exactly for this. Also, cyber insurance providers increasingly require evidence of a security framework.

Can I white-label or co-brand the compliance platform?

Most compliance platforms designed for MSPs support white-labelling or co-branding. This means your clients see your brand, not the tool vendor. It reinforces your position as the trusted compliance partner.
