Offering NIS2 Monitoring as a Managed Service: A Whitelabel Guide for MSPs

How MSPs can package NIS2-aligned monitoring for German SMB clients: § 30 BSIG mapping, whitelabel resale math, reporting deadlines — and honest limits.

Yes, MSPs and IT service providers can sell NIS2-aligned monitoring as a managed service — but packaged honestly: as evidence artifacts plus operations, not as a compliance promise. Continuous uptime monitoring, heartbeat checks for backup jobs, and whitelabel status pages address a clearly delimited subset of the duties in § 30(2) BSIG — they do not replace an ISMS and do not make any client “NIS2 compliant.”

This guide is for MSPs serving clients in Germany, where NIS2 has been national law since December 2025. It maps which client obligations monitoring actually supports, shows a whitelabel pricing example, and marks the legal boundaries — including whether your MSP is itself in scope. It is orientation, not legal advice.

What is the German NIS2 law, and why does it matter for MSPs now?

Germany implemented the EU NIS2 Directive through the NIS2UmsuCG (NIS2 Implementation and Cybersecurity Strengthening Act), signed on 2 December 2025, promulgated on 5 December 2025 (Federal Law Gazette, BGBl. 2025 I No. 301), and in force since 6 December 2025 — with no general transition period. The substantive obligations live in the rewritten BSIG (the Federal Office for Information Security Act, BSIG 2025); when this article cites “§ 28” or “§ 30,” those are sections of that German statute.

Three facts explain the current demand from German SMBs:

  • The BSI (Germany’s federal cybersecurity authority) estimates roughly 29,500 companies in Germany are in scope — many of them mid-sized businesses without a dedicated security team.
  • Registration under § 33(1) BSIG is due at the latest three months after an entity first qualifies; for entities already in scope when the law took effect, that works out — as a derived date — to 6 March 2026. The BSI itself states that the statutory registration deadline has already passed (BSI on regulated companies). Registration runs through the BSI portal with an ELSTER organization certificate.
  • Risk management and reporting duties have applied immediately since 6 December 2025 — clients who have not implemented them are in arrears, not in a grace period.

That gap — binding law, limited internal resources at the SMB — is exactly where a managed monitoring offering fits.

Is my MSP itself in scope of NIS2?

Before selling NIS2 services, check your own exposure — because MSPs are covered as a sector in their own right. Annex 1 of the BSIG lists, in the Digital Infrastructure sector, “managed services providers” (no. 6.1.10) and “managed security services providers” (no. 6.1.11) (Annex 1 BSIG); the legal definition of a “provider of managed services” is in § 2 no. 26 BSIG.

This matters because many secondary sources get it wrong: the normal size thresholds of § 28 BSIG apply to MSPs — there is no size-independent coverage here.

Category | Threshold (§ 28 BSIG)
Important entity | 50+ employees, or more than €10M turnover and more than €10M balance sheet total
Particularly important entity | 250+ employees, or more than €50M turnover and more than €43M balance sheet total

An MSP with 60 employees is therefore an important entity itself — with its own registration, risk management, and reporting obligations. A five-person shop below the thresholds is generally not directly regulated but will receive the requirements contractually through the supply-chain duty of its regulated clients (§ 30(2) no. 4 BSIG). For the individual assessment, the BSI offers an anonymous, non-binding NIS2 self-assessment tool (in German).

The upside: an MSP that practices the evidence discipline it sells is more credible than one that merely resells it.

Which of the client’s § 30 BSIG duties can monitoring actually support?

§ 30(1) BSIG requires appropriate, proportionate, and effective technical and organizational measures against disruptions of availability, integrity, and confidentiality — including a documentation duty. Subsection 2 spells this out in ten minimum measures. Monitoring delivers solid evidence artifacts for five of them:

§ 30(2) BSIG — the SMB client’s duty | What the MSP delivers with monitoring
No. 1 — Risk analysis and IT security concepts | Documented monitoring coverage: which services, endpoints, and jobs are watched, at what frequency — a building block of the risk concept
No. 2 — Handling of security incidents | Automated incident detection with timestamps, alerting through defined channels, and a complete, searchable incident history
No. 3 — Business continuity (backup management, recovery, crisis management) | Continuous availability monitoring of the client’s services plus heartbeat checks for backup jobs: if the ping after a backup run stops arriving, an alert fires — proof that backups actually execute
No. 4 — Supply chain security, including relationships with direct suppliers and service providers | A documented sub-processor chain for the monitoring stack itself: EU data residency, DPA, operator jurisdiction — the monitoring service is part of the client’s supply chain
No. 6 — Concepts for assessing the effectiveness of the measures | Continuous availability reports and uptime history as running evidence of whether the continuity and incident measures work

The honest flip side is just as important: monitoring does not cover nos. 5, 7, 8, 9, and 10. Vulnerability management, security training, cryptography concepts, access control, and MFA are separate organizational and technical measures — monitoring contributes nothing to them. Suggesting otherwise sells false security and puts your client relationship at risk.

What stays with the client — and what must you never promise?

Two legal guardrails define what an MSP can sell — and what it cannot:

First: responsibility cannot be delegated. The addressee of the duties in § 30 BSIG and of the fine provisions in § 65 BSIG remains the regulated entity itself. From this it follows, as a legal inference, that the client can outsource operational implementation to you, but not its legal responsibility. The fine ranges are substantial — up to €10 million for particularly important entities, or up to 2% of total turnover where turnover exceeds €500 million; up to €7 million or 1.4% for important entities.

Second: the client’s management is personally on the hook. Under § 38 BSIG, management must implement the risk management measures and monitor their implementation (subsection 1), is liable under German corporate law for breaches (subsection 2), and must attend regular training (subsection 3). A well-built MSP offering hands management exactly the material it needs to discharge that oversight duty: periodic availability reports, incident summaries, documented coverage.

That yields the correct positioning of your package: you sell evidence artifacts plus operations — monitoring coverage, incident history, reports, alert chains, and their ongoing upkeep. You do not sell compliance. “NIS2 compliant with our package” does not belong in your proposal; “supports the evidence for § 30(2) nos. 2, 3, and 6” does.

What does a whitelabel resale example look like?

Tooling is the smallest line item in the calculation — which is what makes the model attractive. The FoundersDeck Scale tier costs €39 per month and includes 50 monitors, 10 status pages with whitelabel branding, 30-second checks, and 365 days of data retention.

An example calculation (your prices are yours to set; none of this is a revenue promise):

Item | Example value
SMB clients on one Scale account | 10
Setup per client | 5 monitors + 1 whitelabeled status page
Capacity used | 50 of 50 monitors, 10 of 10 status pages
Example price for an “availability evidence package” per client | €25–49/month
Example total revenue | €250–490/month
Tooling cost | €39/month

The difference is not pure profit: it has to carry your onboarding, ongoing incident handling, the monthly report to the client’s management, and your sales effort — but that operational work is precisely what the client buys from you and cannot deliver in-house. A sensible package typically bundles: monitoring of the client’s own services, heartbeat checks for backup jobs, a status page under the client’s branding (or your own), defined alert chains, and a monthly availability report as a § 30 evidence building block.

Beyond 10 clients, you scale with additional accounts — the cost structure stays linear and predictable.

Which reporting deadlines do you need to track for your clients?

When a significant security incident hits a regulated client, § 32 BSIG prescribes a three-stage report to the joint reporting office of the BSI and the BBK (Germany’s federal civil protection agency):

Stage | Deadline | Content
Initial report | without undue delay, at the latest 24 hours after becoming aware | First classification of the incident
Updated report | at the latest 72 hours after becoming aware | Confirmation/update, initial assessment
Final report | at the latest 1 month | Final account and assessment

A security incident is “significant” under § 2 no. 11 BSIG if it can cause severe operational disruption or financial loss for the entity, or considerable damage to others.

For your offering this means: the reporting duty stays with the client (and with you, if your MSP is itself in scope) — but the 24-hour deadline is barely defensible without automated incident detection. A monitoring setup with detection timestamps, an alert chain, and a searchable history gives the client the raw data for the initial report, the 72-hour update, and the final report. That belongs in the package as a named deliverable (“reporting support: timestamps, incident data, history export”) — the legal filing itself is made by the client.
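As an added illustration (example code written for this guide, not FoundersDeck’s own software), the heartbeat check for backup jobs from § 30(2) no. 3 above and the § 32 reporting chain in one place: a backup ping that stops arriving opens an incident with a detection timestamp, and that “becoming aware” timestamp drives the 24-hour, 72-hour and one-month deadlines. Job names, intervals and dates are constructed for the example, and the one-month final-report deadline is counted from the updated-report deadline, which is an assumption of this example rather than something the table above states.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class HeartbeatJob:
    name: str
    expected_every: timedelta   # how often the backup job should ping
    grace: timedelta            # tolerated lateness before an alert fires
    last_ping: datetime         # registration counts as the first ping
@dataclass
class Incident:
    job: str
    detected_at: datetime       # the "becoming aware" timestamp for § 32
    last_ping: datetime
class HeartbeatMonitor:
    def __init__(self):
        self.jobs: dict[str, HeartbeatJob] = {}
        self.open: set[str] = set()           # jobs with an unresolved alert
        self.history: list[Incident] = []     # searchable incident history
    def register(self, name, expected_every, grace, now):
        self.jobs[name] = HeartbeatJob(name, expected_every, grace, now)
    def ping(self, name, at):
        self.jobs[name].last_ping = at
        self.open.discard(name)               # a fresh ping resolves the alert
    def check(self, now):                     # returns only newly detected incidents
        found = [Incident(j.name, now, j.last_ping) for j in self.jobs.values()
                 if j.name not in self.open and now - j.last_ping > j.expected_every + j.grace]
        self.open.update(i.job for i in found)
        self.history.extend(found)
        return found

def add_one_month(dt):                        # calendar month, day clamped (31 Jan -> 28 Feb)
    year, month = (dt.year, dt.month + 1) if dt.month < 12 else (dt.year + 1, 1)
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))
def reporting_deadlines(aware_at):
    """§ 32 chain: 24 h and 72 h after becoming aware; final report one month after the update (assumption)."""
    update = aware_at + timedelta(hours=72)
    return {"initial_report": aware_at + timedelta(hours=24), "updated_report": update,
            "final_report": add_one_month(update)}

def demo():
    """Constructed scenario: a nightly backup pings once, then goes silent."""
    m = HeartbeatMonitor()
    m.register("nightly-backup", timedelta(hours=24), timedelta(hours=2), datetime(2026, 3, 1, 2, 0))
    m.ping("nightly-backup", datetime(2026, 3, 2, 2, 5))
    quiet = m.check(datetime(2026, 3, 3, 3, 0))   # 24 h 55 min since the ping: still within grace
    late = m.check(datetime(2026, 3, 3, 5, 0))    # 26 h 55 min: overdue, one incident opened
    deadlines = {k: v.isoformat() for k, v in reporting_deadlines(late[0].detected_at).items()}
    return {"quiet": len(quiet), "incidents": len(late), "history": len(m.history), **deadlines}
```

The history list is what a “history export” deliverable would serialize for the client; the deadlines are reminders for the client’s filing, not the filing itself.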

What role does FoundersDeck play — and which role doesn’t it play?

Framed honestly: FoundersDeck is the tooling underneath your managed service, not the service itself. What it contributes to the MSP model:

  • Whitelabel status pages on the Scale tier (€39/month, 50 monitors, 10 status pages, 30-second checks, 365 days of data retention) — the status page carries your client’s branding or your own, not ours
  • Uptime and heartbeat monitoring in one tool — including backup-job monitoring for § 30(2) no. 3
  • A clean supply chain for no. 4: FoundersDeck is an owner-operated German company; all data lives on Netcup infrastructure in Nuremberg, Germany, with no exposure to the US CLOUD Act; the DPA is an instant download, no sales call. How other tools compare on jurisdiction and CLOUD Act exposure is broken down in the EU Jurisdiction Database and our comparison of the best GDPR-compliant monitoring tools
  • 365 days of data retention — enough history for annual reports and effectiveness evidence under no. 6

What FoundersDeck explicitly does not do: it makes neither you nor your clients NIS2 compliant. It covers the monitoring-adjacent items of § 30(2) and supplies the evidence artifacts — risk analysis, training, cryptography, access control, and the rest of the organization remain the client’s job and, where applicable, your consulting work.

If you serve clients in healthcare — practices, care providers, or the software vendors supplying them — the sector-specific angle is summarized on our healthcare page.

Frequently Asked Questions

Are MSPs themselves in scope of Germany’s NIS2 law?

Potentially yes — directly. Annex 1 of the BSIG (Germany’s revised Federal Office for Information Security Act, which implements NIS2) lists managed services providers (sector Digital Infrastructure, no. 6.1.10) and managed security services providers (no. 6.1.11) as covered entity types, with the legal definition of a “provider of managed services” in § 2 no. 26 BSIG. Contrary to a common misreading, the normal size thresholds of § 28 BSIG apply — MSPs are not covered regardless of size: an MSP with 50 or more employees, or with more than €10 million in both annual turnover and balance sheet total, qualifies as an important entity in its own right. Smaller MSPs below those thresholds are usually not directly regulated but will meet NIS2 through the supply-chain requirements of their regulated clients. Classification must be assessed case by case, for example with the BSI’s free online self-assessment.

Does a monitoring package make my SMB clients NIS2 compliant?

No — and you should never promise that. § 30(2) BSIG lists ten broad minimum measures, from risk analysis through cryptography and security training to access control and multi-factor authentication. Continuous monitoring addresses a defined subset: availability monitoring, timestamped incident detection, incident history, and availability reports as evidence artifacts. What you sell as an MSP is that evidence plus its ongoing operation — not an ISMS and not compliance. Overall conformity remains an organizational achievement of the end client.

Can an SMB client outsource its NIS2 responsibility to an MSP?

The operational work, yes; the legal responsibility, no. The addressee of the obligations in § 30 BSIG and of the fine provisions in § 65 BSIG remains the regulated entity itself — from which it follows, as a legal inference, that responsibility cannot be transferred by hiring a service provider. On top of that, § 38 BSIG requires the client’s management to implement the risk management measures and to monitor their implementation, with personal liability under German corporate law if that duty is breached. For you as an MSP, this means you deliver implementation and evidence, and your contract should document the division of responsibility clearly.

What are the NIS2 incident reporting deadlines under § 32 BSIG?

For a significant security incident, German law prescribes a three-stage report to the joint reporting office of the BSI and the BBK (the federal civil protection agency): an initial report without undue delay and at the latest 24 hours after becoming aware; an updated report within 72 hours; and a final report no later than one month after the report. What counts as “significant” is defined in § 2 no. 11 BSIG — essentially severe operational disruption or financial loss for the entity, or considerable damage to third parties. Every minute counts against the 24-hour deadline, so automated incident detection with timestamps and a searchable history is the practical foundation for reporting on time. The legal reporting duty itself stays with the regulated client.

What does it cost to start a whitelabel monitoring offering?

Surprisingly little — that is the appeal of the model. The FoundersDeck Scale tier costs €39 per month and includes 50 monitors, 10 status pages with whitelabel branding, 30-second checks, and 365 days of data retention. As an example setup, 10 SMB clients with 5 monitors and one whitelabeled status page each fit into a single account. How you price your “availability evidence package” is entirely up to you — managed service pricing typically reflects your setup, operations, and reporting work on top of the tooling. This is an example calculation, not a revenue promise: your margin depends on your own labor and your sales.


This article is orientation, not legal advice. The authoritative sources are the statutory text of the BSIG 2025 — in particular § 2, § 28, § 30, § 32, § 33, § 38, § 65, and Annex 1 — plus an individual assessment of your own classification. Further sources: Federal Law Gazette (BGBl. 2025 I No. 301), BSI on NIS2-regulated companies, BSI NIS2 self-assessment. Last reviewed: July 2026.

Engin Yildirim – Founder of FoundersDeck

Founder of FoundersDeck. 13+ years in software engineering. Building EU-first tools for founders.