One multi-tenant console for your whole book of NIS2 clients — 10 to 50 organizations, each in its own isolated tenant. The AI drafts each client's policies and imports their existing ISO 27001 or IT-Grundschutz state, so onboarding a client takes hours, not weeks — and every client gets its documents and authority-ready exports in its own language. MSP pricing from €1,499/year base (10 orgs) + €80/year per additional org.
Generic GRC tooling was built for one organization at a time. NIS2 puts MSPs and consultancies in a different position: every client has its own scope, its own management body, its own incident clock, and its own national authority — and you carry all of them at once. Three patterns surface in every conversation we have with MSP teams.
Each NIS2 client needs its own Annex I / Annex II classification, its own headcount and turnover thresholds, and its own essential-vs-important determination. Doing this by hand in a spreadsheet for a portfolio of 10–50 clients eats hours of senior consultant time every quarter — and the scoping logic is where new clients typically disqualify or upgrade themselves. MSPs that price a fixed-fee NIS2 retainer cannot afford to re-derive scope manually each renewal.
Article 21(2) lists ten cybersecurity risk-management measures. Every client must evidence all of them. MSPs deliver several of those measures themselves — incident handling, supply-chain risk, patch management, MFA — but the artifact lives at the client. Without a per-client evidence register, the MSP's audit-readiness depends on whichever consultant happens to know which client has which document. National authorities (ANSSI, BSI, ACN, CNCS, APDC) are now asking MSPs to produce per-client evidence on demand.
Article 20 makes each client's management body personally accountable for cybersecurity oversight. The MSP cannot inherit that liability — but the MSP is on the hook to give the board the dashboards, attestations, and quarterly reports that prove oversight happened. Doing this with PowerPoint and email across a portfolio is unsustainable, and it is exactly where MSPs lose deals to clients who have already built the evidence chain themselves.
Reglyze ships with a multi-tenant MSP console designed around the way NIS2 work actually happens at MSPs: one master account, many client tenants, shared training content, isolated client data, and a single quarterly view across the portfolio.
Add a managed organization in two clicks: the MSP sees a portfolio view with each client's compliance score, overdue tasks, open incidents, supplier risk, and Article 20 training coverage. Switch into a client tenant with one click for hands-on work, switch back without losing context. Each managed org is a fully isolated PostgreSQL tenant — no cross-client data leakage. The portfolio dashboard is the page MSPs leave open on their second monitor all day.
Every client tenant gets the same scoping wizard (Annex I/II + headcount + turnover + member-state classification) and gap-assessment workspace (Article 21(2) controls a–j plus Article 20 board duties). Maturity scoring is per-client; the MSP's senior consultant can fill in cells on behalf of the client. Auto-generated remediation tasks land in the per-client remediation register with severity, due date, and ownership.
Documents, training records, supplier assessments, incident timelines, and effectiveness KPIs are all per-client. Bulk export per client is one button; portfolio-level analytics (which clients have overdue training, which clients are below 60% maturity on Article 21(2)(c), which clients have unresolved supplier risk) is the default view. CSV and XLSX exports include the MSP's own master cover sheet so the artifact is audit-ready out of the box.
When a client takes a significant incident, the on-duty MSP analyst opens the client tenant, fills the standardized fields, and downloads an ANSSI-native (France) or ACN-native (Italy) report in the authority's own language — copy-paste straight into the official portal. The 24-hour / 72-hour / 1-month timer is computed per client. The MSP is the one who runs the clock; the client is the one who signs.
Every managed organization gets the full Reglyze training catalog (board / IT / general staff / sector packs) included in the MSP plan. The MSP issues attestations from a single console; per-client validity tracking; auto-reminder before expiry. The MSP's own consultants can also take the curriculum for internal upskilling — the same content the client board sees, so the consultant frames the conversation correctly.
Set a logo and accent color per managed organization from the org settings. The accent color themes the MSP console, the per-client dashboards, and the color of your exported PDF/Excel reports; client logos appear across the portfolio and client dashboards. Branding cascades from your MSP account to every managed org and is opt-in and reversible. Honest line we hold: exported documents still carry a Reglyze mark today (themed to your color) — a fully unbranded export and a custom white-label domain (your-brand.com) are on the 2026 roadmap.
Reglyze's MSP plan is designed around slot-count economics: pay a single annual base fee for the first ten managed client organizations, then €80/year per additional managed org up to fifty. Use the live calculator on the pricing page to set your slot count; portfolios beyond fifty client organizations route through our sales team for a custom plan.
Includes 10 managed organizations
Starter pack for boutique MSPs and consultancies onboarding their first NIS2 client portfolio. Up to ten managed organizations included; full Professional feature set per managed org; multi-tenant MSP console; client-branded dashboards (logo + accent color); NIS2 training bundled per managed org; priority MSP support.
Up to 50 managed organizations self-serve
Add additional managed organizations on top of the base at €80/year per slot. A portfolio of 30 client orgs costs the base €1,499 plus 20 × €80 = €3,099/year all-in. The /pricing page calculator surfaces the exact annual total live as you adjust the slot count.
Custom plan
Portfolios beyond fifty managed organizations route through our MSP sales team for a custom plan with sector-pack bundles, dedicated onboarding support, and an annual contract reviewed by a named account manager. Talk to us at [email protected] or click the Contact MSP team button at the top of this page.
The headline is the annual portfolio fee, not a per-seat charge. Add or remove managed organizations within your slot count any time. Slot release on a client churn is super-admin-audited so we keep your portfolio economics honest.
Which plan? Up to 5 client organizations → Pro 5 (€999/year, flat). 10 or more → MSP (€1,499/year base for 10 included, then €80/year per additional org, self-serve up to 50; above 50 talks to sales). A 6–9 client book is the judgement call — Pro 5 caps at 5, so 7 clients is MSP territory.
On the MSP roadmap — coming, not yet live
Reserved for a verified MSP testimonial — see Reglyze's review policy: only paying customers can leave a review, and reviews are surfaced on the trust page once moderated.
Most of the MSPs we speak to settle into the same rhythm within 90 days. The cadence below is illustrative; the platform supports every variation we have seen, including monthly versus quarterly board reporting and per-client incident-response retainers.
Spin up one managed organization per client. Run the scoping wizard on each (10–15 minutes per client). For clients with prior compliance work, upload the existing ISO 27001 SoA or DORA self-assessment and let Reglyze crosswalk to NIS2 Article 21(2). Each client lands on the MSP portfolio dashboard with a starting compliance score and a list of overdue or missing artifacts.
Auto-generated remediation tasks are filtered per client by severity. The MSP works through the [CRITICAL] items first — usually MFA coverage gaps, missing incident-response plans, untrained boards — and assigns each task to the right consultant. The MSP's senior consultant can re-score on behalf of a client once the evidence is uploaded; the client signs off in their own login.
Every client's management body completes the Reglyze board-track training and the MSP issues per-director attestations. The MSP exports a quarterly board pack (compliance score, top-5 risk, overdue tasks, training coverage) and presents it at each client's board meeting. The platform retains a versioned copy so the next audit can pull it.
When a significant incident hits a client, the on-duty MSP analyst declares it from the portfolio view, fills the standardized fields, and downloads the ANSSI- or ACN-native report. The 24-hour / 72-hour / 1-month clock runs in the platform. Quarterly reviews are scheduled per client; the MSP closes annual cycles by exporting a per-client compliance pack for the client's own retention.
Most MSPs are national — but if your book crosses borders, each client works in its own country. Set a client's country and it gets its documents in its own language plus authority-format exports for its own regulator. It is also proof of EU-wide depth, not just a single market.
Product UI ships in English, French, Italian, German and Portuguese; authority-format supplier exports cover ANSSI, ACN, BSI, CNCS and a generic EU fallback. Native incident-report templates ship for France (ANSSI) and Italy (ACN) today, with more EU authorities on the roadmap.
Partly today, fully on the 2026 roadmap — and we'd rather show you the exact line than over-promise. Today: set a per-client logo and accent color; the color themes the MSP console, the client dashboards, and your exported reports, and client logos show across the portfolio. Branding cascades from your MSP account to each managed org and is opt-in and reversible. Not there yet: exported PDFs still carry a Reglyze mark (themed to your color), and a custom white-label domain (your-brand.com) is on the roadmap.
Each managed organization holds its own gap assessment with maturity scoring on Article 21(2) controls (a–j) plus Article 20 board duties. The overall compliance score is the average of implementation and documentation maturity across all controls, weighted by sub-control count. The portfolio view aggregates these into a single MSP-wide chart and surfaces the bottom-quartile clients for prioritized attention.
Slot release is a super-admin-audited action. The MSP admin requests a release with a written reason; a Reglyze super-admin reviews and applies it; an immutable audit log entry is written. This keeps the portfolio economics honest — slots can be reused after a churn, but the process is logged so you can defend your retainer math to your own finance team.
Native templates ship for France (ANSSI) and Italy (ACN) today, in the authority's own language. English fallback templates work for the rest of the EU. Direct portal submission to ACN / ANSSI is on the 2026 roadmap.
Priority MSP support is included in every MSP plan: same-business-day response on business-hours channels, escalation paths for active incidents, and direct access to the Reglyze product team for feature requests tied to a real client retainer. Above fifty managed organizations, a named account manager is included.
The training bundle every managed organization gets — board, IT, general staff, sector packs.
NIS2 training catalog
The single most common audit failure. Board training is bundled in every MSP plan.
NIS2 Article 20 — board duties
If a client already has an ISMS, Reglyze crosswalks to the NIS2 delta.
NIS2 vs ISO 27001
How Reglyze sits next to the rest of the EU NIS2 GRC market.
NIS2 compliance software compared
Get started on the MSP base plan in under an hour: spin up your first ten managed organizations, run the scoping wizard, and have your first client portfolio dashboard live the same day. Add additional slots at €80/year per org up to fifty; talk to us if your portfolio is larger than fifty client organizations.