Cybersecurity for IT Service Providers

IT service providers are responsible for their own security — and for the security of their clients. We help you demonstrate both, credibly.

IT Service Providers as a Preferred Attack Target

Managed Service Providers (MSPs) and IT service providers are particularly attractive from an attacker's perspective: compromising an MSP potentially grants access to the systems of all its clients. This multiplier effect makes supply chain attacks against IT service providers one of the most effective attack vectors used by modern threat actors. SolarWinds in 2020 and Kaseya in 2021 demonstrated this compellingly: by compromising a single vendor, thousands of end customers were reached.

The security level of an IT service provider is therefore directly linked to the security level of its entire client base. Customers who give their IT service provider privileged access to their infrastructure must be able to trust that the provider protects that access. This trust must today be demonstrable — no longer on the basis of contract text, but through certificates, test reports, and structured security attestations.

IT service providers thus face a dual task: they must credibly demonstrate their own security (to clients, auditors, NIS2 supervisory authorities) while simultaneously meeting the growing requirements their own clients impose on them. The security proof has become a competitive differentiator.

ISO 27001 and BSI C5: The Right Certifications for IT Service Providers

ISO 27001 is the baseline attestation that clients in regulated industries — financial sector, healthcare, public administration — now require as standard. ISO 27001 certification demonstrates that the IT service provider operates a functioning information security management system and is regularly reviewed by an independent party. Without this certificate, access to regulated clients is increasingly foreclosed.

For cloud service providers and SaaS vendors serving public sector clients, financial institutions, or KRITIS operators, BSI C5 is increasingly the more relevant proof instrument. A C5 attestation (Type 2) certifies that the cloud infrastructure was demonstrably operated securely over an observation period. It addresses cloud-specific requirements that ISO 27001 alone does not differentiate sufficiently.

We support IT service providers on both paths: ISO 27001 certification, C5 attestation, or — for providers serving both markets — a combined implementation that exploits the overlap. The effort for a combined build is significantly less than two separate certification programmes.

NIS2 for IT Service Providers: New Obligations as Essential Entities

NIS2 explicitly classifies managed service providers and cloud service providers as important or essential entities, regardless of the sector their clients operate in. In practice, IT service providers that previously had no direct cybersecurity regulatory obligations are now subject to the NIS2 requirements: risk management, incident reporting, security measures, and management training.

The implications are significant. A managed service provider must now operate a documented risk management system, report significant security incidents to the national authority within 24 hours, and demonstrate that its management has received cybersecurity training. Fines for non-compliance reach up to €10 million or 2% of global annual turnover.

We support IT service providers with NIS2 applicability analysis, gap analysis against technical and organisational requirements, and implementation of a pragmatic compliance programme. For companies already pursuing ISO 27001, NIS2 compliance can be efficiently integrated — the requirements overlap substantially.

Our Services

  • ISO 27001 certification consulting for IT service providers
  • BSI C5 attestation preparation (Type 1 and Type 2)
  • NIS2 compliance and gap analysis
  • Penetration testing of own infrastructure and managed services
  • Achilles preparation for KRITIS suppliers
  • Security awareness for IT teams and management

Applicable Regulations

  • NIS2
  • ISO/IEC 27001
  • BSI C5
  • GDPR
  • SOC 2 Type II

Industry-Specific Consulting

Talk to our experts about your specific requirements and regulatory obligations.

Request Consulting

Get in touch

Ready to address your industry-specific security requirements?

Talk to us about your security requirements – concretely, without obligation, and as equals.