Compliance has quietly become one of the most commercially important capabilities an MSP can develop. The combination of rising regulatory complexity, growing enterprise procurement requirements, and client awareness of their own compliance obligations has created demand for compliance management services that most SMBs and mid-market organizations simply cannot address in-house.
According to the 2026 Kaseya State of the MSP Report, 71% of MSPs say cybersecurity issues are a top business challenge. Compliance management is increasingly how MSPs demonstrate they are addressing that challenge on behalf of clients. MSPs that understand the compliance landscape, what frameworks apply, how they overlap, and how to deliver compliance as a scalable managed service, are winning enterprise clients, commanding premium pricing, and building high-retention service relationships.
Kaseya’s compliance and security platform is used by thousands of MSPs worldwide, giving us a clear view of where compliance practices succeed operationally and where they stall.
This guide covers the full picture: what IT compliance means for MSPs, the frameworks you and your clients need to understand, and how to build a compliance practice that delivers real margin.
Compliance Manager GRC gives MSPs a multi-framework compliance platform for assessing, evidencing, and reporting across HIPAA, GDPR, CMMC, NIST, PCI DSS, SOC 2, and more from a single interface.
What is IT compliance?
IT compliance refers to the policies, controls, and processes organizations must follow to meet legal, regulatory, and contractual requirements covering how they manage and secure data and IT systems. Regulatory bodies at the federal, state, and international level set these requirements based on industry, data type, and geography.
For MSPs, IT compliance operates on two levels simultaneously. First, there are the compliance obligations that apply to your own business as a service provider handling client data. Second, there are the compliance obligations that apply to your clients’ businesses, which you may be contracted or positioned to help them meet.
Most MSPs are being asked about both at the same time. And increasingly, the ability to answer those questions with evidence rather than assurances is what separates the MSPs that win enterprise business from those that get screened out early.
What is the purpose of IT compliance?
The goal is to protect the security and integrity of an organization’s digital assets, and to give regulators, clients, and partners confidence that appropriate controls are in place. Non-compliance is not just a legal risk: it creates direct business exposure through fines, loss of contracts, cyber insurance exclusions, and reputational damage. GDPR violations carry fines of up to €20 million or 4% of annual global revenue, whichever is higher. HIPAA criminal penalties can reach $250,000 per violation and include jail time. PCI DSS security breach fines can reach $500,000 per incident.
Beyond penalties, clients and customers in regulated industries will not work with service providers who cannot demonstrate compliant practices. Compliance is increasingly a table-stakes commercial requirement, not just a regulatory one.
Why compliance has become a core MSP opportunity
Several converging trends have moved IT compliance from a specialization to a core service line for competitive MSPs.
Regulatory expansion. The CMMC 2.0 program rule took effect in December 2024, and CMMC requirements are entering DoD contracts under a phased rollout. NIS2's transposition deadline passed in October 2024, and the directive explicitly names managed service providers as in-scope entities. PCI DSS v4.0 became the only active version in March 2024 when v3.2.1 was retired, with its future-dated requirements falling due in March 2025. HIPAA Security Rule updates are in progress. The regulatory surface area is growing, not stabilizing.
Enterprise procurement requirements. Enterprise clients increasingly require documented compliance evidence, SOC 2 Type II reports, ISO 27001 certification, HIPAA Business Associate Agreements, before engaging service providers. MSPs without these credentials are locked out of enterprise sales cycles before they begin.
Cyber insurance requirements. Insurers now mandate evidence of specific security controls, MFA across all accounts, endpoint detection and response (EDR), tested backups, patch management, and documented incident response plans, as conditions of coverage. Helping clients achieve and document those controls is a compliance service with direct financial value to them.
Client awareness. Organizations in regulated industries are increasingly aware that their compliance obligations extend to their service providers. They are asking questions they never asked before, and MSPs that cannot answer them are losing the business to those who can.
The MSP’s own compliance obligations
Before selling compliance services to clients, an MSP needs to address its own compliance posture. The obligations are significant and often underestimated.
HIPAA. Any MSP managing IT for healthcare clients that handle protected health information (PHI) is a business associate under HIPAA, and a signed Business Associate Agreement is legally required. The Security Rule's administrative, physical, and technical safeguards, covering access control, audit controls, integrity and transmission security, contingency planning, and incident response, apply directly to your environment. Note that the current rule treats encryption as an addressable specification and does not name MFA; the proposed Security Rule update would make both explicit requirements, which is why they belong in your baseline now.
NIS2. MSPs are explicitly included in NIS2’s scope as providers of managed services. If you have EU clients in covered sectors, or you operate within the EU, NIS2 obligations apply to your organization directly.
CMMC. MSPs providing IT services to DoD contractors in environments that contain controlled unclassified information (CUI) may face CMMC requirements for their own systems, not just their clients’.
PCI DSS. MSPs whose services touch the security of cardholder data environments are classified as service providers under PCI DSS and carry their own specific compliance obligations under that standard.
Contractual requirements. Enterprise and government clients routinely impose compliance requirements through contracts. These are binding regardless of any direct regulatory requirement.
The MSP’s own compliance programme is not a separate project from the compliance services you sell. It’s the credibility foundation. An MSP that does not meet the standards it sells to clients is commercially vulnerable the moment a client asks for evidence of the MSP’s own compliance. Starting with your own house is both the ethical and the commercially smart move.
IT compliance frameworks MSPs need to know
Understanding which frameworks apply where is the foundation of any compliance engagement. Here is a practical reference for the frameworks that matter most in the MSP context.
HIPAA
The Health Insurance Portability and Accountability Act governs the handling of PHI by any organization, including MSPs classified as business associates, in the US healthcare sector. Technical safeguards under the HIPAA Security Rule cover access controls, audit logging, encryption, and integrity controls. HIPAA compliance is not optional for MSPs serving healthcare clients; the Business Associate Agreement makes it a contractual obligation.
PCI DSS
The Payment Card Industry Data Security Standard protects cardholder data wherever it is stored, processed, or transmitted. All merchants who accept payment cards are required to comply, and service providers, including MSPs, with access to those environments carry their own compliance obligations. PCI DSS v4.0 became the mandatory standard in March 2024. Fines for violations can reach $500,000 per incident.
CMMC
The Cybersecurity Maturity Model Certification framework protects the defense industrial base. With the CMMC 2.0 program rule in effect since December 2024, CMMC requirements are being phased into DoD contracts. MSPs serving defense contractors need to understand CMMC Level 1 (the 17 basic cyber hygiene practices from FAR 52.204-21) and Level 2 (the 110 controls of NIST SP 800-171) requirements, both for clients and potentially for their own environments handling CUI. Level 3, for the highest-priority programs, adds NIST SP 800-172 requirements and is assessed by the government rather than a C3PAO.
GDPR
The General Data Protection Regulation applies to any organization processing personal data of individuals in the EU, regardless of where the organization is based, where that processing relates to offering them goods or services or monitoring their behaviour. For MSPs, this typically means data processing agreements with EU clients (you are usually a processor, the client the controller) and compliance with requirements around data security, 72-hour breach notification to the controller's supervisory authority, and data subject rights. GDPR fines reach up to €20 million or 4% of annual global revenue, whichever is higher.
NIS2
NIS2, which EU member states were required to apply from 18 October 2024, is particularly significant for MSPs because it explicitly includes managed service providers and managed security service providers in scope. The minimum measures in Article 21(2) cover risk analysis, incident handling, business continuity and backup management, supply chain security, vulnerability handling, cyber hygiene and training, cryptography, access control, and MFA.
NIST CSF
The NIST Cybersecurity Framework is a voluntary US framework. Its current version, CSF 2.0 (February 2024), is built around six functions: Govern, Identify, Protect, Detect, Respond, and Recover; older contracts and questionnaires still reference the original five, without Govern. It is widely referenced in contracts, cyber insurance applications, and client security assessments. NIST SP 800-171 is a separate publication, not a version of the CSF: it is the mandatory control set for non-federal systems that handle CUI for the federal government, and it forms the basis for CMMC Level 2.
SOC 2
SOC 2 reports are produced by independent CPAs and assess a service provider’s controls around security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II, which covers a period of time rather than a point in time, is increasingly required by enterprise clients before engaging a service provider. For MSPs, achieving your own SOC 2 Type II report is a significant commercial differentiator.
SOX
The Sarbanes-Oxley Act governs financial reporting for US public companies and some private ones. MSPs serving publicly traded clients may encounter SOX requirements around financial data integrity, audit trails, and access controls for financial systems.
FISMA
The Federal Information Security Modernization Act (FISMA, originally the Federal Information Security Management Act of 2002) applies to US federal agencies and their contractors. MSPs serving federal government clients must understand FISMA requirements, which are implemented through NIST standards such as SP 800-53. FedRAMP authorization is required for cloud services used by federal agencies.
Scoping compliance for your clients
Effective compliance service delivery starts with accurately scoping which frameworks apply to each client. A compliance intake questionnaire, asked during onboarding, prevents discovering scope gaps during an incident or audit.
Key scoping questions to cover:
Industry: Healthcare maps to HIPAA. Financial services in New York maps to NY DFS. Payment card processing maps to PCI DSS. Defense contractors map to CMMC. EU-operating organizations map to NIS2. Each industry has a primary framework, and most organizations need to meet more than one.
Data subjects: Handling data about EU residents triggers GDPR. Data about California residents above CPRA thresholds triggers CPRA obligations.
Client size and contracts: Enterprise clients almost always require SOC 2 or ISO 27001 evidence from their service providers. Federal contracts bring FISMA, FIPS, and potentially FedRAMP into scope. DoD contracts bring CMMC.
Cyber insurance: Review your clients’ insurance policies carefully. Insurers now specify technical controls as conditions of coverage. Missing an insurer’s MFA or EDR requirement is a compliance gap with direct financial consequences for the client regardless of any regulatory requirement.
For a typical MSP managing 40 to 60 clients across healthcare, financial services, and general SMB, you might have ten to 15 clients with active HIPAA obligations, five or six with PCI DSS exposure, and a growing tail of enterprise clients asking about SOC 2. Scoping each properly from the start is what makes a compliance practice scalable rather than reactive.
Compliance as a managed service: the 3 service levels
Most MSPs structure compliance services in tiers that reflect increasing depth of engagement and corresponding price points.
Level 1: compliance foundation
Implement the security controls that address the majority of requirements across most frameworks simultaneously. The core control set is consistent: MFA across all accounts, automated patch management, EDR, backup and disaster recovery with tested restoration, audit logging retained for required periods, and security awareness training with phishing simulation.
This foundational layer addresses PCI DSS Requirements 5, 6, 8, 10, and 12.6 (malware protection, patching, authentication, logging, and awareness training), HIPAA Security Rule safeguards, NIS2 Article 21(2) minimum measures, CIS Controls IG1, and the NIST CSF Protect and Detect functions in one pass. For many SMB clients, Level 1 delivers the majority of their compliance posture. It also creates the evidence that shows those controls are operating.
Level 2: compliance assessment and gap management
Framework-specific gap assessment against the client’s applicable requirements. A System Security Plan or equivalent documentation. A Plan of Action and Milestones (POA&M) tracking remediation. Quarterly compliance review meetings. Organized evidence collection for audit readiness. This level serves clients who need a documented compliance programme, not just security controls.
Consider the example of a 200-person accounting firm that has just lost a large enterprise client because they could not provide evidence of SOC 2 controls. A Level 2 engagement gives them a gap assessment against the Trust Services Criteria, a remediation tracker, and a documented compliance programme they can show the next enterprise prospect while working toward a formal audit.
Level 3: audit preparation and certification support
Deep engagement supporting third-party assessment. This includes preparing for a Qualified Security Assessor (QSA) audit for PCI DSS, a C3PAO assessment for CMMC Level 2, a CPA audit for SOC 2, or an ISO 27001 certification audit. Evidence packaging, pre-assessment readiness reviews, and audit liaison are all in scope. This level requires genuine expertise and commands premium pricing. Not every MSP starts here, but it is a logical destination for those that build a serious compliance practice.
Building the evidence engine
The most operationally demanding part of compliance management is ongoing evidence collection. Evidence is the documentation that proves controls are operating, not just designed. Without it, compliance exists on paper only and falls apart under any auditor scrutiny.
Evidence types that matter across the most common frameworks:
Patch management evidence: Patch compliance reports showing what was patched, when, and what remains outstanding with exception documentation. VSA generates these automatically. This evidence satisfies PCI DSS Requirement 6, the HIPAA Security Rule's risk management obligations, and CMMC practice SI.L1-3.14.1 (flaw remediation, SI.1.210 in the original CMMC 1.0 numbering).
MFA coverage evidence: Authentication reports showing MFA-protected access across all user accounts and administrative interfaces, including service and break-glass accounts, which are the ones auditors find unprotected. This is now a baseline requirement for cyber insurance, appears explicitly in NIS2 Article 21(2)(j) and CMMC's identification and authentication practices, and is an explicit requirement in the proposed HIPAA Security Rule update.
Backup verification: Backup completion logs, screenshot verification results, and recovery test records. Datto BCDR generates these automatically. Tested restoration is a specific requirement under NIS2 Article 21 and a standard cyber insurance condition.
Vulnerability scan results: Reports showing identified vulnerabilities, remediation status, and exception documentation with business justification. Required under PCI DSS, CMMC, and NIST SP 800-171.
Audit logs: Retained access logs for required periods. HIPAA requires Security Rule documentation to be kept for six years (45 CFR 164.316), which is the period most organizations apply to their audit logs. PCI DSS Requirement 10.5.1 requires 12 months of audit log history with the most recent three months immediately available for analysis. Log retention periods vary; knowing the requirement for each framework your client is subject to is part of the service.
Security awareness training records: Training completion percentages and phishing simulation results from BullPhish ID. Required under HIPAA, CMMC, and NIS2. Insurers ask for these routinely.
Incident response: Incident logs, response timelines, and post-incident reviews. Required across virtually every framework.
The efficiency differentiator in compliance delivery is automating evidence collection rather than building reports manually. MSPs that pull evidence directly from operational tools, RMM, backup platforms, security tools, into a compliance management workflow have a structural cost advantage over those assembling evidence reports by hand. That advantage compounds across every client and every renewal cycle.
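The following is an added example, not code from the article or from any Kaseya product: it shows the shape of the automated evidence check described above. It takes constructed operational records (an MFA status export, log retention dates, the last restore test, a patch report) and turns them into the gap list a Level 2 POA&M would track. The PCI DSS log retention figures come from the article; the 90-day restore-test window and the 30-day patch SLA are assumptions for the sample, not framework text, and would be set per client.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Fixed "today" so the sample evaluates the same way every run.
TODAY = date(2025, 6, 1)

# Retention figures from the article (PCI DSS: 12 months retained, 90 days online).
# The restore-test and patch windows are assumptions for this example, not framework text.
PCI_LOG_RETENTION_DAYS = 365
PCI_LOG_ONLINE_DAYS = 90
RESTORE_TEST_MAX_AGE_DAYS = 90   # assumption: quarterly tested restoration
PATCH_SLA_DAYS = 30              # assumption: patch within 30 days of release


@dataclass(frozen=True)
class Finding:
    control: str   # evidence area that failed
    refs: str      # framework references the article ties this evidence to
    detail: str    # what an auditor would see


def check_mfa(accounts: list[dict]) -> list[Finding]:
    """Every account, and especially every admin, must show MFA enforced."""
    missing = [a["user"] for a in accounts if not a["mfa"]]
    if not missing:
        return []
    admins = [a["user"] for a in accounts if a["admin"] and not a["mfa"]]
    return [Finding("MFA coverage", "NIS2 Art. 21(2)(j); CMMC IA practices; cyber insurance",
                    f"{len(missing)}/{len(accounts)} accounts without MFA; admins: {admins}")]


def check_log_retention(oldest_archived: date, oldest_online: date) -> list[Finding]:
    """PCI DSS Req 10.5.1: 12 months of history, latest three months immediately available."""
    findings = []
    archived_days = (TODAY - oldest_archived).days
    online_days = (TODAY - oldest_online).days
    if archived_days < PCI_LOG_RETENTION_DAYS:
        findings.append(Finding("Audit log retention", "PCI DSS Req 10.5.1",
                                f"only {archived_days} days archived"))
    if online_days < PCI_LOG_ONLINE_DAYS:
        findings.append(Finding("Audit log availability", "PCI DSS Req 10.5.1",
                                f"only {online_days} days immediately available"))
    return findings


def check_backup(last_restore_test: date | None) -> list[Finding]:
    """Backup completion alone is not evidence; a tested restoration is."""
    refs = "NIS2 Art. 21(2)(c); cyber insurance"
    if last_restore_test is None:
        return [Finding("Tested restoration", refs, "no restore test on record")]
    age = (TODAY - last_restore_test).days
    if age > RESTORE_TEST_MAX_AGE_DAYS:
        return [Finding("Tested restoration", refs, f"last restore test {age} days ago")]
    return []


def check_patches(patches: list[dict]) -> list[Finding]:
    """Outstanding patches past the SLA need a documented exception with justification."""
    findings = []
    for p in patches:
        if p["installed"] is not None:
            continue
        overdue = (TODAY - p["released"]).days - PATCH_SLA_DAYS
        if overdue > 0 and not p.get("exception"):
            findings.append(Finding("Patch management",
                                    "PCI DSS Req 6; CMMC SI.L1-3.14.1; HIPAA risk management",
                                    f"{p['host']} {p['id']} {overdue} days past SLA, no exception"))
    return findings


def build_poam(accounts, oldest_archived, oldest_online, last_restore, patches) -> list[Finding]:
    """Combine the checks into the gap list a Level 2 POA&M would track."""
    return (check_mfa(accounts) + check_log_retention(oldest_archived, oldest_online)
            + check_backup(last_restore) + check_patches(patches))


# Constructed sample evidence for a fictional client; not real data.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "admin": True, "mfa": True},
    {"user": "bob", "admin": False, "mfa": True},
    {"user": "svc-backup", "admin": True, "mfa": False},   # service account, no MFA
]
SAMPLE_PATCHES = [
    {"host": "fs01", "id": "KB-1", "released": TODAY - timedelta(days=45), "installed": None},
    {"host": "db01", "id": "KB-2", "released": TODAY - timedelta(days=60), "installed": None,
     "exception": "vendor app incompatible; compensating control: host isolated"},
    {"host": "ws07", "id": "KB-3", "released": TODAY - timedelta(days=10),
     "installed": TODAY - timedelta(days=2)},
]


def sample_poam() -> list[Finding]:
    return build_poam(SAMPLE_ACCOUNTS,
                      oldest_archived=TODAY - timedelta(days=400),   # retention OK
                      oldest_online=TODAY - timedelta(days=30),      # only 30 days online
                      last_restore=TODAY - timedelta(days=120),      # restore test overdue
                      patches=SAMPLE_PATCHES)


if __name__ == "__main__":
    for f in sample_poam():
        print(f"[{f.control}] {f.refs}: {f.detail}")
```

Run against the sample, it reports four gaps: the unprotected service account, logs online for only 30 of the required 90 days, a restore test older than the agreed window, and one patch past SLA with no exception (the db01 patch is past SLA too, but its documented exception keeps it off the gap list, which is exactly the distinction an assessor draws). The point is the structure: each check reads the record an operational tool already produces and emits a finding tagged with the framework clause it maps to, so the evidence and the gap tracker come from the same data.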
Pricing and packaging compliance services
Compliance services command meaningful premiums over standard managed services because they deliver measurable risk reduction and enable business activities, contract eligibility, insurance coverage, that clients need and cannot get elsewhere. Some practical anchors on pricing:
Compliance foundation layer: Bundle across all managed clients as a security baseline add-on. Priced as a per-device or per-user increment to the base contract. Positions compliance controls as standard rather than optional, which is the right commercial frame.
Framework-specific assessment: Fixed-fee project engagement scoped to the specific framework and environment. Typical range is $5,000 to $25,000 or more for a full assessment with documentation, depending on environment complexity and framework requirements.
Ongoing compliance management: Monthly retainer for continuous programme management, evidence collection, gap tracking, policy maintenance, and quarterly reviews. Price based on the number of frameworks managed and client environment size.
Audit preparation support: Project-scoped engagement before a third-party audit. The value is high, the pricing reflects it, and the deliverable is tangible: a client that passes their audit.
MSPs that present compliance as a risk-reduction service tied to specific outcomes (this is what keeps you insurable, this is what keeps you eligible for that government contract) price and retain these engagements far more successfully than those who present it as a checklist exercise.
The tooling stack for MSP compliance delivery
A complete compliance delivery stack brings together four capabilities.
Compliance management platform. Compliance Manager GRC from Kaseya provides multi-framework assessment, control mapping, evidence management, POA&M tracking, and report generation. It supports HIPAA, GDPR, CMMC, NIST, PCI DSS, SOC 2, ISO 27001, CIS Controls, NY DFS, NIS2, and other frameworks from a single interface, purpose-built for the multi-client MSP model.
Security controls implementation. The Kaseya 365 platform provides the operational tools that generate compliance evidence as a byproduct of delivering managed services: VSA for patch management and vulnerability scanning, Datto EDR for endpoint detection, Datto BCDR for backup and recovery, BullPhish ID for security awareness training, and Inky for email security. Each of these generates the evidence records that compliance frameworks require.
IT documentation. IT Glue provides policy storage, control documentation, asset records, and client-specific configuration documentation that compliance frameworks require as part of a documented programme.
Integration advantage. Evidence collected by operational tools can flow directly into Compliance Manager GRC, converting operational data into compliance evidence without manual assembly. For an MSP managing 30 or 40 clients under active compliance programmes, that integration is what makes the economics work.
Key Takeaways
- IT compliance for MSPs operates on two levels: your own compliance obligations as a service provider and the compliance programmes you deliver for clients. Both require attention.
- The regulatory environment is expanding, not stabilizing. CMMC, NIS2, PCI DSS v4.0, and HIPAA Security Rule updates are all active and affecting MSP clients right now.
- A tiered service model, from foundational controls through assessment and gap management to audit preparation, serves different client needs at different price points and allows compliance services to scale.
- Automated evidence collection, pulling compliance evidence from operational tools into a compliance management platform, is the efficiency differentiator that makes scalable compliance delivery possible.
- Compliance services command premium pricing because they reduce measurable risk and enable business activities clients need. Frame them accordingly.