Built for managed service providers · NIS2 · GDPR · ISO 27001 · CyFun · BCP

Run trust as a service —
for every client you serve.

Trust OS gives MSPs one calm, multi-tenant operating system to run compliance for their full SMB portfolio. Clients get a public trust profile and audit-ready evidence. You get recurring revenue, lower advisory hours, and a clearer answer when prospects ask 'what about NIS2?'.

Multi-tenant dashboard · White-label trust profiles · Evidence library · Audit-ready exports

Why MSPs sit in the spotlight: Kaseya · ~1,500 SMBs hit · 2021

On 2 July 2021, the REvil ransomware group exploited a zero-day in Kaseya VSA — a remote-monitoring-and-management tool used by hundreds of MSPs — and pushed encryptor binaries down through the supply chain. The attack hit roughly 50–60 MSPs directly, who in turn served around 1,500 downstream SMB customers. In Sweden, the Coop supermarket chain shut 800 stores because their point-of-sale systems were managed by an affected MSP. Schools, dentists, accountants and small manufacturers across more than a dozen countries lost access to their own data overnight. None of them had a contractual relationship with Kaseya. Most of them had never heard of it.

The lesson is now baked into European regulation. NIS2 explicitly names "managed service providers" and "managed security service providers" as in-scope entities (Annex I.8) — not because their clients can dodge their own NIS2 obligations through outsourcing, but because the MSP itself is a single point of cascading compromise. From 2024 onwards, an MSP's own cybersecurity posture is a regulatory matter, and SMB clients increasingly ask their MSPs to prove it before signing or renewing.

That changes the conversation. The MSP that arrives with a public trust profile, a current Article 30 register and a single export covering NIS2, GDPR and ISO 27001 wins the meeting. The MSP that arrives with a stack of Word policies and a promise to 'put together something' loses the renewal.

The job that used to take three days per client

Most MSPs we talk to run compliance the same way: one shared drive folder per client, a workbook per framework, and a senior engineer who happens to know where the last DPIA lives. It works at five clients. It cracks at fifty. By a hundred, the MSP is hiring a dedicated GRC team that the SMB margins don't really support.

The recurring problems

  • Each new SMB starts compliance from zero — frameworks copy-pasted, evidence relabelled, no shared baseline.
  • Audit prep eats partner-level hours at low margin: scan each folder, refresh each spreadsheet, hope nothing was renamed.
  • When a client gets asked 'how do you handle NIS2?' the MSP has nothing public-facing to point at — only a shared drive nobody can read.
  • An expiring ISO certificate or a missed quarterly access review surfaces the day before a renewal, not three months earlier.
  • MSPs themselves are now subject to NIS2 — the same obligations they're delivering to clients now apply to their own operations.

Trust OS was built specifically for this shape of work — for the partner who serves twenty to a thousand SMB tenants, where every framework has to be tracked once and reported on per-client, and where 'doing trust right' has to scale with the business model that pays for it.

We don't pitch what we don't run.

Multi-tenant Trust OS

One dashboard. Every client. Every framework.

The MSP view of Trust OS — switch tenants from a dropdown, see live trust scores, open incidents, framework progress and certificate expiries across the entire portfolio.

[Figure: NormNest Trust OS multi-tenant dashboard — trust score, incidents, frameworks and certificates. Caption: Trust OS — partner workspace, single-client view]

What Trust OS gives your MSP

A single multi-tenant control plane

One workspace, every SMB tenant. Switch context with a dropdown. Roll up framework scores across the portfolio for board reporting; drill into a single client when an audit starts.

Frameworks mapped once, reused everywhere

NIS2, GDPR, ISO 27001, Cyber Fundamentals and BCP/DRP come pre-mapped. New SMB clients inherit your baseline; you customise where they differ. One control update propagates to every client it touches — not 47 spreadsheets.

Evidence captured where the work happens

Pen-test reports, access reviews, policy versions, training participation logs and DPIAs land in the right per-client library, with retention rules and freshness indicators. Audit-export is a button, not a project.

A public trust profile for every client

Each tenant gets a sharable trust profile — like /trust on this site, but theirs — that they can put in front of prospects, regulators and procurement teams. The data is the same data your team already maintains. The page is generated automatically.

Reminders, drills and the expiry calendar

Quarterly access reviews, BCP drills, certificate renewals and policy refresh cycles run on a calendar Trust OS owns. Nothing surfaces at the last minute because everything has an owner and a date.

Your own NIS2 obligation, handled

MSPs are now in NIS2 scope themselves. Trust OS gives you a workspace for your own organisation — same product your clients use — so you don't have to run two parallel systems for what is fundamentally the same job.

What's in it for you

A new recurring revenue line

Trust OS is sold as a per-tenant subscription you bundle into your MSP package. Margins are healthy because the platform absorbs the work that used to require a senior engineer's time. Most partners price it as a separate line item or fold it into a 'compliance & continuity' tier.

Lower advisory hours, higher advisory margin

The work that used to be 'spend three days assembling evidence for an audit' becomes 'click export and review for an hour'. Your senior team's time goes to interpretation and decisions — the work clients pay good rates for — not to spreadsheet hygiene.

Stickier clients

Once an SMB's compliance baseline lives in Trust OS — with a year of evidence, a public trust profile, and the team's habits built around it — switching MSPs becomes a project, not a phone call. Compliance ops are some of the stickiest workloads in the SMB IT stack.

Sales leverage

Prospects increasingly arrive with security questionnaires before they sign. The MSPs who can answer 'here is the public trust profile, here is the framework breakdown, here is last quarter's pen-test summary' close more, faster, and at higher per-seat pricing.

Co-marketing and partner support

We work directly with our MSP partners on positioning, onboarding playbooks, and the awkward early conversations with SMB clients who'd rather not think about NIS2. Trust OS is what we sell; making partners successful is how we grow.

Curious if Trust OS fits your portfolio?