MSP Regulatory Compliance Requirements: What You Must Prove

Something changed in regulatory enforcement over the last two years, and it's easy to miss if you're heads-down managing client environments. It used to be enough to check the box. You had a firewall. You deployed antivirus. You had MFA enabled. You signed the questionnaire. That was the game. It isn't anymore.

Across healthcare, financial services, defense contracting, and increasingly state-level enforcement, regulators have converged on a similar, harder standard: show that the controls are operating, continuously, and prove it with documented evidence.

If your clients can't produce it, they're exposed. If you're their MSP, that exposure is yours too.

What do regulators require from MSPs in 2026?

Across HIPAA, PCI-DSS v4.0, CMMC 2.0, and the FTC Safeguards Rule, the expectation now is that MSPs and their clients produce documented, timestamped evidence that security controls are actively operating, not just that they were deployed. That evidence includes asset inventories, MFA coverage reports, vulnerability scan results, penetration test reports, and retained SIEM logs.

Control area                 | Old compliance standard               | New evidence standard
Policies                     | Policies documented                   | Policies documented AND controls verified as operating
MFA                          | MFA deployed                          | MFA coverage report showing which systems are protected
Endpoint protection          | Antivirus installed                   | Endpoint detection logs with dated activity records
Risk assessment              | Annual risk assessment conducted      | Risk assessment with documented findings and remediation actions
Penetration testing          | Penetration test completed            | Pentest report plus after-action documentation of fixes
Vulnerability management     | Vulnerability scans run               | Quarterly scan results with evidence that findings were remediated
Incident response            | Incident response plan in place       | IR plan tested, with documented tabletop or simulation results
Business associate obligations | Business associate agreement signed | Annual technical controls verification with evidence, not attestation

How Healthcare, Finance, and Defense Are Converging on One Standard

The enforcement pattern looks different depending on which framework your clients fall under. But the underlying demand is the same across every sector: documented, verifiable evidence that cybersecurity compliance for MSPs and their clients is continuous, not just confirmed at audit time. Here's how each major framework is raising the bar.

HIPAA Compliance Requirements for MSPs and Business Associates

The Office for Civil Rights (OCR) launched its Risk Analysis Initiative in 2024, and the pattern in every settlement is the same: it's not that organizations lacked controls, it's that they couldn't demonstrate their controls were functioning.

OCR Director Paula Stannard stated it directly: "Covered entities and business associates cannot protect electronic protected health information if they haven't identified potential risks and vulnerabilities to that health information."

The proposed HIPAA Security Rule updates would go further. If finalized, with a final rule expected in 2026, they would eliminate the "addressable" category entirely, making MFA, encryption, asset inventories and network maps, vulnerability scans every six months, annual penetration tests, and annual compliance audits all mandatory and documented. For MSP business associate agreement compliance, the stakes are significant: business associates, a category that includes MSPs handling electronic PHI for covered entities as well as many of their clients, would be required to verify technical controls annually "with evidence, not just attestations."

HIPAA Security Rule 2026 updates affect every MSP managing healthcare client environments. If your business associate agreements are still written around a policy-delivery model, they need to be revisited now.

FTC Safeguards Rule: What Financial-Sector MSPs Must Document

The FTC's enforcement actions against Marriott and GoDaddy tell the same story in a different industry. Both companies were charged not just for having security gaps, but for misrepresenting their security posture. They claimed "reasonable and appropriate" or "award-winning" security they couldn't substantiate. FTC enforcement for cybersecurity misrepresentation now carries consequences that run for 20 years: both orders require biennial independent third-party assessments, quarterly vulnerability scans, and annual executive certification.

The FTC Safeguards Rule applies broadly to non-bank financial institutions, including mortgage lenders, auto dealers that arrange financing, tax preparers, and finance companies. It requires either continuous monitoring or annual penetration testing combined with vulnerability assessments every six months. Civil penalties for non-compliance can reach into the five figures per violation.

For financial-sector MSPs, the documentation requirement is specific: controls must be verifiable, not just asserted, and vendor-oversight provisions create downstream accountability for any service provider handling customer data.

PCI-DSS v4.0 Compliance: Evidence Is Now Mandatory

PCI-DSS v4.0 made the same shift; its future-dated requirements became mandatory on March 31, 2025. The standard's own language: it is "no longer enough to simply confirm you have policies in place at assessment time." Quarterly external ASV scans (required for years) are now joined by authenticated internal vulnerability scans and payment-page script inventory and integrity monitoring, and all three are mandatory evidence requirements, not recommended practices.

For MSPs managing clients in retail, hospitality, or any payment-processing environment, this changes the scoping conversation. PCI-DSS v4.0 compliance means producing scan results and script-monitoring records on a recurring basis, not pointing to a policy document at annual assessment time.

CMMC 2.0 Requirements: What Defense Contractors and MSPs Must Prove

CMMC 2.0 is also raising expectations. Level 1 allows self-assessment, but it still demands structure, documentation, and discipline. CMMC Level 2 covers the 110 practices of NIST SP 800-171 across 14 domains. Most contractors handling controlled unclassified information need a Level 2 certification assessment by a Certified Third-Party Assessor Organization (C3PAO) and must affirm continued compliance annually.

For MSPs serving the defense industrial base, CMMC scoping rules define External Service Providers and can require MSPs to hold their own CMMC status depending on what data they touch. That's a compliance obligation that extends to the MSP's own environment, not just the client's.

Why MSPs Carry Direct Regulatory and Liability Exposure

MSPs are not outside this picture. They're pulled into it through multiple channels.

HIPAA business associate agreements extend compliance obligations to any service provider handling protected health information. CMMC's External Service Provider scoping can put the MSP's own environment in scope, as noted above. And the FTC's vendor-oversight provisions make the financial institution accountable for its service providers, which pushes that accountability down to the MSP handling customer data.

MSP liability in cybersecurity is also direct, through errors and omissions claims. The MSP, not the client signing the insurance application, is the party that typically knows which controls are actually running in the environment, so MSPs are being named in errors and omissions claims when attestations turn out to be inaccurate. The client attests that MFA is enabled. The attacker hits the one server it wasn't enabled on. The claim gets denied. The MSP gets the call.

MSP cyber insurance attestation risk is real and growing. Carriers are tightening underwriting, auditing attestations more aggressively, and denying claims where the documented control state doesn't match the actual environment. MSPs who help clients attest to controls they can't verify are carrying that exposure themselves.

The Evidence Standard: What Auditors and Regulators Are Asking For

The documentation expectation has shifted from "show me the policy" to "show me the policy is operating."

That means different things across frameworks, but the evidence auditors ask for is increasingly consistent. The benchmark to hold yourself to: if a client cannot produce evidence that a control was operating on a given date, treat that control as non-existent for regulatory and insurance purposes.

Children's Hospital Colorado had MFA. Their help desk disabled it for one physician and never reactivated it. They couldn't demonstrate an adequate risk analysis had caught or tracked the gap. The settlement was $548,265. Having the control isn't enough. Knowing it's running and being able to prove it is the standard now.

MSP Compliance Evidence Checklist: 8 Artifacts Regulators Expect

  • A current, written risk assessment documenting identified vulnerabilities and what was done about them, not just that the assessment was conducted
  • An asset inventory and network map, updated at minimum annually
  • MFA coverage reports showing which specific systems MFA is enabled on, not just that MFA is deployed somewhere
  • Logging and SIEM data with retained logs that confirm a control was operating on a specific date
  • Quarterly vulnerability scans with documentation that findings were remediated
  • Annual penetration tests with after-action reports
  • Incident response plans that have been tested, with documented results
  • Signed risk-acceptance waivers when clients decline recommended controls, documenting that the decision was made and by whom
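Two of the artifacts above (MFA coverage by system, and retained logs that prove a control was operating on a specific date) come from the same underlying evidence: a timestamped log of control state changes replayed against the asset inventory. The following is an added example written for this article, not Todyl's code or any real client data; the inventory, the MFA change log, and the seven-day exception policy are all constructed assumptions. It reconstructs which accounts had MFA enabled on a chosen date, reports every gap with the reason, and flags "temporary" disables that were never reversed, which is exactly the Children's Hospital Colorado pattern described above.

```python
from datetime import datetime, timezone

# Constructed sample data (added example, not from the original article or any real client):
# an account inventory and an MFA configuration-change log of the kind an identity
# provider or SIEM would export. Timestamps are UTC ISO-8601.
INVENTORY = ["dr.alvarez", "dr.chen", "nurse.okafor", "svc-backup"]

# (timestamp, account, action, actor); action is the resulting MFA state.
MFA_EVENTS = [
    ("2025-01-10T09:00:00Z", "dr.alvarez",   "enabled",  "idp-enrollment"),
    ("2025-01-10T09:05:00Z", "dr.chen",      "enabled",  "idp-enrollment"),
    ("2025-01-10T09:07:00Z", "nurse.okafor", "enabled",  "idp-enrollment"),
    # help desk disables MFA for a physician as a "temporary" exception and never re-enables it
    ("2025-03-02T14:30:00Z", "dr.chen",      "disabled", "helpdesk:tmiller"),
    # a short exception that was closed the same day
    ("2025-06-15T08:00:00Z", "nurse.okafor", "disabled", "helpdesk:tmiller"),
    ("2025-06-15T11:00:00Z", "nurse.okafor", "enabled",  "helpdesk:tmiller"),
]


def parse_ts(ts: str) -> datetime:
    """Parse the fixed 'YYYY-MM-DDTHH:MM:SSZ' form used in the log into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mfa_state_on(events, as_of: datetime) -> dict:
    """Replay MFA state-change events up to and including `as_of`.

    Returns {account: (enabled: bool, (timestamp, actor) of the last event)}.
    An account with no event at all is absent from the result: there is no evidence
    MFA was ever enabled for it, so the caller must treat it as uncovered.
    """
    state = {}
    # Fixed-width UTC timestamps sort chronologically as strings.
    for ts, account, action, actor in sorted(events, key=lambda e: e[0]):
        if parse_ts(ts) > as_of:
            break  # events are replayed in order, so nothing later is relevant
        state[account] = (action == "enabled", (ts, actor))
    return state


def coverage_report(inventory, events, as_of: datetime, max_exception_days: int = 7) -> dict:
    """Point-in-time MFA coverage for every inventoried account, with a reason for each gap.

    `max_exception_days` is an assumed policy value: a disable that has stood longer than
    this is flagged as a stale exception that should have been re-enabled or formally waived.
    """
    state = mfa_state_on(events, as_of)
    report = {"as_of": as_of.isoformat(), "covered": [], "uncovered": [], "stale_exceptions": []}
    for account in sorted(inventory):
        enabled, last = state.get(account, (False, None))
        if enabled:
            report["covered"].append(account)
            continue
        if last is None:
            reason = "no MFA event on record"
        else:
            reason = f"disabled by {last[1]} at {last[0]}"
            if (as_of - parse_ts(last[0])).days > max_exception_days:
                report["stale_exceptions"].append(account)
        report["uncovered"].append((account, reason))
    report["coverage_pct"] = round(100 * len(report["covered"]) / len(inventory), 1)
    return report


if __name__ == "__main__":
    as_of = parse_ts("2025-07-01T00:00:00Z")
    rpt = coverage_report(INVENTORY, MFA_EVENTS, as_of)
    print(f"MFA coverage as of {rpt['as_of']}: {rpt['coverage_pct']}%")
    for account, reason in rpt["uncovered"]:
        flag = " [STALE EXCEPTION]" if account in rpt["stale_exceptions"] else ""
        print(f"  UNCOVERED {account}: {reason}{flag}")
```

Run against the constructed data for 1 July 2025, the report shows 50% coverage: dr.chen is uncovered because of a help-desk disable from March that was never reversed (flagged stale), and svc-backup is uncovered because no MFA event exists for it at all. That second case matters: an account that is in the inventory but absent from the control log has no evidence behind it, and under the benchmark above it counts as unprotected until someone can show otherwise. The same replay run for any other date is what a "control was operating on a given date" question is actually asking for.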

What This Changes About MSP Service Delivery

The MSPs positioned to win in this environment treat evidence generation as a core part of their service delivery, not an afterthought before a client's compliance review.

That means shifting QBR conversations from "here's what we deployed" to "here's what we can prove." It means standing up continuous controls monitoring so evidence is timestamped and mapped to frameworks before a regulator or auditor asks for it. It means running pre-renewal insurance gap assessments that map actual controls to carrier questionnaires before the client attests. And it means getting signed risk-acceptance waivers in place when clients decline controls, so the documentation of that decision exists.

Managed service provider compliance documentation is no longer a deliverable for the client's file cabinet. It's an ongoing operational output, and the MSPs who build that capability into their service stack are the ones who can answer the questions every client's insurer, board, and regulator is now asking. That's a competitive position, not just a compliance obligation.

Todyl's platform is built to support that shift. Continuous controls monitoring, prebuilt compliance packages for HIPAA, PCI-DSS, and CMMC, automated evidence collection, and GRC that centralizes the documentation auditors are asking for.

See how Todyl helps MSPs build and prove security programs.
