When MSPs Should NOT Offer Compliance Services
Every GRC vendor wants you to offer compliance services. It's good for their business if you do.
But here's what they won't tell you: not every MSP should.
Compliance services require expertise you may not have, create liability you may not want, and demand operational capacity you may not be able to build. For some MSPs, offering compliance is the right move. For others, it's a mistake that will cost more than it earns.
This is the assessment nobody else will give you.
The Disqualifying Factors
Some situations should stop you from offering compliance services. Not "proceed with caution." Stop.
Factor 1: You Don't Have Compliance Expertise
Compliance isn't a checkbox exercise. It requires understanding how frameworks actually work, what auditors look for, and how to interpret requirements in the context of specific client environments.
You don't have compliance expertise if:
- Nobody on your team has worked in compliance professionally
- Your knowledge comes from vendor webinars and blog posts
- You've never read the actual framework documents (NIST 800-171, HIPAA Security Rule, SOC 2 Trust Services Criteria)
- You can't explain the difference between HIPAA's administrative, technical, and physical safeguards without looking it up
- You think "SOC 2 compliant" means something (it doesn't; there's no SOC 2 certification)
Why it matters: Clients trust you with their compliance. If your advice is wrong, they fail audits, face fines, or lose contracts. And you face liability for the bad advice.
Reading a few articles doesn't make you qualified. Neither does using a GRC platform that walks you through questions. The platform doesn't know what the auditor will actually ask or how to handle the edge cases that always come up.
The test: Could you sit across from an auditor and confidently discuss your client's compliance posture? Not read from a script. Actually discuss it. If no, you're not ready.
Factor 2: Your Clients Don't Need It
Compliance services exist to address compliance requirements. If your clients aren't in regulated industries and don't have contractual compliance obligations, there's no market.
Signs your clients don't need compliance services:
- You serve small businesses with no regulatory oversight
- Your clients aren't in healthcare, finance, defense, or other regulated sectors
- Nobody's asking about compliance
- Your clients don't have enterprise customers demanding security attestations
- "Compliance" isn't showing up in your sales conversations or QBRs
Why it matters: You can't sell what nobody needs. Building compliance capabilities for a market that doesn't exist is wasted investment.
This doesn't mean your clients wouldn't benefit from better security. But "you should care about security" is different from "you need HIPAA compliance to operate legally" or "you need SOC 2 to close this deal."
The exception: If you want to move upmarket to clients who do need compliance, building capabilities makes sense. But be honest about whether that's your actual strategy or just a rationalization.
Factor 3: You Can't Invest Before You Earn
Compliance services don't generate revenue on day one. You need:
- Training and certifications ($5,000-15,000 per person)
- GRC tooling ($3,000-12,000 annually)
- Documentation and process development (dozens of hours)
- Pilot engagements where you'll underestimate effort
This adds up to $20,000-50,000 or more before you have a scalable offering, and a 6-12 month timeline.
You can't afford this if:
- You're running month-to-month with minimal cash reserves
- You can't absorb pilot engagements that underperform financially
- Adding headcount isn't feasible in the next year
- Training investment would strain operations
Why it matters: Starting compliance services underfunded leads to bad outcomes. You'll cut corners on training (reducing quality), underprice to win deals (destroying margin), and take on clients you shouldn't (increasing liability).
Building compliance services is a real investment. If you can't make the investment, don't start.
Factor 4: You're Not Willing to Accept the Liability
Compliance services create liability exposure that managed IT doesn't. When you advise clients on compliance:
- Your recommendations can be wrong
- You can miss gaps you should have caught
- Clients can fail audits after following your advice
- Breaches can happen despite your compliance program
When things go wrong, you're in the conversation. Your MSA can limit liability, but it can't eliminate it. Your insurance can cover defense costs and settlements, but premiums will rise.
You're not ready for this liability if:
- Your MSA is a template you downloaded and never customized
- You don't have E&O insurance that explicitly covers compliance advisory services
- The idea of a client lawsuit keeps you up at night
- You don't have budget for legal counsel to review your contracts
Why it matters: Compliance liability isn't theoretical. MSPs get sued for client security incidents. If you're not prepared to manage this risk, compliance services will create anxiety disproportionate to the revenue. Read the full MSP Compliance Liability Guide to understand what's at stake.
Some people aren't wired for advisory services. The liability profile is different from operational IT. That's okay. But know yourself before you commit.
Factor 5: You Can't Say No to Bad Clients
Compliance services require client participation. The client must implement controls, enforce policies, train staff, and make risk decisions. If they won't do their part, compliance programs fail.
Some clients will be bad compliance clients:
- They want the certificate but not the work
- They refuse to fund necessary controls
- They ignore your recommendations repeatedly
- They expect you to guarantee outcomes
You have to be able to fire these clients. Or refuse them in the first place.
You can't say no if:
- You take every client who can pay
- You're afraid of losing revenue
- Conflict makes you uncomfortable
- You've never fired a client
Why it matters: Bad compliance clients destroy margins, increase liability, and demoralize your team. If you can't walk away from them, they'll drag down your entire compliance practice.
The Warning Signs Mid-Engagement
Sometimes you start a compliance engagement and realize mid-stream that it's not working. Recognize the warning signs early.
Sign 1: The Client Treats Compliance as Your Problem
"We hired you to handle compliance."
This phrase signals a fundamental misunderstanding. You can help them achieve compliance. You cannot achieve it for them. Compliance requires client actions: policy enforcement, management decisions, staff training, risk acceptance.
If the client expects you to do everything while they sign off occasionally, the engagement will fail.
What to do: Reset expectations immediately. If they don't understand after explicit conversations, exit the engagement.
Sign 2: Recommendations Go Nowhere
You identify gaps. You recommend fixes. Nothing happens.
Maybe they don't have budget. Maybe they don't prioritize it. Maybe they think you're overreacting. Whatever the reason, if recommendations aren't being implemented, you're documenting problems without solving them.
This is worse than doing nothing. You've identified risks the client is now knowingly ignoring. When something goes wrong, your documentation shows you knew about the gap.
What to do: Document refusals formally with waivers. If the pattern continues across multiple significant recommendations, exit.
Sign 3: Scope Keeps Expanding Without Price Adjustment
"Can you also look at this?" "We need help with that too." "This should be included, right?"
Scope creep is normal. Uncompensated scope creep is a problem. If you're doing work outside the original scope without adjusting price, you're training the client that your boundaries don't mean anything.
What to do: Address scope creep immediately. "That's outside our current scope. We can add it for $X." If they push back repeatedly, you have a client management problem.
Sign 4: The Client Wants Shortcuts
"Do we really need to do all of this?" "Can't we just document that we thought about it?" "What's the minimum we need to pass?"
Clients seeking shortcuts see compliance as a checkbox, not a business function. They want to do the minimum required to avoid consequences, not actually improve their security or compliance posture.
Shortcuts create liability for you. When the minimum-viable approach fails, you're attached to a compliance program that was designed to cut corners.
What to do: Explain the risks of the shortcut approach clearly. If they insist, document it, get sign-off, and consider whether you want your name on this engagement.
Sign 5: You're Losing Money
Track your actual hours against estimates. If you're consistently over, something is wrong:
- You underpriced the engagement
- Scope has crept without adjustment
- The client requires more hand-holding than expected
- The work is more complex than scoped
What to do: Identify the cause and address it. Reprice if necessary. Add scope clarification. If the economics don't work after adjustments, don't renew. See our MSP Compliance Pricing Guide for how to price these engagements correctly.
Alternatives to Full Compliance Services
If the factors above apply but you still want to participate in the compliance space, consider limited alternatives.
Alternative 1: Compliance-Adjacent Technical Services
You don't offer compliance advice. You offer technical services that support compliance.
What this looks like:
- Implementing security controls (MFA, encryption, endpoint protection) without mapping to frameworks
- Providing technical documentation clients can use for their compliance programs
- Configuring systems according to client-provided compliance requirements
- Technical audit support (providing evidence, not interpreting requirements)
Why it works: You're doing technical work, not advisory work. The liability profile is different. You're not telling clients what they need for compliance; you're implementing what they've decided they need.
What to watch: Scope clearly. "We'll implement MFA across your environment" is different from "We'll help you achieve HIPAA compliance through technical controls." The first is technical services. The second is compliance advisory.
Alternative 2: Partner with a Compliance Specialist
You handle IT. A compliance partner handles compliance advisory.
What this looks like:
- Formal referral relationship with a compliance consultancy
- Joint engagements where you own technical, they own advisory
- Revenue share or referral fees
- Your MSA covers IT services; their agreement covers compliance
Why it works: You serve client needs without building expertise you don't have. The compliance partner takes the advisory liability. You maintain the client relationship and continue earning IT revenue.
What to watch: Choose partners carefully. Their quality reflects on you. Establish clear handoff processes so clients don't fall through gaps.
Alternative 3: Security-First, Compliance-Second
Focus on security outcomes, not compliance frameworks.
What this looks like:
- "We'll secure your environment according to industry best practices"
- Security services based on your expertise, not framework requirements
- Compliance as a byproduct, not a goal
- Clients use your security work to support their own compliance efforts
Why it works: You're in your lane. Security expertise is different from compliance expertise. Many of the same controls apply, but you're not claiming compliance advisory authority.
What to watch: Don't oversell. "Our security services will help with compliance" is different from "Our security services will make you compliant." The first is accurate. The second creates liability.
Alternative 4: Framework Education and Preparation
Help clients understand their obligations without doing the compliance work yourself.
What this looks like:
- Training sessions on specific frameworks
- Documentation templates clients customize themselves
- Readiness assessments that identify gaps without recommending fixes
- Referrals to qualified compliance consultants for advisory work
Why it works: Education is lower risk than advisory. You're building client knowledge, not making recommendations they'll rely on.
What to watch: Don't slide into advisory. "Here's what HIPAA requires" is education. "Here's what you should do to comply" is advisory.
The Decision Framework
Use this framework to decide whether compliance services make sense for your MSP.
Question 1: Do you have (or can you develop) real compliance expertise?
Yes: Proceed to Question 2.
No: Consider alternatives (compliance-adjacent technical services, partner with a specialist).
Question 2: Do your clients (or target clients) need compliance services?
Yes, current clients need it: Strong candidate for compliance services.
Yes, want to move upmarket to clients who need it: Viable, but requires an intentional market shift.
No: Don't build capabilities for a market that doesn't exist.
Question 3: Can you invest $20,000-50,000 and 6-12 months before meaningful revenue?
Yes: Proceed to Question 4.
No: Wait until you can. An underfunded launch leads to bad outcomes.
Question 4: Are you prepared to accept advisory-level liability?
Yes, with proper protections: Proceed to Question 5.
No: Consider compliance-adjacent technical services instead.
Question 5: Can you fire bad clients?
Yes: You're a candidate for compliance services.
No: Work on this skill first. Bad compliance clients will destroy the practice.
If you answered "Yes" to all five questions, compliance services may be right for your MSP. Build deliberately, price appropriately, and protect yourself legally. If you answered "No" to any question, address that gap before proceeding. Or choose one of the alternatives that matches your actual situation.
The Honest Self-Assessment
Here's the part nobody else will tell you: some MSPs shouldn't offer compliance services, and that's fine.
The industry narrative is "compliance is the future, every MSP needs to offer it." That narrative serves vendors who want to sell you platforms and training.
The reality:
- Compliance services require expertise that takes years to develop
- The liability exposure is real and significant
- The investment required is substantial
- The clients who need it may not be your clients
If compliance services aren't right for your MSP, you can still build a successful business. Focus on what you're actually good at. Partner with specialists for what you're not.
The MSPs who struggle most with compliance are the ones who felt pressured into offering it before they were ready. Don't be that MSP.
What If You've Already Started and It's Not Working?
Some of you reading this have already launched compliance services and are experiencing the problems described here. Options:
Option 1: Invest to Fix It
If the issue is a capability gap, invest in training and expertise. Hire someone with a real compliance background. Get serious about process and documentation.
This only works if the underlying market demand exists and you're committed to the investment.
Option 2: Narrow the Scope
Maybe you tried to offer HIPAA, SOC 2, CMMC, and ISO 27001. Too much. Pick one. Get good at it. Expand later.
Or narrow by service level. Maybe you're not ready for full compliance management, but you can do compliance-adjacent technical services well.
Option 3: Partner or Refer
Find a compliance specialist and establish a referral relationship. Transition active compliance clients to the partner. Keep the technical work.
This is a graceful exit that maintains client relationships.
Option 4: Exit Cleanly
If compliance services are losing money and creating liability without a viable path to profitability, stop offering them.
This is better than continuing to lose money while accumulating liability. It's also better for clients, who deserve qualified compliance support.
Transition clients professionally. Give notice. Help them find alternatives. Don't abandon them.
Bottom Line
Not every MSP should offer compliance services. The vendors won't tell you that because it's not in their interest. But it's true.
The disqualifying factors:
- No real compliance expertise
- Clients who don't need it
- Can't afford the investment
- Not willing to accept the liability
- Can't say no to bad clients
If any of these apply, compliance services aren't right for you right now. Address the gaps or choose alternatives.
If none apply, you're a candidate. Build deliberately, price appropriately, and protect yourself legally.
There's no shame in deciding compliance isn't for you. There's considerable risk in deciding it is when you're not ready.