BCDR for MSPs: the complete 2026 guide

TL;DR

Selling BCDR (Business Continuity & Disaster Recovery) as an MSP in 2026 requires three things that are *not* "vendor selection": sustainable pricing, written runbooks for each customer and a drill calendar that never slips. The rest is marketing. This guide covers the business model, contracts that hold up in court, team structure and the margin numbers you should be seeing at year-end.

What we mean by managed BCDR

Managed BCDR means the MSP owns three things:

• the correct execution of backups (and verification);
• DR execution when needed;
• periodic proof that DR works, both in drills and compliance reviews.

The common mistake is selling "managed backup" and calling it BCDR. Backup is 30% of the work. The remaining 70% is where the real margin lives.

The pricing model that works

Three models survive in the 2026 market:

1. Per VM (most common) — fixed fee per protected VM, typically €12-25/month for warm standby with a 10-minute RTO.
2. Per protected GB — good for file servers and archives, weak for heterogeneous fleets.
3. Per workload (Microsoft 365, ERP, file server) — the most transparent for the end customer.

The best model is hybrid: per-VM for servers, per-workload for Microsoft 365, per-GB for archives. Target gross margin is 45-55%. Below 40% you are working for free.

The SLA that actually protects you

A poorly written BCDR SLA is a time bomb. Four points must be in there:

• Backup platform availability (e.g. 99.9%) — not the customer's, the platform's.
• Minimum backup frequency (e.g. every 4 hours) — not the RPO, which depends on workload.
• Failover RTO target (e.g. 30 minutes from customer call) — only for documented scenarios.
• Exclusions — force majeure, nation-state attacks, intentional customer error.

Always include a mandatory quarterly drill window. Without it the customer never tests, and at the real event they will put you in the witness chair.

Minimum team structure

To manage 20-50 BCDR customers you need:

• 1 NOC or shift equivalent — checks backup jobs every morning;
• 1 dedicated sysadmin for DR — answers emergency calls, runs drills;
• 1 PM/account manager — handles monthly reports, drill windows, contracts.

Below 20 customers you can manage with one sysadmin and a shared NOC. Above 50 you need two dedicated sysadmins and a second NOC. Without structure, the third emergency collapses the service.

Multi-tenant: the difference between MSP and reseller

A BCDR vendor is only worth paying for if the multi-tenant story is serious:

• one console with per-customer, per-role, per-customer-group access;
• network segregation between tenants (Sefthy does this natively with isolated L2 tunnels);
• per-customer and aggregated reporting;
• APIs for automation (creating a new tenant should not be a ticket).

Without multi-tenant, every new customer becomes manual work and costs grow linearly.

Per-customer runbooks: the artifact that holds it together

For each BCDR customer write a 3-5 page DR runbook covering:

• list of protected systems, with priority;
• restart order (DC → file server → ERP → mail → workstations);
• credentials (in a vault, not in the runbook);
• customer contacts, third-party suppliers, ISPs;
• internal and external comms procedures;
• post-restore checks (what to verify before closing the incident).

Update the runbook every time the customer's stack changes. It is what separates a serious MSP from a reseller.

The quarterly drills that actually matter

Four drill levels, run in rotation:

• Tabletop (annual) — discussion of a scenario with the customer, nothing touched.
• Technical walkthrough (semi-annual) — the sysadmin runs the runbook against a single workload.
• Partial failover (quarterly) — boot a VM in the cloud and verify it.
• Full failover (annual) — full stack failover in a test environment.

Document every drill with measured times, issues and corrective actions. This is what ISO 27001 auditors and NIS2 inspectors will look for.

Numbers to expect at year-end

For an MSP with 30 BCDR customers and an average ticket of €600/month:

• annual revenue: ~€216k;
• vendor + cloud costs: ~€95k;
• dedicated headcount: ~€70k;
• year-1 gross margin: ~€50k (~23%);
• steady-state gross margin (year 3): ~€70k (~32%).

Margin grows after year two as onboarding costs amortise and runbooks become reusable.

Mistakes that burn the P&L

The three most common we see at MSP customers:

• selling sub-5-minute RTO without the infrastructure — at the first event you lose the customer and face civil action;
• not including drill windows in the contract — the customer refuses to test and you are still on the hook;
• not automating onboarding — each new customer costs 30+ hours without automation.

FAQ

How many BCDR customers can a 5-person MSP manage?

Realistically 40 to 70. Below 40 the revenue is too thin; above 70 you need full-time BCDR people.

White-label or visible-brand vendor?

For MSPs building their own strategic offering, white-label. For MSPs who want to ride the vendor's brand in sales (especially with regulated customers), visible.

Is it worth getting ISO 27001 certified before selling BCDR?

Yes, if you have more than 15 BCDR customers or sell to NIS2-subject customers. The cost pays back in 12-18 months.

Want to see how Sefthy fits into an MSP offering? Compare plans or read the post on how to sell DR to SMB customers.