Managed SD-WAN is a delivery model, not a product. The technology underneath is the same software-defined fabric most network teams already understand. What changes is who designs it, who runs it day to day, and who carries the on-call rota at 02:00. This post addresses both sides of that contract. If you sit inside a mid-market IT team weighing the build-or-buy question, you will find an evaluation framework. If you run a service partner business and are choosing the platform you will scale on for the next five years, you will find a different one.
What is managed SD-WAN?
Managed SD-WAN is a fully outsourced wide area network service where a service partner takes operational ownership of the network on behalf of the client. The partner provides the platform, the design, the deployment, and the ongoing operations under a service level agreement.
- A third-party service partner designs, deploys, and operates the SD-WAN on the client’s behalf.
- The partner provides the management platform, edge devices, and a 24/7 network operations centre.
- The client retains policy ownership but offloads provisioning, monitoring, patching, and incident response.
- Commercials are typically a fixed monthly fee per site or per user, with multi-year terms.
- Most managed SD-WAN propositions in 2026 include or evolve into a managed SASE service.
- The model suits mid-market organisations that lack in-house network specialists and want predictable operational cost.
What managed SD-WAN actually delivers
A managed SD-WAN service is a contract for outcomes, not a box of equipment. The partner takes ownership of the network as a system, covering the full operational lifecycle.
Design and architecture sits at the front. The partner translates business requirements into network topology, traffic steering policies, and underlay strategy. Underlays in 2026 are rarely homogeneous. A typical mid-market client runs a mix of business broadband, DIA circuits, and 4G or 5G failover.
Provisioning follows. Zero-touch provisioning is now standard. An edge appliance is shipped to the site, plugged in by a non-technical person, and pulls its configuration from the cloud. The partner validates connectivity before the site goes live.
Day-two operations is where the bulk of the work lives. This covers 24/7 monitoring of link quality, latency, jitter, and packet loss, proactive incident response under defined SLAs, change management for policy updates, capacity planning, and security patching of the edge devices. Vendor relationship management also sits with the partner. The client has one number to call.
Typically out of scope: the LAN inside each site, end-user devices, and SaaS application performance beyond what the partner can influence through policy. Good partners are explicit about these boundaries in the SLA.
The SLA model has shifted. A decade ago, uptime percentages were the headline metric. In 2026, leading partners commit to application-level performance targets. A 99.99% platform availability is table stakes. What differentiates partners is whether they will commit to specific MOS scores for voice, jitter ceilings for video, or measurable response times for ERP traffic. Mean time to repair sits in the two-to-four-hour range for severity-one incidents at most credible partners.
Why managed SD-WAN is winning over DIY in 2026
The market data is consistent across analyst houses. Fully managed deployments now account for roughly 41% of the global SD-WAN market, with managed services as a category overtaking pure software licensing in revenue terms. IDC and Gartner both project the broader SD-WAN market growing at a compound annual rate above 25% through 2030.
Four forces are doing most of the work behind that shift.
The skills shortage is the most acute. There are not enough engineers who can credibly operate a modern SD-WAN fabric, integrate it with cloud-delivered security, and stay current on a quarterly platform release cadence. For a mid-market organisation with three or four IT generalists, hiring two specialists at competitive rates is often financially impossible and operationally fragile.
Multi-cloud has reshaped the requirements. The typical 200-user organisation now consumes services from at least three public clouds, a dozen SaaS vendors, and one or two private data centres. Building secure, performant connectivity across that footprint is no longer a configuration exercise. It is an architectural one. Service partners do this work for dozens of clients in parallel and amortise the learning.
Security convergence is the third force. SD-WAN and security are no longer separable. Every credible SD-WAN deployment in 2026 either includes or roadmaps SSE components, ZTNA replacement of remote VPN, and inline traffic inspection. The integration burden of doing this DIY across three or four vendors is what pushes most organisations to a managed model.
NIS2 is the fourth, and it has changed the conversation in the boardroom. Article 21 makes supply chain risk management a board-level obligation. Outsourcing network operations to a service partner with documented compliance posture is, perversely, often easier than building the equivalent posture in-house.
DIY still has a place. Organisations with strong in-house network teams, specific data residency requirements, or unusual application profiles are sometimes better served by buying the platform and running it themselves. The point is not that DIY is wrong. It is that the default has flipped.
How service partners structure their managed SD-WAN proposition
The service partner landscape in 2026 is more diverse than it was five years ago. Four archetypes dominate.
Telco MSPs like BT, Orange Business, Proximus, and KPN operate the underlay themselves. They sell connectivity and management as a single bundle. Their advantage is end-to-end accountability across the wire and the platform. Their disadvantage is rigidity. Multi-vendor flexibility is rarely their strength, and their platforms are often locked to a single SD-WAN vendor.
Large IT-MSPs like Computacenter, SCC, and Bechtle position SD-WAN as one component of a broader managed IT estate. They are strong on integration with the rest of the client’s IT stack: identity, endpoint, collaboration. They tend to be platform-agnostic and pick whichever SD-WAN vendor fits the client.
Specialist network MSPs are the regional partners that focus only on connectivity and security. In the Benelux and DACH region these are often the most agile players, and they tend to build deep technical certifications on a single platform. Their flexibility is their commercial weapon.
Value-added resellers turned MaaS providers are the traditional Fortinet, Cisco, or Juniper resellers that have transformed into service-led businesses. They typically lead with the platform they have always sold, repackaged as a managed service. Their margin pressure is high, and the strongest of them have moved up the stack into platforms like Jimber that explicitly support a service partner delivery model.
Commercial models vary. Per-site monthly pricing remains the default for mid-market clients with stable site counts. Per-user pricing is gaining traction in deployments where remote and hybrid users dominate. Hybrid models that combine a platform fee with consumption-based add-ons for security inspection volume are becoming common. Outcome-based contracts, where pricing is tied to application performance metrics, exist but remain rare outside large enterprise deals.
For mid-market buyers: how to evaluate a managed SD-WAN provider
If you are an IT manager running a 50-to-400-user organisation, the decision is rarely about the underlying SD-WAN technology. The technology layer has commoditised. The decision is about the partner.
| Evaluation criterion | What to look for |
|---|---|
| SLA structure | Application-level commitments, not just platform uptime. Specific MTTR figures by severity. Clear penalty clauses. |
| Sector expertise | Demonstrable references in your sector. A partner with three healthcare clients understands HL7, GxP, or NIS2 healthcare specifics in a way generalists do not. |
| Geographic coverage | If you have sites in multiple countries, the partner needs proven delivery in each. Sub-contracted local hands rarely meet the same SLA. |
| Security posture | ISO 27001 and SOC 2 are minimum signals. Ask for the most recent penetration test report and audit summary. |
| Reporting transparency | Monthly reports should include incident detail, change log, capacity trends, and security events. Vague green-amber-red dashboards are insufficient. |
| Vendor lock-in | Does the partner own the platform, white-label it, or use a vendor-neutral approach? Migration cost out is the question. |
| Integration depth | Does the partner integrate with your identity provider, SIEM, and ticketing system, or do they operate a parallel stack? |
| NIS2 supply chain readiness | Can the partner demonstrate their own NIS2 compliance posture? You inherit their gaps. |
| Scalability | Specifically: how fast can they bring up a new site in a country they do not currently serve? |
| Communication model | Direct access to engineers, not a tiered call centre. The first-line filter is where most managed services break. |
A practical test: ask the prospective partner for a sample monthly report from an anonymised client of similar size. The depth and clarity of that report tells you more than any sales presentation.
For service partners: how to evaluate an SD-WAN platform
If you run a service partner business and are choosing the platform you will scale on, the criteria are different. You are not buying a solution for one client. You are buying the foundation of your operating model.
Multi-tenant architecture is the first filter. A platform that requires a separate management instance per client will collapse under operational weight at twenty clients. A platform built for multi-tenancy from day one lets you operate fifty clients from one console with strict data isolation between them. Jimber’s platform, for example, is built around a single multi-tenant management console where service partners apply baseline policies and templates across their entire client portfolio with strict logical isolation between tenants.
Templates and baseline policies determine your unit economics. If onboarding a new client requires three days of configuration work, your margin compresses with every new client. If you have golden templates for a “standard 5-site retail client” or a “single-site professional services client” that deploy in an hour, you scale. The platform either supports this or it does not.
White-label capability matters commercially. Some platforms force the vendor’s brand on the end client. Others let you operate fully under your own brand. The choice affects how defensible your client relationship is.
Training and certification load is a hidden cost. A platform that requires six weeks of certification per engineer creates hiring friction. A platform that an experienced network engineer can be productive on within a week lets you grow the delivery team faster.
The partner program economics need to make commercial sense. Margin structure, deal registration, lead-sharing, and co-marketing investment all sit in this category. Vendors that explicitly position partner-first, rather than treating partners as a side channel to direct enterprise sales, are structurally aligned with your business. Jimber operates a partner-first model rather than competing with partners through enterprise direct sales, which is a deliberate contrast with vendors like Palo Alto, Fortinet, and Cisco where direct enterprise teams often compete with the partner channel for the same accounts.
Technical support quality is the operational variable that most directly affects your reputation with end clients. When a vendor escalation takes three days, the client blames you, not the vendor. Reference calls with existing service partners are the only reliable way to assess this.
The roadmap towards security convergence is no longer optional. A managed SD-WAN platform that does not have a credible path to managed SASE is a five-year dead end. Look for ZTNA, SWG, and FWaaS already on the platform, with NIAC hardware integration available for clients with OT environments. Jimber’s NIAC hardware lets service partners onboard agentless devices, including industrial equipment, without deploying a separate platform.
European data sovereignty is increasingly a deal qualifier rather than a nice-to-have. For service partners selling into the EU, a platform with management-plane data residency in Europe is far easier to position than one that routes through US infrastructure. This matters more in the public sector, financial services, and healthcare verticals.
Finally, the platform’s own NIS2 compliance posture transfers to you. As a service partner you sit inside your client’s supply chain. If your platform vendor cannot evidence their compliance, your liability surface widens. Jimber’s NIS2-aligned posture reduces the supply chain risk that service partners would otherwise have to mitigate independently.
The multi-tenant architecture deep-dive
Multi-tenancy is one of the most abused terms in vendor marketing. In a service partner context it has a specific meaning. It is not enough that two clients can be configured on the same platform. The architecture has to enforce isolation, support delegation, and scale operationally.
Logical data isolation is the floor. Every client’s configuration, telemetry, logs, and audit trail must be cryptographically separated. A bug in tenant A’s policy engine cannot leak data to tenant B. A misconfigured query in the partner’s reporting tool cannot return cross-tenant results. This is an architectural property, not a configuration option.
Role-based access control has to operate at three layers. The service partner’s superusers see across all tenants for portfolio reporting and billing. The service partner’s delivery engineers see only the tenants they are assigned to. The end client’s IT staff, in a co-managed model, see only their own tenant. The platform has to express this hierarchy natively without workarounds.
Per-tenant customisation within a shared template model is the operational sweet spot. The service partner defines a baseline, applies it to a client, and then overrides specific policies for that client’s edge cases. When the baseline updates, the customisations persist. Without this, the partner either ends up maintaining bespoke configurations per client or forcing every client into an identical mould.
Consolidated visibility for the partner, scoped visibility for the client matters daily. The partner needs a single dashboard showing health across all clients, with drill-down to any specific tenant. The client needs a portal showing only their environment. Both views have to be derived from the same underlying data, not from parallel reporting pipelines.
Audit trails per tenant are the compliance backbone. Every configuration change, access event, and policy override has to be logged in a way that satisfies the client’s auditor without exposing other tenants’ data. Under NIS2 and GDPR, this is non-negotiable.
AIOps correlation across the portfolio is where modern platforms differentiate. When five clients in the same metro all degrade simultaneously, the platform should correlate the events to a likely upstream cause, alert the partner, and proactively reroute traffic where possible. This is what turns a managed service from reactive to proactive.
The platforms that get multi-tenancy right share one architectural property: they were built for service partners from inception, not retrofitted from an enterprise product.
From managed SD-WAN to managed SASE: the convergence path
By 2026, pure-play managed SD-WAN is rare. Most service partners now position SD-WAN as the network layer of a broader managed SASE service. The transition follows a recognisable pattern.
Phase one is SD-WAN with co-resident security. The partner deploys SD-WAN at the edge and bolts on a separate security stack for inspection, ZTNA, and CASB. Two consoles, two policy languages, two incident pipelines.
Phase two is single-platform delivery. The partner consolidates onto a platform that delivers SD-WAN, SWG, FWaaS, and ZTNA from one management plane. Policies are expressed once, applied everywhere. Incident pipelines merge.
Phase three is identity-and-application-led delivery. Connectivity decisions are made on the basis of who the user is and what application they are reaching, not on which site or VPN tunnel they are coming from.
The architectural decisions that change during this transition are concrete. Edge device specifications shift from network-only to network-plus-inspection. Backhaul patterns reverse from hub-and-spoke through a central firewall to direct-to-cloud through cloud-delivered inspection. VPN concentrators are decommissioned. Identity providers move from peripheral to central.
For service partners on a multi-vendor stack, this transition is painful. Migrating clients between platforms breaks margins. For partners on a platform that already has the convergence path built in, the transition is incremental. Each new client is born SASE-ready, and existing clients migrate module by module without a forklift upgrade. This is the strategic value of choosing the right platform at the start.
NIS2 compliance for service partners: supply chain implications
NIS2 has changed the legal posture of every service partner operating in the EU. Two effects matter most.
First, many service partners are themselves in scope. Managed service providers with sufficient size or sectoral exposure now qualify as essential or important entities under NIS2. They are subject to direct supervision by national competent authorities, mandatory incident reporting within 24 hours, and personal liability for board members. This is no longer a client-only concern.
Second, every service partner sits inside their clients’ supply chains. Article 21 obliges in-scope entities to manage the cybersecurity risk of their suppliers. In practice this means client procurement teams are now demanding evidence of the partner’s own security posture, contractual rights to audit, and breach notification commitments tighter than the regulatory floor.
The contractual implications are concrete. Managed SD-WAN contracts now routinely include audit rights, incident notification windows of 24 to 72 hours, sub-processor disclosure obligations, and explicit liability clauses for supply chain breaches. Partners who have not updated their standard contracts in the last 18 months are operating with significant exposure.
The platform underneath matters here too. A platform vendor that cannot evidence its own NIS2 alignment puts the service partner in the position of inheriting compliance gaps. A platform that builds NIS2-aligned audit trails, breach detection, and incident reporting into the service partner’s operational workflow reduces the partner’s compliance overhead. This is one of the more practical reasons to evaluate the platform vendor’s compliance documentation directly during a platform decision, alongside the technical evaluation.
Frequently asked questions
What is managed SD-WAN?
Managed SD-WAN is a service in which a third-party partner designs, deploys, monitors, and operates an SD-WAN network on behalf of a client organisation. The partner provides the management platform, edge devices, and 24/7 operations under a service level agreement. The client retains business policy authority while offloading the operational burden of running the network.
What should I look for in a good managed SD-WAN provider?
The most important criteria are application-level SLA commitments rather than vague uptime percentages, demonstrable references in your sector, transparent monthly reporting, integration with your existing identity and security stack, geographic coverage that matches your footprint, and documented NIS2 compliance posture. Direct access to engineers without tiered call-centre filtering is also a strong signal of operational maturity.
Why do service partners need SD-WAN as part of their offering?
Connectivity is the entry point to most managed IT services. A service partner without an SD-WAN proposition cannot credibly compete for mid-market deals where network and security are converging. SD-WAN is also the foundation for managed SASE, which is where the margin in mid-market managed services is heading. Partners that lead with managed SD-WAN can expand the same client into managed security, identity, and OT integration.
Managed SD-WAN versus DIY: which is right for my organisation?
DIY suits organisations with strong in-house network teams, specific architectural requirements that off-the-shelf platforms do not meet, or scale large enough to amortise specialist hiring. Managed suits the rest. The threshold for most mid-market organisations sits below 500 users. Above that, the calculation depends on the in-house skills mix and the appetite for operational burden. Most 50-to-400-user organisations are better served by a managed model in 2026.
How does multi-tenancy work in a managed SD-WAN platform?
A multi-tenant platform lets one service partner operate multiple client environments from a single management console with strict data isolation between clients. Configuration, logs, and telemetry for each client are cryptographically separated. The partner can apply shared baseline policies and templates across the portfolio while supporting per-client customisation. Role-based access controls enforce who within the partner team and who within the client team can see which tenant.
What happens to managed SD-WAN as SASE adoption grows?
Managed SD-WAN is converging into managed SASE. Service partners are extending their SD-WAN propositions to include SWG, ZTNA, FWaaS, and CASB delivered from the same platform. Clients on a managed SD-WAN today should expect their service partner to offer a security expansion path within 12 to 18 months. Partners on platforms that do not roadmap this convergence are at strategic risk.
For mid-market IT teams, the question is no longer whether managed SD-WAN is viable but which partner can credibly deliver application-level SLAs, NIS2-ready operations, and a clear path to managed SASE. For service partners, the platform decision underneath the proposition is the single largest determinant of unit economics over the next five years. Jimber’s multi-tenant management console, baseline policy templates, integrated NIAC hardware for OT-heavy clients, and partner-first commercial model are designed for both sides of that contract. Book a platform demo if you are evaluating a managed SD-WAN service for your organisation, or a partner program briefing if you are building one.
