NIS 2 Supplier Questionnaire
The questions a NIS 2 regulated entity needs to ask its suppliers. Anchored once to EU law. Free to use.
Almost every procurement team in the European mid-market is currently writing its own NIS 2 supplier questionnaire. The same fifty-ish EU-anchored questions, in slightly different forms, sent to suppliers who end up filling out five versions of the same thing. This questionnaire is the shared baseline.
Every field is anchored to an EU-level primary source: NIS 2 Art. 21(2), CIR 2024/2690, ENISA Technical Implementation Guidance, GDPR Art. 28, or the Cyber Resilience Act. Sector overlays like TISAX, VDA ISA, BSI C5 or KRITIS audit catalogues sit on top of this baseline, not in place of it.
- Version: 3.1.0
- Last updated: 2026-05-15
- Fields: 59
- License: MIT (schema) + CC BY 4.0 (content)
Supplier profile
18 fields
Legal name
Required by CIR 2024/2690 §5.2(a) — supplier register entry.
Legal basis: ENISA TIG §5.2
Registered address
Required by CIR 2024/2690 §5.2(a) — supplier register entry.
Legal basis: ENISA TIG §5.2
Country
ISO 3166-1 alpha-2 code, e.g. DE, FR, IT.
Legal basis: ENISA TIG §5.2
Primary domain
The supplier's primary public domain.
Legal basis: ENISA TIG §5.2(b)
Tagline (one line, customer-facing)
Short summary shown to customers.
Legal basis: ENISA TIG §5.2(b)
Public description (longer)
Longer description of the supplier.
Legal basis: ENISA TIG §5.2(b)
Description of services provided
Required by ENISA TIG §5.2(b) + §5.1.4 TIPS — clear and complete description of the ICT products and services you provide. One paragraph.
Legal basis: ENISA TIG §5.2(b) + §5.1.4 TIPS
Countries / regions where customer data is processed
Required by ENISA TIG §5.1.4 TIPS — list every country / region where your customers' data is produced, processed or stored. Comma-separated.
Legal basis: ENISA TIG §5.1.4 TIPS
Security contact name
Required by CIR 2024/2690 §5.1.4(d) — incident notification chain.
Legal basis: CIR 2024/2690 §5.1.4(d)
Incident contact email
Default email used by customers for incident notifications.
Legal basis: CIR 2024/2690 §5.1.4(d)
Incident contact phone (24/7)
24/7 phone for critical incident notifications.
Legal basis: CIR 2024/2690 §5.1.4(d)
Incident notification SLA (hours)
Maximum time from incident detection to customer notification.
Legal basis: NIS2 Art. 23
BSI registration ID (only if your company is itself NIS2-regulated)
Optional. ENISA TIG §5.1.2 — if your company is itself a NIS2-regulated entity with a BSI registration, your customers can use this fact to satisfy their §5.1.2 supplier-selection criteria.
Legal basis: ENISA TIG §5.1.2
We provide SaaS / hosted services
Determines which technical questions you'll see next. Pick all that apply.
Legal basis: ENISA TIG §5.2(b)
We deliver on-prem software
Software your customers install on their own hardware.
Legal basis: ENISA TIG §5.2(b)
We provide professional services / consulting
Consulting, implementation, training, audit work.
Legal basis: ENISA TIG §5.2(b)
We provide managed services / MSP
Operating the customer's IT under contract (MSP, MSSP).
Legal basis: ENISA TIG §5.2(b)
We use, integrate or provide AI systems
Determines whether AI supply-chain disclosure questions appear next. Includes any AI / ML model the customer's data passes through, including third-party LLMs accessed via API.
Legal basis: NIS2 Art. 21(2)(d)
Security practices
26 fields
Documented Information Security Management System (ISMS)
Required by CIR 2024/2690 §5.1.2(a) — cybersecurity practices of suppliers.
Legal basis: CIR 2024/2690 §5.1.2(a)
Hold ISO 27001, BSI Grundschutz, or equivalent certification
Required by CIR 2024/2690 §5.1.2(b). Upload the certificate via the Certifications tab.
Legal basis: CIR 2024/2690 §5.1.2(b)
Annual security awareness training for all staff
Required by CIR 2024/2690 §5.1.4(b) — awareness, skills and training.
Legal basis: CIR 2024/2690 §5.1.4(b)
Background checks on staff with customer data access
Required by CIR 2024/2690 §5.1.4(c) — verification of staff background.
Legal basis: CIR 2024/2690 §5.1.4(c)
Documented vulnerability handling and patching process
Required by CIR 2024/2690 §5.1.4(f) — handle vulnerabilities that present a risk.
Legal basis: CIR 2024/2690 §5.1.4(f)
Accept customer right to audit (or provide audit reports)
Required by CIR 2024/2690 §5.1.4(e) — right to audit or to receive audit reports.
Legal basis: CIR 2024/2690 §5.1.4(e)
Use subprocessors / sub-suppliers
Required by CIR 2024/2690 §5.1.4(g) — subcontracting requirements.
Legal basis: CIR 2024/2690 §5.1.4(g)
List of subprocessors
List the subprocessors and what they do for you. CIR 2024/2690 §5.1.4(g).
Legal basis: CIR 2024/2690 §5.1.4(g)
Commit to return / destroy customer data on termination
Required by CIR 2024/2690 §5.1.4(h) — retrieval and disposal of information at termination.
Legal basis: CIR 2024/2690 §5.1.4(h)
Standard data processing agreement (DPA) available
GDPR Art. 28 — written data processing agreement.
Legal basis: GDPR Art. 28
Security policies reviewed at least annually
Required by CIR 2024/2690 §5.1.1(c) — security policies must be reviewed and updated regularly.
Legal basis: NIS2 Art. 21(2)(a) / ENISA TIG §1.1
Documented incident response plan
Required by CIR 2024/2690 §5.1.3 / NIS2 Art. 21(2)(b) — documented incident handling procedures.
Legal basis: NIS2 Art. 21(2)(b) / ENISA TIG §3
Documented business continuity / disaster recovery plan
Required by CIR 2024/2690 §5.1.5 / NIS2 Art. 21(2)(c) — business continuity and crisis management.
Legal basis: NIS2 Art. 21(2)(c) / ENISA TIG §4
Documented cryptography policy
Required by CIR 2024/2690 §5.1.6 / NIS2 Art. 21(2)(h) — policies and procedures regarding the use of cryptography.
Legal basis: NIS2 Art. 21(2)(h) / ENISA TIG §9
Privileged access management (PAM) for internal staff
Required by CIR 2024/2690 §5.1.7 / NIS2 Art. 21(2)(i) — access control policies for privileged accounts.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3
MFA enforced for all internal admin / privileged accounts
Required by NIS2 Art. 21(2)(j) — multi-factor authentication for accounts with elevated privileges.
Legal basis: NIS2 Art. 21(2)(j)
Maintain an inventory of information assets
Required by CIR 2024/2690 §5.1.8 / NIS2 Art. 21(2)(i) — asset management.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §12.4
Annual or biennial penetration testing program
Required by CIR 2024/2690 §5.1.12 — testing of cybersecurity risk-management measures.
Legal basis: NIS2 Art. 21(2)(e) / ENISA TIG §6.5
We disclose past notifiable cybersecurity events when asked by customers
ENISA TIG §5.1.2 — selection criteria require entities to consider 'the supplier's history in relation to cybersecurity events and breaches'.
Legal basis: ENISA TIG §5.1.2
Provide incident assistance to customers at no / ex-ante cost
ENISA TIG §5.1.4 TIPS — supplier obligation to assist the customer at no / ex-ante cost during a cyber incident caused by the ICT product or service.
Legal basis: ENISA TIG §5.1.4 TIPS
Fully cooperate with competent authorities (BSI, ENISA, national CSIRTs)
ENISA TIG §5.1.4 TIPS — supplier obligation to fully cooperate with competent authorities during inspections, audits and incident handling.
Legal basis: ENISA TIG §5.1.4 TIPS
Notify customers of any material change affecting service delivery
ENISA TIG §5.1.4 TIPS — notification of any development that might have a material impact on the supplier's ability to effectively provide the ICT products or services.
Legal basis: ENISA TIG §5.1.4 TIPS
Notify customers in advance if data-processing locations change
ENISA TIG §5.1.4 TIPS — notify the customer in advance if data-processing locations are envisaged to change.
Legal basis: ENISA TIG §5.1.4 TIPS
Documented exit strategy with mandatory transition period
ENISA TIG §5.1.4 TIPS — exit strategy with a mandatory adequate transition period, IP provisions and supplier responsibilities during the exit period.
Legal basis: ENISA TIG §5.1.4 TIPS
Provide an SBOM-for-AI per G7 minimum elements
G7 cybersecurity authorities (BSI, ACN, CISA et al.) and the EU Commission published 'Software Bill of Materials (SBOM) for Artificial Intelligence — Minimum Elements' on 12 May 2026. Voluntary baseline reference for AI supply-chain transparency under NIS2 Art. 21(2)(d). Covers seven clusters: metadata, models, dataset properties, infrastructure, security properties, KPIs, system-level properties.
Legal basis: NIS2 Art. 21(2)(d) / ENISA TIG §5.1.2
SBOM-for-AI document URL
Public or customer-shared URL pointing to the supplier's SBOM-for-AI document.
Legal basis: NIS2 Art. 21(2)(d) / ENISA TIG §5.1.2
SaaS-specific
5 fields
Hosting region
BSI IT-Grundschutz OPS.2.2 Cloud-Nutzung — where customer data is stored.
Legal basis: ENISA TIG §5.2
Encryption at rest
BSI IT-Grundschutz OPS.2.2.A11. AES-256 or equivalent.
Legal basis: NIS2 Art. 21(2)(h) / ENISA TIG §9
Encryption in transit (TLS ≥ 1.2)
BSI IT-Grundschutz OPS.2.2.A11. TLS 1.2 minimum, TLS 1.3 preferred.
Legal basis: NIS2 Art. 21(2)(h) / ENISA TIG §9
MFA enforced for all admin accounts
BSI IT-Grundschutz ORP.4.A23 — second-factor authentication for privileged accounts.
Legal basis: NIS2 Art. 21(2)(j) / ENISA TIG §11.3
Recovery time objective (RTO) in hours
BSI IT-Grundschutz DER.4 — maximum tolerated downtime for customer service.
Legal basis: NIS2 Art. 21(2)(c) / ENISA TIG §4
On-premise-specific
4 fields
Provide a Software Bill of Materials (SBOM)
CRA / NIS2 supply-chain transparency. Format: CycloneDX or SPDX.
Legal basis: CRA / NIS2 Art. 21(2)(d)
Releases are cryptographically signed
BSI IT-Grundschutz CON.8 Software-Entwicklung — signed releases prevent supply-chain tampering.
Legal basis: NIS2 Art. 21(2)(e) / ENISA TIG §6.5
Published vulnerability disclosure policy
BSI IT-Grundschutz CON.10. Public security.txt or contact for vulnerability reports.
Legal basis: NIS2 Art. 21(2)(e) / ENISA TIG §3
Patch SLA for critical CVEs (hours)
Time from CVE disclosure to patch availability for critical vulnerabilities.
Legal basis: CIR 2024/2690 §5.1.4(f)
Professional services
3 fields
Background check scope
BSI IT-Grundschutz ORP.2.A14 — staff vetting for sensitive roles.
Legal basis: NIS2 Art. 21(2)(i) / CIR 2024/2690 §5.1.4(c)
NDA in place with all consultants
BSI IT-Grundschutz ORP.2.A2 — confidentiality agreements with all consultants.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.4
Documented customer-premises behaviour policy
BSI IT-Grundschutz ORP.3.A4 — security awareness on customer premises.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3
Managed services
3 fields
Privileged access management (PAM) in place
BSI IT-Grundschutz ORP.4.A26 — PAM for administrative remote access.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3
Admin sessions are recorded
BSI IT-Grundschutz OPS.1.2.5.A11 — recorded remote maintenance sessions.
Legal basis: NIS2 Art. 21(2)(f) / ENISA TIG §10
24/7 on-call coverage
BSI IT-Grundschutz DER.2.1 — incident detection and response coverage.
Legal basis: NIS2 Art. 21(2)(b) / ENISA TIG §3
This questionnaire covers the EU legal substance for NIS 2 supplier due diligence. It is meant as a shared baseline, not a full sector-specific template.
TISAX, VDA ISA, BSI C5, KRITIS audit catalogues, and your own risk overlays sit on top as extensions. Fork the repository, add your sector questions, or use the shared fields as the foundation for your own template.