NIS 2 Supplier Questionnaire
The questions a NIS 2 regulated entity needs to ask its suppliers. Anchored once to EU law. Free to use.
Almost every procurement team in the European mid-market is currently writing its own NIS 2 supplier questionnaire. The same fifty-ish EU-anchored questions, in slightly different forms, sent to suppliers who end up filling out five versions of the same thing. This questionnaire is the shared baseline.
Every field is anchored to an EU-level primary source: NIS 2 Art. 21(2), CIR 2024/2690, ENISA Technical Implementation Guidance, GDPR Art. 28, or the Cyber Resilience Act. Sector overlays like TISAX, VDA ISA, BSI C5 or KRITIS audit catalogues sit on top of this baseline, not in place of it.
- Version
- 3.1.0
- Last updated
- 2026-05-15
- Fields
- 59
- License
- MIT (schema) + CC BY 4.0 (content)
Supplier profile
18 fieldsLegal name
Your company's registered name, as it appears in the commercial register. Example: Müller GmbH or Acme Software Ltd.
Legal basis: ENISA TIG §5.2
Registered address
Your company's registered business address. One address is enough, even if you have several locations.
Legal basis: ENISA TIG §5.2
Country
The country where your company is legally established. Two letters, e.g. DE for Germany.
Legal basis: ENISA TIG §5.2
Primary domain
Your main domain, usually the URL of your website. Example: acmesoftware.com.
Legal basis: ENISA TIG §5.2(b)
Tagline (one line, customer-facing)
One line summarising what you offer. Customers see this on your supplier profile. Example: ERP for SME manufacturing.
Legal basis: ENISA TIG §5.2(b)
Public description (longer)
Two to three sentences about your company and what you do. This appears on your supplier profile. Sales pitch, security posture, or both.
Legal basis: ENISA TIG §5.2(b)
Description of services provided
One paragraph on what your company technically delivers to customers. Concrete products, modules, or services. Avoid pure marketing language.
Legal basis: ENISA TIG §5.2(b) + §5.1.4 TIPS
Countries / regions where customer data is processed
Every country where your customers' data is stored or processed. Comma-separated, ISO country codes. Example: DE, NL, US. If you process entirely within the EU, listing the EU countries is enough.
Legal basis: ENISA TIG §5.1.4 TIPS
Security contact name
Who customers contact when a security incident hits. In smaller companies often the managing director or IT lead. One person is enough.
Legal basis: CIR 2024/2690 §5.1.4(d)
Incident contact email
Email address customers use to report a security incident. Ideally a distribution list like security@example.com that reaches multiple people.
Legal basis: CIR 2024/2690 §5.1.4(d)
Incident contact phone (24/7)
Phone number for urgent incident reports. If you do not run 24/7 on-call, mention your business hours in brackets.
Legal basis: CIR 2024/2690 §5.1.4(d)
Incident notification SLA (hours)
Hours from incident detection to customer notification, at the latest. Realistic self-assessment, not aspirational. Common values: 24, 48, or 72 hours.
Legal basis: NIS2 Art. 23
BSI registration ID (only if your company is itself NIS2-regulated)
If your company is itself NIS 2 regulated and registered with the BSI, enter the registration ID here. Optional. Lets customers see at a glance that you meet the same obligation as a regulated entity.
Legal basis: ENISA TIG §5.1.2
We provide SaaS / hosted services
You run software for customers on your own infrastructure and deliver it over the internet. Tick more than one box if you offer several models.
Legal basis: ENISA TIG §5.2(b)
We deliver on-prem software
You deliver software that customers install and run on their own infrastructure.
Legal basis: ENISA TIG §5.2(b)
We provide professional services / consulting
Your main deliverable is human work: consulting, implementation, training, audit, or customisation.
Legal basis: ENISA TIG §5.2(b)
We provide managed services / MSP
You operate parts of your customer's IT for them, with your own staff. Typical for MSP and MSSP models.
Legal basis: ENISA TIG §5.2(b)
We use, integrate or provide AI systems
Do your products or services process customer data through an AI or ML model? Includes external models you call through an API, for example OpenAI or Anthropic.
Legal basis: NIS2 Art. 21(2)(d)
Security practices
26 fieldsDocumented Information Security Management System (ISMS)
Tick yes if you have a written information security policy with assigned roles, regular reviews, and documented incident handling. ISO 27001 or BSI Grundschutz certification implies yes.
Legal basis: CIR 2024/2690 §5.1.2(a)
Hold ISO 27001, BSI Grundschutz, or equivalent certification
Tick yes if your company currently holds an ISO 27001, BSI Grundschutz, SOC 2 Type II, or equivalent certification. Upload the certificate in the Certifications tab.
Legal basis: CIR 2024/2690 §5.1.2(b)
Annual security awareness training for all staff
Tick yes if every staff member receives at least one annual information-security awareness training. E-learning counts; phishing simulations add to it.
Legal basis: CIR 2024/2690 §5.1.4(b)
Background checks on staff with customer data access
Tick yes if you run a background check for staff with access to customer data. Common bar: a criminal record extract or equivalent document on hire.
Legal basis: CIR 2024/2690 §5.1.4(c)
Documented vulnerability handling and patching process
Tick yes if you have a written process for handling security vulnerabilities: detect, assess, prioritise, patch or mitigate. CVE monitoring and SLA-driven patching are the standard.
Legal basis: CIR 2024/2690 §5.1.4(f)
Accept customer right to audit (or provide audit reports)
Tick yes if you either grant customers an on-site audit right or provide substitute audit reports (for example SOC 2, ISAE 3402).
Legal basis: CIR 2024/2690 §5.1.4(e)
Use subprocessors / sub-suppliers
Tick yes if you use other companies to deliver your service that have access to customer data or infrastructure. Typical examples: AWS, Azure, Cloudflare, Stripe.
Legal basis: CIR 2024/2690 §5.1.4(g)
List of subprocessors
List every subprocessor with name, processing location, and what they do for you. A table or bullet list is enough. Update whenever you add or remove one.
Legal basis: CIR 2024/2690 §5.1.4(g)
Commit to return / destroy customer data on termination
Tick yes if you contractually commit to returning or destroying customer data at the end of the contract. Common practice: export and return, then delete within 30 days.
Legal basis: CIR 2024/2690 §5.1.4(h)
Standard data processing agreement (DPA) available
Tick yes if you have a standard data processing agreement under GDPR Article 28 that customers can sign. Required as soon as you process personal data.
Legal basis: GDPR Art. 28
Security policies reviewed at least annually
Tick yes if your security policies are reviewed at least once a year and updated as needed. A written note in the document is enough evidence.
Legal basis: NIS2 Art. 21(2)(a) / ENISA TIG §1.1
Documented incident response plan
Tick yes if you have a written plan for handling security incidents: who decides, who communicates, who documents. At least one tabletop exercise per year is good practice.
Legal basis: NIS2 Art. 21(2)(b) / ENISA TIG §3
Documented business continuity / disaster recovery plan
Tick yes if you have a plan that explains how you keep running or recover quickly during an outage: critical systems, fallbacks, RTO and RPO targets.
Legal basis: NIS2 Art. 21(2)(c) / ENISA TIG §4
Documented cryptography policy
Tick yes if you have written down which cryptography you use where: data in transit (TLS 1.2+), data at rest (AES-256), key management, hashing algorithms.
Legal basis: NIS2 Art. 21(2)(h) / ENISA TIG §9
Privileged access management (PAM) for internal staff
Tick yes if administrators and privileged accounts get extra controls: separate sign-in, MFA, session logging, or just-in-time access.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3
MFA enforced for all internal admin / privileged accounts
Tick yes if every internal admin or privileged account must use MFA. Hardware tokens or authenticator apps count; SMS does not.
Legal basis: NIS2 Art. 21(2)(j)
Maintain an inventory of information assets
Tick yes if you keep a current list of every information system you use to deliver your service: servers, databases, SaaS tools, endpoints. A spreadsheet is enough.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §12.4
Annual or biennial penetration testing program
Tick yes if you commission an external penetration test at least every one to two years. For smaller companies, an external vulnerability scan as a minimum step is acceptable.
Legal basis: NIS2 Art. 21(2)(e) / ENISA TIG §6.5
We disclose past notifiable cybersecurity events when asked by customers
Tick yes if, on customer request, you openly disclose whether and which reportable security incidents your company had in the past. Common window: the last three to five years.
Legal basis: ENISA TIG §5.1.2
Provide incident assistance to customers at no / ex-ante cost
Tick yes if you commit to helping customers at no extra cost when an incident is caused by your product or service. If you agree a pre-defined day rate up front instead, also tick yes.
Legal basis: ENISA TIG §5.1.4 TIPS
Fully cooperate with competent authorities (BSI, ENISA, national CSIRTs)
Tick yes if you commit to fully cooperating with competent authorities like BSI, ENISA, or national CSIRTs during inspections, audits, and incident handling. Standard for serious suppliers.
Legal basis: ENISA TIG §5.1.4 TIPS
Notify customers of any material change affecting service delivery
Tick yes if you commit to notifying customers of any material change affecting your ability to deliver: acquisitions, subprocessor changes, major technical shifts.
Legal basis: ENISA TIG §5.1.4 TIPS
Notify customers in advance if data-processing locations change
Tick yes if you notify customers in advance before the processing location of their data changes. Important for data protection and for GDPR-compliant supply chain oversight.
Legal basis: ENISA TIG §5.1.4 TIPS
Documented exit strategy with mandatory transition period
Tick yes if you have a written exit strategy: how long an orderly handover takes, what data and knowledge gets transferred, what you commit to during the transition.
Legal basis: ENISA TIG §5.1.4 TIPS
Provide an SBOM-for-AI per G7 minimum elements
Optional. Tick yes if you can provide an SBOM-for-AI per the G7 minimum elements (May 2026). Documents metadata, models, training data, infrastructure, security properties, KPIs, and system behaviour. Voluntary standard.
Legal basis: NIS2 Art. 21(2)(d) / ENISA TIG §5.1.2
SBOM-for-AI document URL
Public or shared URL to your SBOM-for-AI document. Can be a PDF, a JSON file, or a project page.
Legal basis: NIS2 Art. 21(2)(d) / ENISA TIG §5.1.2
SaaS-specific
5 fieldsHosting region
The cloud region where customer data is hosted. Example: AWS eu-central-1, Azure West Europe. Name the primary region; secondary or backup regions can be added comma-separated.
Legal basis: ENISA TIG §5.2
Encryption at rest
Tick yes if customer data on disk is encrypted at rest with AES-256 or equivalent. Cloud-managed disk encryption (AWS EBS, Azure Disk Encryption) counts.
Legal basis: NIS2 Art. 21(2)(h) / ENISA TIG §9
Encryption in transit (TLS ≥ 1.2)
Tick yes if all customer-facing endpoints enforce TLS 1.2 or higher. TLS 1.3 is preferred. Plain HTTP must redirect to HTTPS.
Legal basis: NIS2 Art. 21(2)(h) / ENISA TIG §9
MFA enforced for all admin accounts
Tick yes if every internal admin account on the SaaS platform must use MFA. Same standard as your internal admin policy.
Legal basis: NIS2 Art. 21(2)(j) / ENISA TIG §11.3
Recovery time objective (RTO) in hours
Maximum number of hours your service can be unavailable before recovery. Realistic SLA value, not aspirational. Common SaaS values: 4, 8, or 24 hours.
Legal basis: NIS2 Art. 21(2)(c) / ENISA TIG §4
On-premise-specific
4 fieldsProvide a Software Bill of Materials (SBOM)
Tick yes if you ship a Software Bill of Materials with every release. CycloneDX or SPDX are the standard formats. Mandatory under the Cyber Resilience Act for products placed on the EU market from December 2027.
Legal basis: CRA / NIS2 Art. 21(2)(d)
Releases are cryptographically signed
Tick yes if every release artefact carries a cryptographic signature customers can verify. Signing keys are documented and rotated. Sigstore or PGP signatures both count.
Legal basis: NIS2 Art. 21(2)(e) / ENISA TIG §6.5
Published vulnerability disclosure policy
Tick yes if you have a publicly documented way to report security vulnerabilities. A security.txt file under your domain (per RFC 9116) or a dedicated email like security@example.com is enough.
Legal basis: NIS2 Art. 21(2)(e) / ENISA TIG §3
Patch SLA for critical CVEs (hours)
Hours from public CVE disclosure to a patched release for critical vulnerabilities (CVSS 9.0+). Realistic commitment, not aspirational. Common values: 24, 48, or 72 hours.
Legal basis: CIR 2024/2690 §5.1.4(f)
Professional services
3 fieldsBackground check scope
Describe how you vet consultants for sensitive roles. Example: criminal record extract for all consultants, plus reference checks for engagements involving classified data.
Legal basis: NIS2 Art. 21(2)(i) / CIR 2024/2690 §5.1.4(c)
NDA in place with all consultants
Tick yes if every consultant signs a confidentiality agreement before being assigned to customer work. Either as part of the employment contract or as a separate NDA.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.4
Documented customer-premises behaviour policy
Tick yes if you have a written code of conduct for consultants working on customer premises: badge handling, locked-screen rule, what to do if data leaves the site.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3
Managed services
3 fieldsPrivileged access management (PAM) in place
Tick yes if you use a privileged access management tool for administrative remote sessions on customer systems. Examples: CyberArk, BeyondTrust, Teleport. A logged jump-host setup counts.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3
Admin sessions are recorded
Tick yes if admin sessions on customer systems are recorded and retained for review. Common retention: 90 days to 1 year. Needed for forensic reconstruction after incidents.
Legal basis: NIS2 Art. 21(2)(f) / ENISA TIG §10
24/7 on-call coverage
Tick yes if you operate a 24/7 on-call rotation that responds to security incidents on customer systems. Business-hours-only support does not qualify.
Legal basis: NIS2 Art. 21(2)(b) / ENISA TIG §3
This questionnaire covers the EU legal substance for NIS 2 supplier due diligence. It is meant as a shared baseline, not a full sector-specific template.
TISAX, VDA ISA, BSI C5, KRITIS audit catalogues, and your own risk overlays sit on top as extensions. Fork the repository, add your sector questions, or use the shared fields as the foundation for your own template.