info.supplierQuestionnaire.title
info.supplierQuestionnaire.subtitle
info.supplierQuestionnaire.intro.p1
info.supplierQuestionnaire.intro.p2
- info.supplierQuestionnaire.meta_panel.version
- 3.1.0
- info.supplierQuestionnaire.meta_panel.lastUpdated
- 2026-05-15
- info.supplierQuestionnaire.meta_panel.fields
- 59
- info.supplierQuestionnaire.meta_panel.license
- info.supplierQuestionnaire.meta_panel.licenseValue
info.supplierQuestionnaire.sections.profile
18 info.supplierquestionnaire.meta_panel.fieldsLegal name
Your company's registered name, as it appears in the commercial register. Example: Müller GmbH or Acme Software Ltd.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2
Registered address
Your company's registered business address. One address is enough, even if you have several locations.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2
Country
The country where your company is legally established. Two letters, e.g. DE for Germany.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2
Primary domain
Your main domain, usually the URL of your website. Example: acmesoftware.com.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2(b)
Tagline (one line, customer-facing)
One line summarising what you offer. Customers see this on your supplier profile. Example: ERP for SME manufacturing.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2(b)
Public description (longer)
Two to three sentences about your company and what you do. This appears on your supplier profile. Sales pitch, security posture, or both.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2(b)
Description of services provided
One paragraph on what your company technically delivers to customers. Concrete products, modules, or services. Avoid pure marketing language.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2(b) + §5.1.4 TIPS
Countries / regions where customer data is processed
Every country where your customers' data is stored or processed. Comma-separated, ISO country codes. Example: DE, NL, US. If you process entirely within the EU, listing the EU countries is enough.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.1.4 TIPS
Security contact name
Who customers contact when a security incident hits. In smaller companies often the managing director or IT lead. One person is enough.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(d)
Incident contact email
Email address customers use to report a security incident. Ideally a distribution list like security@example.com that reaches multiple people.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(d)
Incident contact phone (24/7)
Phone number for urgent incident reports. If you do not run 24/7 on-call, mention your business hours in brackets.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(d)
Incident notification SLA (hours)
Hours from incident detection to customer notification, at the latest. Realistic self-assessment, not aspirational. Common values: 24, 48, or 72 hours.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 23
BSI registration ID (only if your company is itself NIS2-regulated)
If your company is itself NIS 2 regulated and registered with the BSI, enter the registration ID here. Optional. Lets customers see at a glance that you meet the same obligation as a regulated entity.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.1.2
We provide SaaS / hosted services
You run software for customers on your own infrastructure and deliver it over the internet. Tick more than one box if you offer several models.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2(b)
We deliver on-prem software
You deliver software that customers install and run on their own infrastructure.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2(b)
We provide professional services / consulting
Your main deliverable is human work: consulting, implementation, training, audit, or customisation.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2(b)
We provide managed services / MSP
You operate parts of your customer's IT for them, with your own staff. Typical for MSP and MSSP models.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2(b)
We use, integrate or provide AI systems
Do your products or services process customer data through an AI or ML model? Includes external models you call through an API, for example OpenAI or Anthropic.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(d)
info.supplierQuestionnaire.sections.security_practices
26 info.supplierquestionnaire.meta_panel.fieldsDocumented Information Security Management System (ISMS)
Tick yes if you have a written information security policy with assigned roles, regular reviews, and documented incident handling. ISO 27001 or BSI Grundschutz certification implies yes.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.2(a)
Hold ISO 27001, BSI Grundschutz, or equivalent certification
Tick yes if your company currently holds an ISO 27001, BSI Grundschutz, SOC 2 Type II, or equivalent certification. Upload the certificate in the Certifications tab.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.2(b)
Annual security awareness training for all staff
Tick yes if every staff member receives at least one annual information-security awareness training. E-learning counts; phishing simulations add to it.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(b)
Background checks on staff with customer data access
Tick yes if you run a background check for staff with access to customer data. Common bar: a criminal record extract or equivalent document on hire.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(c)
Documented vulnerability handling and patching process
Tick yes if you have a written process for handling security vulnerabilities: detect, assess, prioritise, patch or mitigate. CVE monitoring and SLA-driven patching are the standard.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(f)
Accept customer right to audit (or provide audit reports)
Tick yes if you either grant customers an on-site audit right or provide substitute audit reports (for example SOC 2, ISAE 3402).
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(e)
Use subprocessors / sub-suppliers
Tick yes if you use other companies to deliver your service that have access to customer data or infrastructure. Typical examples: AWS, Azure, Cloudflare, Stripe.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(g)
List of subprocessors
List every subprocessor with name, processing location, and what they do for you. A table or bullet list is enough. Update whenever you add or remove one.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(g)
Commit to return / destroy customer data on termination
Tick yes if you contractually commit to returning or destroying customer data at the end of the contract. Common practice: export and return, then delete within 30 days.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(h)
Standard data processing agreement (DPA) available
Tick yes if you have a standard data processing agreement under GDPR Article 28 that customers can sign. Required as soon as you process personal data.
info.supplierQuestionnaire.field.legalBasis: GDPR Art. 28
Security policies reviewed at least annually
Tick yes if your security policies are reviewed at least once a year and updated as needed. A written note in the document is enough evidence.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(a) / ENISA TIG §1.1
Documented incident response plan
Tick yes if you have a written plan for handling security incidents: who decides, who communicates, who documents. At least one tabletop exercise per year is good practice.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(b) / ENISA TIG §3
Documented business continuity / disaster recovery plan
Tick yes if you have a plan that explains how you keep running or recover quickly during an outage: critical systems, fallbacks, RTO and RPO targets.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(c) / ENISA TIG §4
Documented cryptography policy
Tick yes if you have written down which cryptography you use where: data in transit (TLS 1.2+), data at rest (AES-256), key management, hashing algorithms.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(h) / ENISA TIG §9
Privileged access management (PAM) for internal staff
Tick yes if administrators and privileged accounts get extra controls: separate sign-in, MFA, session logging, or just-in-time access.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3
MFA enforced for all internal admin / privileged accounts
Tick yes if every internal admin or privileged account must use MFA. Hardware tokens or authenticator apps count; SMS does not.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(j)
Maintain an inventory of information assets
Tick yes if you keep a current list of every information system you use to deliver your service: servers, databases, SaaS tools, endpoints. A spreadsheet is enough.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(i) / ENISA TIG §12.4
Annual or biennial penetration testing program
Tick yes if you commission an external penetration test at least every one to two years. For smaller companies, an external vulnerability scan as a minimum step is acceptable.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(e) / ENISA TIG §6.5
We disclose past notifiable cybersecurity events when asked by customers
Tick yes if, on customer request, you openly disclose whether and which reportable security incidents your company had in the past. Common window: the last three to five years.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.1.2
Provide incident assistance to customers at no / ex-ante cost
Tick yes if you commit to helping customers at no extra cost when an incident is caused by your product or service. If you agree a pre-defined day rate up front instead, also tick yes.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.1.4 TIPS
Fully cooperate with competent authorities (BSI, ENISA, national CSIRTs)
Tick yes if you commit to fully cooperating with competent authorities like BSI, ENISA, or national CSIRTs during inspections, audits, and incident handling. Standard for serious suppliers.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.1.4 TIPS
Notify customers of any material change affecting service delivery
Tick yes if you commit to notifying customers of any material change affecting your ability to deliver: acquisitions, subprocessor changes, major technical shifts.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.1.4 TIPS
Notify customers in advance if data-processing locations change
Tick yes if you notify customers in advance before the processing location of their data changes. Important for data protection and for GDPR-compliant supply chain oversight.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.1.4 TIPS
Documented exit strategy with mandatory transition period
Tick yes if you have a written exit strategy: how long an orderly handover takes, what data and knowledge gets transferred, what you commit to during the transition.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.1.4 TIPS
Provide an SBOM-for-AI per G7 minimum elements
Optional. Tick yes if you can provide an SBOM-for-AI per the G7 minimum elements (May 2026). Documents metadata, models, training data, infrastructure, security properties, KPIs, and system behaviour. Voluntary standard.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(d) / ENISA TIG §5.1.2
SBOM-for-AI document URL
Public or shared URL to your SBOM-for-AI document. Can be a PDF, a JSON file, or a project page.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(d) / ENISA TIG §5.1.2
info.supplierQuestionnaire.sections.saas_technical
5 info.supplierquestionnaire.meta_panel.fieldsHosting region
The cloud region where customer data is hosted. Example: AWS eu-central-1, Azure West Europe. Name the primary region; secondary or backup regions can be added comma-separated.
info.supplierQuestionnaire.field.legalBasis: ENISA TIG §5.2
Encryption at rest
Tick yes if customer data on disk is encrypted at rest with AES-256 or equivalent. Cloud-managed disk encryption (AWS EBS, Azure Disk Encryption) counts.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(h) / ENISA TIG §9
Encryption in transit (TLS ≥ 1.2)
Tick yes if all customer-facing endpoints enforce TLS 1.2 or higher. TLS 1.3 is preferred. Plain HTTP must redirect to HTTPS.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(h) / ENISA TIG §9
MFA enforced for all admin accounts
Tick yes if every internal admin account on the SaaS platform must use MFA. Same standard as your internal admin policy.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(j) / ENISA TIG §11.3
Recovery time objective (RTO) in hours
Maximum number of hours your service can be unavailable before recovery. Realistic SLA value, not aspirational. Common SaaS values: 4, 8, or 24 hours.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(c) / ENISA TIG §4
info.supplierQuestionnaire.sections.on_prem_technical
4 info.supplierquestionnaire.meta_panel.fieldsProvide a Software Bill of Materials (SBOM)
Tick yes if you ship a Software Bill of Materials with every release. CycloneDX or SPDX are the standard formats. Mandatory under the Cyber Resilience Act for products placed on the EU market from December 2027.
info.supplierQuestionnaire.field.legalBasis: CRA / NIS2 Art. 21(2)(d)
Releases are cryptographically signed
Tick yes if every release artefact carries a cryptographic signature customers can verify. Signing keys are documented and rotated. Sigstore or PGP signatures both count.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(e) / ENISA TIG §6.5
Published vulnerability disclosure policy
Tick yes if you have a publicly documented way to report security vulnerabilities. A security.txt file under your domain (per RFC 9116) or a dedicated email like security@example.com is enough.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(e) / ENISA TIG §3
Patch SLA for critical CVEs (hours)
Hours from public CVE disclosure to a patched release for critical vulnerabilities (CVSS 9.0+). Realistic commitment, not aspirational. Common values: 24, 48, or 72 hours.
info.supplierQuestionnaire.field.legalBasis: CIR 2024/2690 §5.1.4(f)
info.supplierQuestionnaire.sections.pro_services
3 info.supplierquestionnaire.meta_panel.fieldsBackground check scope
Describe how you vet consultants for sensitive roles. Example: criminal record extract for all consultants, plus reference checks for engagements involving classified data.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(i) / CIR 2024/2690 §5.1.4(c)
NDA in place with all consultants
Tick yes if every consultant signs a confidentiality agreement before being assigned to customer work. Either as part of the employment contract or as a separate NDA.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(i) / ENISA TIG §11.4
Documented customer-premises behaviour policy
Tick yes if you have a written code of conduct for consultants working on customer premises: badge handling, locked-screen rule, what to do if data leaves the site.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3
info.supplierQuestionnaire.sections.managed_services
3 info.supplierquestionnaire.meta_panel.fieldsPrivileged access management (PAM) in place
Tick yes if you use a privileged access management tool for administrative remote sessions on customer systems. Examples: CyberArk, BeyondTrust, Teleport. A logged jump-host setup counts.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3
Admin sessions are recorded
Tick yes if admin sessions on customer systems are recorded and retained for review. Common retention: 90 days to 1 year. Needed for forensic reconstruction after incidents.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(f) / ENISA TIG §10
24/7 on-call coverage
Tick yes if you operate a 24/7 on-call rotation that responds to security incidents on customer systems. Business-hours-only support does not qualify.
info.supplierQuestionnaire.field.legalBasis: NIS2 Art. 21(2)(b) / ENISA TIG §3
info.supplierQuestionnaire.useNote.p1
info.supplierQuestionnaire.useNote.p2