Supplier questionnaire

Version: 3.1.0
Last updated: 2026-05-15
Fields: 59

Section: Profile (18 fields)

Field: Legal name
Type: string (required)
Required by CIR 2024/2690 §5.2(a) — supplier register entry.
Legal basis: ENISA TIG §5.2

Field: Registered address
Type: string (required)
Required by CIR 2024/2690 §5.2(a) — supplier register entry.
Legal basis: ENISA TIG §5.2

Field: Country
Type: country (required)
ISO 3166-1 alpha-2 code, e.g. DE, FR, IT.
Legal basis: ENISA TIG §5.2

Field: Primary domain
Type: url (optional)
The supplier's primary public domain.
Legal basis: ENISA TIG §5.2(b)

Field: Tagline (one line, customer-facing)
Type: string (optional)
Short summary shown to customers.
Legal basis: ENISA TIG §5.2(b)

Field: Public description (longer)
Type: text (optional)
Longer description of the supplier.
Legal basis: ENISA TIG §5.2(b)

Field: Description of services provided
Type: text (required)
Required by ENISA TIG §5.2(b) + §5.1.4 TIPS — clear and complete description of the ICT products and services you provide. One paragraph.
Legal basis: ENISA TIG §5.2(b) + §5.1.4 TIPS

Field: Countries / regions where customer data is processed
Type: string (required)
Required by ENISA TIG §5.1.4 TIPS — list every country / region where your customers' data is produced, processed or stored. Comma-separated.
Legal basis: ENISA TIG §5.1.4 TIPS

Field: Security contact name
Type: string (required)
Required by CIR 2024/2690 §5.1.4(d) — incident notification chain.
Legal basis: CIR 2024/2690 §5.1.4(d)

Field: Incident contact email
Type: email (required)
Default email used by customers for incident notifications.
Legal basis: CIR 2024/2690 §5.1.4(d)

Field: Incident contact phone (24/7)
Type: phone (optional)
24/7 phone for critical incident notifications.
Legal basis: CIR 2024/2690 §5.1.4(d)

Field: Incident notification SLA (hours)
Type: integer (optional)
Maximum time from incident detection to customer notification.
Legal basis: NIS2 Art. 23

Field: BSI registration ID (only if your company is itself NIS2-regulated)
Type: string (optional)
Optional. ENISA TIG §5.1.2 — if your company is itself a NIS2-regulated entity with a BSI registration, your customers can use this fact to satisfy their §5.1.2 supplier-selection criteria.
Legal basis: ENISA TIG §5.1.2

Field: We provide SaaS / hosted services
Type: boolean (required)
Together with the three delivery-model flags below (on-prem software, professional services, managed services), determines which technical sections you'll see next. Tick every one that applies.
Legal basis: ENISA TIG §5.2(b)

Field: We deliver on-prem software
Type: boolean (required)
Software your customers install on their own hardware.
Legal basis: ENISA TIG §5.2(b)

Field: We provide professional services / consulting
Type: boolean (required)
Consulting, implementation, training, audit work.
Legal basis: ENISA TIG §5.2(b)

Field: We provide managed services / MSP
Type: boolean (required)
Operating the customer's IT under contract (MSP, MSSP).
Legal basis: ENISA TIG §5.2(b)

Field: We use, integrate or provide AI systems
Type: boolean (required)
Determines whether the AI supply-chain disclosure questions appear next. Includes any AI / ML model the customer's data passes through, including third-party LLMs accessed via API.
Legal basis: NIS2 Art. 21(2)(d)

Section: Security practices (26 fields)

Field: Documented Information Security Management System (ISMS)
Type: boolean (required)
Required by CIR 2024/2690 §5.1.2(a) — cybersecurity practices of suppliers.
Legal basis: CIR 2024/2690 §5.1.2(a)

Field: Hold ISO 27001, BSI Grundschutz, or equivalent certification
Type: boolean (required)
Required by CIR 2024/2690 §5.1.2(b). Upload the certificate via the Certifications tab.
Legal basis: CIR 2024/2690 §5.1.2(b)

Field: Annual security awareness training for all staff
Type: boolean (required)
Required by CIR 2024/2690 §5.1.4(b) — awareness, skills and training.
Legal basis: CIR 2024/2690 §5.1.4(b)

Field: Background checks on staff with customer data access
Type: boolean (required)
Required by CIR 2024/2690 §5.1.4(c) — verification of staff background.
Legal basis: CIR 2024/2690 §5.1.4(c)

Field: Documented vulnerability handling and patching process
Type: boolean (required)
Required by CIR 2024/2690 §5.1.4(f) — handle vulnerabilities that present a risk.
Legal basis: CIR 2024/2690 §5.1.4(f)

Field: Accept customer right to audit (or provide audit reports)
Type: boolean (required)
Required by CIR 2024/2690 §5.1.4(e) — right to audit or to receive audit reports.
Legal basis: CIR 2024/2690 §5.1.4(e)

Field: Use subprocessors / sub-suppliers
Type: boolean (required)
Required by CIR 2024/2690 §5.1.4(g) — subcontracting requirements.
Legal basis: CIR 2024/2690 §5.1.4(g)

Field: List of subprocessors
Type: text (conditional)
List the subprocessors and what they do for you. CIR 2024/2690 §5.1.4(g).
Legal basis: CIR 2024/2690 §5.1.4(g)

Field: Commit to return / destroy customer data on termination
Type: boolean (required)
Required by CIR 2024/2690 §5.1.4(h) — retrieval and disposal of information at termination.
Legal basis: CIR 2024/2690 §5.1.4(h)

Field: Standard data processing agreement (DPA) available
Type: boolean (required)
GDPR Art. 28 — written data processing agreement.
Legal basis: GDPR Art. 28

Field: Security policies reviewed at least annually
Type: boolean (required)
Required by CIR 2024/2690 §1.1 / NIS2 Art. 21(2)(a) — security policies must be reviewed and updated regularly.
Legal basis: NIS2 Art. 21(2)(a) / ENISA TIG §1.1

Field: Documented incident response plan
Type: boolean (required)
Required by CIR 2024/2690 §3 / NIS2 Art. 21(2)(b) — documented incident handling procedures.
Legal basis: NIS2 Art. 21(2)(b) / ENISA TIG §3

Field: Documented business continuity / disaster recovery plan
Type: boolean (required)
Required by CIR 2024/2690 §4 / NIS2 Art. 21(2)(c) — business continuity and crisis management.
Legal basis: NIS2 Art. 21(2)(c) / ENISA TIG §4

Field: Documented cryptography policy
Type: boolean (required)
Required by CIR 2024/2690 §9 / NIS2 Art. 21(2)(h) — policies and procedures regarding the use of cryptography.
Legal basis: NIS2 Art. 21(2)(h) / ENISA TIG §9

Field: Privileged access management (PAM) for internal staff
Type: boolean (required)
Required by CIR 2024/2690 §11.3 / NIS2 Art. 21(2)(i) — access control policies for privileged accounts.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3

Field: MFA enforced for all internal admin / privileged accounts
Type: boolean (required)
Required by NIS2 Art. 21(2)(j) — multi-factor authentication for accounts with elevated privileges.
Legal basis: NIS2 Art. 21(2)(j)

Field: Maintain an inventory of information assets
Type: boolean (required)
Required by CIR 2024/2690 §12.4 / NIS2 Art. 21(2)(i) — asset management.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §12.4

Field: Annual or biennial penetration testing program
Type: boolean (required)
Required by CIR 2024/2690 §6.5 — security testing of cybersecurity risk-management measures.
Legal basis: NIS2 Art. 21(2)(e) / ENISA TIG §6.5

Field: We disclose past notifiable cybersecurity events when asked by customers
Type: boolean (required)
ENISA TIG §5.1.2 — selection criteria require entities to consider 'the supplier's history in relation to cybersecurity events and breaches'.
Legal basis: ENISA TIG §5.1.2

Field: Provide incident assistance to customers at no cost or at a cost fixed in advance
Type: boolean (required)
ENISA TIG §5.1.4 TIPS — supplier obligation to assist the customer, at no additional cost or at a cost agreed in advance (ex ante), during a cyber incident caused by the ICT product or service.
Legal basis: ENISA TIG §5.1.4 TIPS

Field: Fully cooperate with competent authorities (BSI, ENISA, national CSIRTs)
Type: boolean (required)
ENISA TIG §5.1.4 TIPS — supplier obligation to fully cooperate with competent authorities during inspections, audits and incident handling.
Legal basis: ENISA TIG §5.1.4 TIPS

Field: Notify customers of any material change affecting service delivery
Type: boolean (required)
ENISA TIG §5.1.4 TIPS — notification of any development that might have a material impact on the supplier's ability to effectively provide the ICT products or services.
Legal basis: ENISA TIG §5.1.4 TIPS

Field: Notify customers in advance if data-processing locations change
Type: boolean (required)
ENISA TIG §5.1.4 TIPS — notify the customer in advance if data-processing locations are envisaged to change.
Legal basis: ENISA TIG §5.1.4 TIPS

Field: Documented exit strategy with mandatory transition period
Type: boolean (required)
ENISA TIG §5.1.4 TIPS — exit strategy with a mandatory adequate transition period, IP provisions and supplier responsibilities during the exit period.
Legal basis: ENISA TIG §5.1.4 TIPS

Field: Provide an SBOM-for-AI per G7 minimum elements
Type: boolean (conditional)
G7 cybersecurity authorities (BSI, ACN, CISA et al.) and the EU Commission published 'Software Bill of Materials (SBOM) for Artificial Intelligence — Minimum Elements' on 12 May 2026. Voluntary baseline reference for AI supply-chain transparency under NIS2 Art. 21(2)(d). Covers seven clusters: metadata, models, dataset properties, infrastructure, security properties, KPIs, system-level properties.
Legal basis: NIS2 Art. 21(2)(d) / ENISA TIG §5.1.2

Field: SBOM-for-AI document URL
Type: url (conditional)
Public or customer-shared URL pointing to the supplier's SBOM-for-AI document.
Legal basis: NIS2 Art. 21(2)(d) / ENISA TIG §5.1.2

Section: SaaS technical (5 fields)

Field: Hosting region
Type: string (conditional)
BSI IT-Grundschutz OPS.2.2 Cloud-Nutzung (cloud use) — where customer data is stored.
Legal basis: ENISA TIG §5.2

Field: Encryption at rest
Type: boolean (conditional)
BSI IT-Grundschutz OPS.2.2.A11. AES-256 or equivalent.
Legal basis: NIS2 Art. 21(2)(h) / ENISA TIG §9

Field: Encryption in transit (TLS ≥ 1.2)
Type: boolean (conditional)
BSI IT-Grundschutz OPS.2.2.A11. TLS 1.2 minimum, TLS 1.3 preferred.
Legal basis: NIS2 Art. 21(2)(h) / ENISA TIG §9

Field: MFA enforced for all admin accounts
Type: boolean (conditional)
BSI IT-Grundschutz ORP.4.A23 — second-factor authentication for privileged accounts.
Legal basis: NIS2 Art. 21(2)(j) / ENISA TIG §11.3

Field: Recovery time objective (RTO) in hours
Type: integer (conditional)
BSI IT-Grundschutz DER.4 — maximum tolerated downtime for customer service.
Legal basis: NIS2 Art. 21(2)(c) / ENISA TIG §4

Section: On-prem technical (4 fields)

Field: Provide a Software Bill of Materials (SBOM)
Type: boolean (conditional)
CRA / NIS2 supply-chain transparency. Format: CycloneDX or SPDX.
Legal basis: CRA / NIS2 Art. 21(2)(d)

Field: Releases are cryptographically signed
Type: boolean (conditional)
BSI IT-Grundschutz CON.8 Software-Entwicklung (software development) — signed releases let customers detect tampering with distributed artifacts.
Legal basis: NIS2 Art. 21(2)(e) / ENISA TIG §6.5

Field: Published vulnerability disclosure policy
Type: boolean (conditional)
BSI IT-Grundschutz CON.10. Public security.txt (RFC 9116) or other published contact for vulnerability reports.
Legal basis: NIS2 Art. 21(2)(e) / ENISA TIG §3

Field: Patch SLA for critical CVEs (hours)
Type: integer (conditional)
Time from CVE disclosure to patch availability for critical vulnerabilities.
Legal basis: CIR 2024/2690 §5.1.4(f)

Section: Professional services (3 fields)

Field: Background check scope
Type: string (conditional)
BSI IT-Grundschutz ORP.2.A14 — staff vetting for sensitive roles.
Legal basis: NIS2 Art. 21(2)(i) / CIR 2024/2690 §5.1.4(c)

Field: NDA in place with all consultants
Type: boolean (conditional)
BSI IT-Grundschutz ORP.2.A2 — confidentiality agreements with all consultants.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.4

Field: Documented customer-premises behaviour policy
Type: boolean (conditional)
BSI IT-Grundschutz ORP.3.A4 — security awareness on customer premises.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3

Section: Managed services (3 fields)

Field: Privileged access management (PAM) in place
Type: boolean (conditional)
BSI IT-Grundschutz ORP.4.A26 — PAM for administrative remote access.
Legal basis: NIS2 Art. 21(2)(i) / ENISA TIG §11.3

Field: Admin sessions are recorded
Type: boolean (conditional)
BSI IT-Grundschutz OPS.1.2.5.A11 — recorded remote maintenance sessions.
Legal basis: NIS2 Art. 21(2)(f) / ENISA TIG §10

Field: 24/7 on-call coverage
Type: boolean (conditional)
BSI IT-Grundschutz DER.2.1 — incident detection and response coverage.
Legal basis: NIS2 Art. 21(2)(b) / ENISA TIG §3
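For teams loading answers to this questionnaire into their own vendor-risk tooling, here is an added validator. It is example code written for this page, not the questionnaire's own software: it encodes a representative subset of the fields with their types and required/optional/conditional status, applies the gating the page describes (the delivery-model flags open the SaaS and on-prem sections, the AI flag opens the SBOM-for-AI fields, "Use subprocessors" opens the subprocessor list) and type-checks each answer. The field keys, the subset chosen and the sample answer set are assumptions made for the example.

```python
"""Validator for supplier-questionnaire answers (added example, not the page's tooling).

A representative subset of the page's fields is encoded with type, status and
the boolean that gates it.  Field keys are hypothetical identifiers chosen for
this example; the questionnaire itself is not distributed as a schema file.
"""
import re
from urllib.parse import urlparse

# (key, type, status, gated_by): a "conditional" field is required only when
# its gating boolean is answered True, mirroring the "Determines which technical
# questions you'll see next" fields on the page.
FIELDS = [
    ("legal_name", "string", "required", None),
    ("country", "country", "required", None),
    ("primary_domain", "url", "optional", None),
    ("incident_contact_email", "email", "required", None),
    ("incident_sla_hours", "integer", "optional", None),
    ("provides_saas", "boolean", "required", None),
    ("delivers_on_prem", "boolean", "required", None),
    ("uses_ai", "boolean", "required", None),
    ("uses_subprocessors", "boolean", "required", None),
    ("subprocessor_list", "text", "conditional", "uses_subprocessors"),
    ("sbom_for_ai_url", "url", "conditional", "uses_ai"),
    ("hosting_region", "string", "conditional", "provides_saas"),
    ("encryption_in_transit", "boolean", "conditional", "provides_saas"),
    ("provides_sbom", "boolean", "conditional", "delivers_on_prem"),
    ("critical_cve_patch_sla_hours", "integer", "conditional", "delivers_on_prem"),
]

COUNTRY_RE = re.compile(r"^[A-Z]{2}$")                # ISO 3166-1 alpha-2 shape only
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # shape check, not deliverability


def check_type(ftype, value):
    """True if value is an acceptable answer for a field of type ftype."""
    if ftype == "boolean":
        return isinstance(value, bool)
    if ftype == "integer":
        # bool is a subclass of int in Python, so exclude it explicitly
        return isinstance(value, int) and not isinstance(value, bool) and value >= 0
    if ftype in ("string", "text"):
        return isinstance(value, str) and value.strip() != ""
    if ftype == "country":
        return isinstance(value, str) and COUNTRY_RE.match(value) is not None
    if ftype == "email":
        return isinstance(value, str) and EMAIL_RE.match(value) is not None
    if ftype == "url":
        if not isinstance(value, str):
            return False
        parts = urlparse(value)
        return parts.scheme in ("https", "http") and bool(parts.netloc)
    return False


def validate(answers):
    """Return a list of (field, problem) tuples; an empty list means the answers pass."""
    problems = []
    for key, ftype, status, gate in FIELDS:
        present = answers.get(key) is not None
        if status == "conditional":
            needed = answers.get(gate) is True
        else:
            needed = status == "required"
        if needed and not present:
            problems.append((key, "missing"))
        elif present and not check_type(ftype, answers[key]):
            problems.append((key, f"invalid {ftype}"))
    return problems


# Constructed sample answers for this example: a SaaS supplier that uses AI and
# subprocessors, with three defects a reviewer should catch.
SAMPLE_ANSWERS = {
    "legal_name": "Example Supplier GmbH",
    "country": "de",                                   # alpha-2 codes are upper-case
    "primary_domain": "https://supplier.example",
    "incident_contact_email": "security@supplier.example",
    "provides_saas": True,
    "delivers_on_prem": False,
    "uses_ai": True,                                   # opens the SBOM-for-AI fields
    "uses_subprocessors": True,
    "subprocessor_list": "Cloud host (IaaS); transactional e-mail provider",
    "hosting_region": "eu-central",
    # encryption_in_transit is missing although provides_saas is True
    # sbom_for_ai_url is missing although uses_ai is True
    "critical_cve_patch_sla_hours": 72,                # closed section; still type-checked
}

if __name__ == "__main__":
    for field, problem in validate(SAMPLE_ANSWERS):
        print(f"{field}: {problem}")
```

Unanswered optional fields pass; a conditional field counts as required only when its gate is answered True, and an answer given inside a closed section is still type-checked rather than rejected, since a supplier volunteering a patch SLA is useful information. The country and email checks are shape checks only: extend the country check with a real ISO 3166-1 list before relying on it for data-residency decisions.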
