
NIS2 supplier questionnaire (SAQ): what to ask, how to score it, and a free template

The supplier security questionnaire is where most NIS2 Article 21(2)(d) due diligence begins, and where a lot of it quietly fails. The typical questionnaire is too long to finish, scored by nobody, and never checked against reality. This guide covers what is actually worth asking, how to turn answers into decisions, what to do when a supplier comes up short, and the single blind spot every questionnaire shares. It ends with a template you can lift straight into your own process.

Key takeaways

  • Six decision-focused domains carry the weight: resist the urge to add boxes nobody will ever score.
  • Score the answers and read 'in progress' as a gap; a questionnaire is only worth sending if it can change a decision.
  • Every answer is the supplier grading their own homework: pair it with outside technical evidence to catch the contradictions.

What to ask: the six domains that matter

A questionnaire earns its keep by being short and pointed. Cover these six areas well and stop there; the fifty extra boxes nobody scores add length, not assurance.

1. Governance and accountability

Who actually owns security, and does leadership look at it or just sign off on it? NIS2 puts the management body on the hook, so this is the first read on whether a supplier takes the rest seriously.

2. Access control and authentication

Weak authentication is still the most common way in. Multi-factor authentication and least privilege are the floor here, not extras worth bonus points.

3. Incident response and notification

You want a supplier that can spot trouble, contain it and tell you quickly, because your own Article 23 clock can start ticking on their incident, not yours.

4. Business continuity and backups

If they go down or get ransomed, how fast does your service come back? A tested backup and a stated recovery time say more than a reassuring sentence.

5. Supply chain and fourth-party risk

Their suppliers are your risk too. Ask whether they assess their own critical subcontractors and whether they'll tell you when those change.

6. Technical and data protection

Encryption, patching cadence and where your data lives: the concrete controls an external scan can later confirm or contradict.

How to score answers: don't just collect them

A questionnaire that's filed and forgotten has cost you time and bought you nothing. The value is in scoring it:

  • Weight by criticality: a 'no' on MFA from a supplier holding your customer data matters far more than a missing policy doc from a low-tier vendor. Decide the weights before you send it, not after the answers arrive.
  • Read 'in progress' as 'no': until a control is in place and evidenced, it's a gap with a remediation date, not a pass. Good intentions don't survive an audit.
  • Mind the non-answers: vague or evasive replies are an answer in themselves. Ask for specifics or evidence rather than accepting a ticked box at face value.
  • Re-baseline on a schedule: answers go stale. A questionnaire filled in once a year describes one day, not the eleven months that follow it.

What to do when a supplier falls short

A gap isn't automatically grounds to drop a supplier, but it has to lead somewhere. Agree a remediation plan with named owners and dates, write it down, and make the material gaps contractual: a right to evidence, a fix-by date, and an escalation path for when it slips.

For critical suppliers, tie the fix to the relationship: re-assessment before renewal, security clauses in the contract, and the right to ask for evidence rather than take assurances on trust. Either way, record the decision. Accepting a residual risk is a perfectly legitimate call, but only when it's a written, owned decision and not something that fell through the cracks.

The questionnaire's blind spot: self-attestation

Every answer is a claim the supplier makes about themselves. Some are honest, some hopeful, some simply out of date by the time you read them. A questionnaire tells you what a supplier believes (or would like you to believe) about their security; it doesn't tell you what's actually exposed on the internet this morning.

That's why the strongest programmes set the questionnaire next to outside technical evidence. When a supplier writes 'yes, all traffic is encrypted' and a scan turns up an expired certificate or a plaintext login form, you have a contradiction worth a conversation. The questionnaire captures process and intent; continuous external monitoring corroborates it, or calls its bluff. The point isn't to pick one. It's to use both.

A free questionnaire template you can adapt

Lift these sections into your own process. Keep the answers to yes / no / in-progress plus an evidence field, so every claim can be backed up (or unpicked) later.

1. Governance and accountability

  • Is there a named person accountable for information security?
  • Has senior management approved a security policy in the last 12 months?
  • Do staff receive security awareness training at least annually?

2. Access control and authentication

  • Is multi-factor authentication enforced for remote and administrative access?
  • Are access rights reviewed, and revoked promptly when roles change?
  • Is least privilege applied to systems holding our data?

3. Incident response and notification

  • Is there a documented incident response plan, tested in the last 12 months?
  • Can you notify us of a relevant incident within 24 hours?
  • Have you had a reportable breach in the last 24 months? If so, what changed afterwards?

4. Business continuity and backups

  • Are backups encrypted, tested, and stored offline or immutably?
  • What is your recovery time objective (RTO) for the service you provide us?
  • Do you have a disaster-recovery plan, and when was it last exercised?

5. Supply chain and fourth-party risk

  • Do you assess the security of your own critical subcontractors?
  • Will you notify us of changes to subprocessors handling our data?
  • Do you hold relevant certifications (e.g. ISO 27001)? Can you share the scope?

6. Technical and data protection

  • Is data encrypted in transit and at rest to current standards?
  • Do you run regular vulnerability scanning and patch on a defined schedule?
  • In which jurisdictions is our data stored and processed?

Source: Directive (EU) 2022/2555 (NIS2), Article 21(2)(d): supply chain security — map your questions to the Art. 21 measures and your national transposition law.

How norppa.io helps

norppa.io sends the self-assessment questionnaire to your suppliers straight from the platform: no spreadsheets, no chasing email threads. Responses come back tracked, versioned and scored against the weighting you set.

The part that matters: each answer is set against the supplier's live technical risk profile: more than a hundred checks, refreshed daily. Where a confident 'yes' clashes with what the scan actually sees, norppa.io flags it, so you're reading not just what a supplier says but whether it holds up. That's the blind spot from the section above, closed.

Last reviewed: 19 June 2026

This guide is general information about EU law, not legal advice. NIS2 takes effect through each EU Member State's national transposition law, which can differ in detail. Verify the obligations that apply to you with your competent authority or legal counsel.
