A six-person analytics SaaS in Berlin had its largest deal of the year sitting in procurement. The customer was a German manufacturer in NIS2 scope. Two weeks into the contract review, an email arrived: a 40-question security due-diligence questionnaire, with a note that vendor approval depended on it, under the customer’s NIS2 Article 21 supply-chain obligations.
The founder forwarded it to me with one line: “We have no security team. We can’t lose this deal.” This is how they answered it in a day.
The Situation: No Team, Real Pressure
Small SaaS teams hit this wall constantly. You build a good product, you win an enterprise prospect, and then their NIS2 reviewer treats you as part of their attack surface. The deal does not move until you prove your security posture.
The team had the usual setup. AWS, a Postgres database, a marketing site, an app subdomain. No CISO. No prior audit. The questionnaire asked for evidence, not assurances. Half the questions mapped directly to NIS2 Article 21(2) technical measures.
Step One: Scan, Then See the Gaps
We ran a SaaSFort scan on their primary domain and the app subdomain. 60 external checks, results in under a minute. The grade came back a C. Not a disaster, but not pass-ready.
The scan surfaced five concrete issues that mapped straight to the questionnaire:
- TLS 1.0 still enabled on the app subdomain, against Article 21(2)(h) on cryptography. The marketing site was clean; the app was not.
- An outdated JavaScript library with a known CVE on the login page, against Article 21(2)(e) on vulnerability handling.
- A staging dashboard reachable from the public internet, against Article 21(2)(i) on access control.
- Missing HSTS and two security headers, against Article 21(2)(g) on cyber hygiene.
- An exposed source map leaking internal file structure, also under 21(2)(e).
Each of these would have been a fail or a follow-up question on the DDQ. None of them was expensive to fix.
Step Two: Fix the Cheap Things First
The team spent the morning closing four of the five gaps. Disabling TLS 1.0 was a config change. Updating the JS library was a dependency bump. Putting the staging dashboard behind their VPN took an hour. Adding the missing headers was a one-line change at the edge.
The source map fix needed a build-config tweak they scheduled for the next sprint, and they documented it as a known item with a remediation date. Auditors respect a dated plan more than silence.
By lunch, a re-scan came back an A. Same domain, same 60 checks, four hours later.
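Before paying for the re-scan, a team can verify the two cheapest fixes above (TLS 1.0 refused, HSTS and hygiene headers present and strong) with a script like this. It is an added example, not SaaSFort's scanner or the team's code; the header-to-measure mapping follows the post's own list, the one-year HSTS threshold is an assumption, and the sample responses are constructed.

```python
import socket
import ssl

# Mapping follows the post's own list: missing headers are cited under 21(2)(g).
HYGIENE = "NIS2 Art. 21(2)(g) cyber hygiene"
REQUIRED_HEADERS = ("strict-transport-security", "x-content-type-options",
                    "content-security-policy")
MIN_HSTS_MAX_AGE = 31536000  # one year; threshold chosen for this example

def parse_headers(raw: str) -> dict:
    """Raw HTTP response text -> lower-cased header dict (status line skipped)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines)}

def header_findings(headers: dict) -> list:
    """Return (finding, measure) pairs for missing or weak security headers."""
    findings = [(f"missing {h}", HYGIENE) for h in REQUIRED_HEADERS if h not in headers]
    hsts = headers.get("strict-transport-security")
    if hsts:  # present, but is it strong enough to actually pin HTTPS?
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = 0
        for d in directives:
            if d.startswith("max-age="):
                max_age = int(d[8:] or 0)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append((f"hsts max-age {max_age} below {MIN_HSTS_MAX_AGE}", HYGIENE))
        if "includesubdomains" not in directives:
            findings.append(("hsts lacks includeSubDomains", HYGIENE))
    return findings

def server_accepts_tls10(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live probe for Art. 21(2)(h): True if the server completes a TLS 1.0 handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol acceptance, not trust, is under test
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let OpenSSL 3 offer legacy suites at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False

# Constructed sample responses (not captured from any real host).
CLEAN = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
         "X-Content-Type-Options: nosniff\r\nContent-Security-Policy: default-src 'self'\r\n\r\n")
WEAK = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"
```

The header functions run offline on any captured response; server_accepts_tls10 needs network access and is meant for hosts you operate, run once before and once after the config change.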
Step Three: The PDF That Answered the DDQ
Here is where the one-time audit pack earned its 39 EUR. The PDF report contained the full scan result, A-graded, with every check mapped to its NIS2 Article 21 measure and its ISO 27001 Annex A control. It was dated, it named the domain, and it was readable by someone who is not an engineer.
The founder attached it to the questionnaire and answered the technical questions by citing report sections. Where the DDQ asked “describe your encryption in transit,” the answer pointed to the TLS section showing TLS 1.2 and 1.3 only. Where it asked about vulnerability management, the answer pointed to the clean library scan plus a one-paragraph patch SLA. The mapped report did most of the work, because it spoke the auditor’s language: control, evidence, status.
For the supply-chain questions, the team paired the report with the playbook in “How to Prove Security Posture in a NIS2 Vendor Audit Call.”
The Outcome
The customer’s reviewer came back in three days with two minor follow-ups and approved the vendor. The deal closed that week. Total spend on the security side was 39 EUR plus one developer-morning of fixes.
The lesson is not that a scan replaces a security program. A growing SaaS still needs real practices over time. The lesson is that a small team can produce credible, mapped evidence on the same day the questionnaire lands, instead of stalling the deal for three weeks while they figure out what an auditor wants. If you have a fixed deadline, the 30-day NIS2 audit checklist sequences the same work.
Do This Before Your Next Enterprise Deal
If you sell into EU enterprises, the questionnaire is coming. Run the free scan now so you know your grade before a customer does. Fix the cheap gaps. Then, when the DDQ arrives, buy the mapped PDF and answer it the same day.
The audit pack is 39 EUR, one-time, no subscription, no card on the first scan. See a real example first: SaaSFort NIS2 sample audit report.
Get your NIS2 audit evidence pack for 39 EUR
FAQ
We are a tiny team with no security staff. Is this enough? For answering the technical half of a NIS2 supply-chain questionnaire, the mapped report covers what an external reviewer can observe: encryption, vulnerabilities, access exposure, and hygiene. It does not replace internal governance, but it gets a small team through the technical DDQ without a consultant.
How long does the whole thing take? The scan is under a minute. Fixing common gaps like TLS, headers, and exposed staging is usually a few hours. Generating the PDF is instant. A same-day turnaround is realistic for most small SaaS setups.
Is 39 EUR really one-time? Yes. Run the free scan, see your grade, and buy the audit pack only when you need the document. There is no recurring charge on the one-time pack.
From Reading to Action
Scan your domain for free. First results in under 10 seconds, no sign-up.