The BSI NIS2 registration deadline passed on 6 March 2026. If you are a SaaS in scope, two groups now ask you to prove your status: the regulator, and every enterprise customer running a supply-chain review. Neither accepts “we’re working on it.” They want evidence.
This is the checklist of what to have ready before the question lands. Pull each item together once, store it where you can grab it in a meeting, and you stop scrambling every time a questionnaire arrives.
Why “Evidence” and Not “Answers”
A security questionnaire is not a quiz. The reviewer already assumes you will write “yes” next to every control. What separates an approved vendor from a stalled deal is the proof you can attach to the yes.
So the unit of work is not the answer. It is the artifact behind it. A policy line says you intend to do something. An artifact shows it is true right now. The checklist below is organised by artifact, because that is how a reviewer thinks.
The Checklist
1. NIS2 Registration Status
The first question in a 2026 supply-chain review is often the simplest: are you registered with your national authority? For German entities, that means the BSI portal.
Have ready: your registration confirmation or reference number, the date you registered, and which entity category you fall under (essential or important). If you are still unsure about your scope status, work that out first. Our walkthrough on NIS2 registration for SaaS covers the scope test and what the confirmation looks like.
If you are not yet registered, document the date you will be, and treat it as your top compliance item. An unregistered status is the one gap a reviewer cannot wave through.
2. External Security Posture
Most of a technical questionnaire maps to what an outsider can observe about your domain. The reviewer wants current proof, not a description.
Have ready: a recent external scan of your primary domain and app subdomain, showing:
- TLS 1.2 and 1.3 only, no deprecated versions or weak ciphers
- Security headers present, including HSTS
- No outdated JavaScript libraries with known CVEs on public pages
- No admin panels, staging dashboards, or source maps exposed to the internet
This is the bulk of the technical evidence, and it is the part most teams cannot produce on short notice. A scan dated this week answers four or five questionnaire items at once. For the full breakdown of what each finding proves, see what auditors actually ask for under NIS2 Article 21.
3. Control Mappings
A good reviewer does not want a raw vulnerability list. They want to know which NIS2 Article 21 measure each control satisfies, so they can tick their own compliance box.
Have ready: a mapping of your evidence to the relevant framework. TLS maps to Article 21(2)(h) on cryptography. Patch cadence maps to 21(2)(e) on vulnerability handling. Access exposure maps to 21(2)(i). If you also sell to ISO 27001 shops, map the same findings to Annex A. This translation work is what makes the difference between a reviewer who has to follow up and one who signs off.
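The following script is an added example, not SaaSFort's scanner or any code from the original article. It shows the shape of items 2 and 3 in working code: a few external posture checks of the kind listed above (protocol versions accepted, HSTS and other headers, exposed admin paths and source maps), each finding tagged with the Article 21(2) point the checklist maps it to, and the result grouped per control so a reviewer can read it in their own terms. The evaluation functions run offline on constructed input; the two live probes (`probe_tls_versions`, `fetch_headers`) are optional helpers for running the same checks against a domain you own. Assumptions: the header baseline and the exposure path patterns are this example's own choices, the mapping of HSTS to 21(2)(h) is an assumption (the article maps only TLS, patching and access exposure), and the outdated-library check from the list is omitted because it needs a vulnerability feed.

```python
"""Added example: external posture checks mapped to NIS2 Article 21(2) points.
Not the article's or SaaSFort's code; evaluation runs offline on sample input."""
import re
import socket
import ssl
import urllib.request
from typing import Dict, List, Tuple

# Finding = (category, description, NIS2 control it maps to)
Finding = Tuple[str, str, str]

# Mapping as named in the checklist. "headers" -> (h) is this example's
# assumption; "patching" has no check here because it needs a vulnerability feed.
ARTICLE_21_MAP = {
    "tls": "Art. 21(2)(h) cryptography",
    "headers": "Art. 21(2)(h) cryptography",
    "patching": "Art. 21(2)(e) vulnerability handling",
    "exposure": "Art. 21(2)(i) access control",
}

LEGACY_TLS = ("SSLv3", "TLSv1", "TLSv1.1")
MODERN_TLS = ("TLSv1.2", "TLSv1.3")

# Constructed baseline of paths a reviewer would flag if they answer publicly.
EXPOSURE_PATTERNS = [
    (re.compile(r"\.map$"), "source map exposed"),
    (re.compile(r"^/(admin|staging|phpmyadmin)(/|$)"), "admin or staging panel exposed"),
]


def evaluate_tls(supported: Dict[str, bool]) -> List[Finding]:
    """Flag any legacy protocol the server accepts and the absence of TLS 1.2/1.3."""
    findings: List[Finding] = []
    for name in LEGACY_TLS:
        if supported.get(name):
            findings.append(("tls", f"{name} accepted", ARTICLE_21_MAP["tls"]))
    if not any(supported.get(name) for name in MODERN_TLS):
        findings.append(("tls", "neither TLS 1.2 nor TLS 1.3 offered", ARTICLE_21_MAP["tls"]))
    return findings


def evaluate_headers(headers: Dict[str, str]) -> List[Finding]:
    """HSTS must be present with a positive max-age (RFC 6797); CSP and nosniff are the
    example's own baseline."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append(("headers", "HSTS header missing", ARTICLE_21_MAP["headers"]))
    else:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not match or int(match.group(1)) == 0:
            findings.append(("headers", "HSTS present but max-age missing or zero",
                             ARTICLE_21_MAP["headers"]))
    for name in ("content-security-policy", "x-content-type-options"):
        if name not in lower:
            findings.append(("headers", f"{name} missing", ARTICLE_21_MAP["headers"]))
    return findings


def evaluate_exposure(reachable_paths: List[str]) -> List[Finding]:
    """Map paths that answered with 200 on the public internet to the access control."""
    findings: List[Finding] = []
    for path in reachable_paths:
        for pattern, msg in EXPOSURE_PATTERNS:
            if pattern.search(path):
                findings.append(("exposure", f"{msg}: {path}", ARTICLE_21_MAP["exposure"]))
    return findings


def group_by_control(findings: List[Finding]) -> Dict[str, List[str]]:
    """The view a reviewer wants: one list of findings per Article 21 point."""
    grouped: Dict[str, List[str]] = {}
    for _, desc, control in findings:
        grouped.setdefault(control, []).append(desc)
    return grouped


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, bool]:
    """Live probe: one handshake per protocol version. False can also mean the local
    OpenSSL refused to offer that version, so confirm legacy results with a second tool."""
    versions = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
                "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
    supported: Dict[str, bool] = {}
    for name, version in versions.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # protocol probe only, never for real traffic
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    supported[name] = tls.version() == name
        except (ValueError, OSError):  # ssl.SSLError is an OSError subclass
            supported[name] = False
    return supported


def fetch_headers(url: str, timeout: float = 5.0) -> Dict[str, str]:
    """Live fetch of the landing page's response headers."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


def demo_report() -> Dict[str, List[str]]:
    """Constructed sample of what the probes could return for a weak domain."""
    sample_tls = {"TLSv1": True, "TLSv1.1": False, "TLSv1.2": True, "TLSv1.3": True}
    sample_headers = {"Strict-Transport-Security": "max-age=0", "Content-Type": "text/html"}
    sample_paths = ["/", "/static/app.js.map", "/admin/"]
    findings = (evaluate_tls(sample_tls) + evaluate_headers(sample_headers)
                + evaluate_exposure(sample_paths))
    return group_by_control(findings)


if __name__ == "__main__":
    for control, items in demo_report().items():
        print(control)
        for item in items:
            print("  -", item)
```

Run the live probes only against domains you operate, and date the output: the grouped dictionary is exactly the structure a reviewer wants to see next to each Article 21 box, and a scan from this week is worth more than a perfect one from last quarter.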
4. Incident and Reporting Readiness
NIS2 requires an early warning to the authority within 24 hours of becoming aware of a significant incident. Reviewers increasingly ask whether you could meet that deadline.
Have ready: a one-page runbook covering detection, who decides, and the notification path to the authority and to affected customers. It does not need to be long. It needs to exist and be dated.
5. The Questionnaire Response Itself
With the four artifacts above in hand, the questionnaire becomes assembly, not invention. You cite sections instead of writing essays.
Have ready: a reusable response document so you are not rewriting the same answers for every customer. If you have not built one yet, start from our guide on how to answer a vendor security questionnaire, which lays out the structure reviewers expect.
Assemble It Once, in One PDF
Here is the shortcut for the technical half of this checklist. SaaSFort scans your domain across 60 external checks, then maps each finding to its NIS2 Article 21 and ISO 27001 control. The output is a single graded PDF you attach to any questionnaire or hand to a BSI reviewer.
It covers items 2 and 3 of the checklist directly, and gives you dated evidence for the rest of the conversation. The one-time audit pack is 39 EUR. No subscription, no card on the first scan, and you see a real sample before you buy.
Get your NIS2 evidence pack for 39 EUR
FAQ
Does registering with the BSI make me compliant? No. Registration is one item on the list. It tells the regulator you exist and are in scope. Compliance is the technical and organisational measures behind it, which is what the rest of this checklist covers.
How current does my external scan need to be? Treat it as perishable. Posture drifts every time you ship. A reviewer trusts a scan from this week far more than one from last quarter, so re-scan before any audit call or major questionnaire.
Can a small team really produce all of this? Yes. The registration is a form. The external scan and its control mapping take minutes with the right tool. The runbook is a one-page document. The heavy item is the first assembly; after that, you reuse it.
Is the 39 EUR audit pack a subscription? No. It is a one-time report. Run the free scan, see your grade, and buy the mapped PDF only when you need the document for a buyer or an auditor.
From Reading to Action
Scan your domain for free. First results in under 10 seconds, no sign-up required.