SaaSFort
NIS2 Article 21 supply chain

Answering an NIS2 Supplier Security Questionnaire

Your enterprise customer is now required to assess the security of their supply chain under NIS2 Article 21(2)(d). That requirement lands in your inbox as a supplier security questionnaire. Most of these forms look long, but they check a small number of things. Here is what they are and how to answer them.

What NIS2 Article 21(2)(d) actually requires your customer to check

NIS2 Article 21(2)(d) requires essential and important entities to address supply chain security, including the security-related aspects of their relationships with direct suppliers and service providers. In practice, that means your customer must be able to show their national competent authority (in Germany, the BSI) that they assessed each significant supplier's security posture. They do that by collecting evidence from you.

The evidence they need covers three areas: your external-facing security (what attackers see), your security governance (who is responsible, what policies exist), and your incident reporting capability (how you would notify them if something went wrong). External posture is the easiest to produce because it is observable from outside and can be independently verified. A dated scan result from a recognized tool satisfies it more reliably than a self-attestation.

The sections a supplier questionnaire usually includes

Most NIS2-driven supplier questionnaires follow a similar structure. The external posture section asks about your TLS configuration, security headers, certificate validity, email authentication (SPF, DKIM, DMARC), and whether admin panels are exposed. The governance section asks about your security policy, ownership, and whether management has approved a cybersecurity risk framework. The incident section asks about your reporting timeline and contact details.

The external posture section is the one that blocks deals most often, because it is the one the auditor can independently verify. A clean scan result is the fastest way to close it.

How to clear the external posture section in 60 seconds

Run a free scan at saasfort.com/scan. It checks 60 controls across your domain: TLS version and cipher suites, HTTP security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy), DNSSEC, DMARC, SPF, DKIM, certificate transparency, and exposed admin endpoints. The result is an A-F grade with a per-control breakdown.

If your grade is B or above, screenshot or export the result and attach it to the questionnaire. If it is below B, the scan report tells you exactly which controls to fix and why. Fix the highest-weight items first (TLS configuration and missing security headers are usually the quickest wins) and re-scan.
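The controls listed above can be self-checked before a questionnaire arrives. The following is an added example, not SaaSFort's scanner or its scoring: it evaluates the external-posture controls the page names (HSTS and the other security headers, DMARC enforcement, SPF, TLS versions) against constructed inputs. The header sets, DNS records, TLS version lists, per-finding weights and A-F grade bands are all illustrative assumptions.

```python
"""Self-check of the external-posture controls a NIS2 supplier questionnaire asks about.
Added example (not SaaSFort code). Inputs are constructed; weights and grade bands are assumed."""
from __future__ import annotations
from dataclasses import dataclass

# Headers the questionnaire section usually asks about (see the page's list).
REQUIRED_HEADERS = {
    "strict-transport-security", "content-security-policy",
    "x-frame-options", "referrer-policy", "permissions-policy",
}
LEGACY_TLS = ("SSLv3", "TLSv1.0", "TLSv1.1")


@dataclass
class Finding:
    control: str
    severity: str  # "critical" or "warning"
    detail: str


def parse_tag_value(record: str) -> dict:
    """Parse a 'k=v; k=v' record (DMARC record, HSTS header) into a dict with lowercased keys."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_headers(headers: dict) -> list[Finding]:
    """Missing HSTS is treated as critical; other missing headers as warnings (assumed weighting)."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for h in sorted(REQUIRED_HEADERS):
        if h not in present:
            sev = "critical" if h == "strict-transport-security" else "warning"
            findings.append(Finding(h, sev, "header missing"))
    hsts = present.get("strict-transport-security", "")
    if hsts and int(parse_tag_value(hsts).get("max-age", "0")) < 31536000:
        findings.append(Finding("strict-transport-security", "warning", "max-age below one year"))
    return findings


def check_dmarc(txt: str) -> list[Finding]:
    """DMARC enforcement means p=quarantine or p=reject; p=none only monitors."""
    if not txt.lower().startswith("v=dmarc1"):
        return [Finding("dmarc", "critical", "no DMARC record")]
    tags = parse_tag_value(txt)
    if tags.get("p", "none").lower() == "none":
        return [Finding("dmarc", "critical", "policy p=none is not enforcement")]
    if tags.get("pct", "100") != "100":
        return [Finding("dmarc", "warning", f"policy applied to only pct={tags['pct']}")]
    return []


def check_spf(txt: str) -> list[Finding]:
    """The terminal mechanism decides what unlisted senders get: +all authorises anyone."""
    if not txt.lower().startswith("v=spf1"):
        return [Finding("spf", "critical", "no SPF record")]
    last = txt.split()[-1].lower()
    if last in ("+all", "all"):
        return [Finding("spf", "critical", f"terminal '{last}' authorises any sender")]
    if last == "?all":
        return [Finding("spf", "warning", "neutral '?all' gives receivers no signal")]
    return []


def check_tls(offered_versions: list[str]) -> list[Finding]:
    """Any legacy protocol version still negotiable is a critical finding."""
    findings = [Finding("tls", "critical", f"{v} still enabled") for v in offered_versions if v in LEGACY_TLS]
    if not any(v in ("TLSv1.2", "TLSv1.3") for v in offered_versions):
        findings.append(Finding("tls", "critical", "no modern TLS version offered"))
    return findings


def grade(findings: list[Finding]) -> str:
    """Illustrative A-F band: each critical costs 15 points, each warning 5 (assumed weights)."""
    score = max(0, 100 - sum(15 if f.severity == "critical" else 5 for f in findings))
    for letter, floor in (("A", 90), ("B", 80), ("C", 70), ("D", 60)):
        if score >= floor:
            return letter
    return "F"


def assess(headers: dict, dmarc: str, spf: str, tls: list[str]) -> tuple[str, list[Finding]]:
    findings = check_headers(headers) + check_dmarc(dmarc) + check_spf(spf) + check_tls(tls)
    return grade(findings), findings


# Constructed "before" posture: no HSTS, no Permissions-Policy, monitoring-only DMARC, TLS 1.0 on.
WEAK_HEADERS = {"Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
                "Referrer-Policy": "strict-origin-when-cross-origin"}
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.com ~all"
WEAK_TLS = ["TLSv1.0", "TLSv1.2", "TLSv1.3"]

# Constructed "after" posture with the three common critical findings fixed.
FIXED_HEADERS = dict(WEAK_HEADERS, **{
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()"})
FIXED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
FIXED_TLS = ["TLSv1.2", "TLSv1.3"]

if __name__ == "__main__":
    for label, args in (("before", (WEAK_HEADERS, WEAK_DMARC, WEAK_SPF, WEAK_TLS)),
                        ("after", (FIXED_HEADERS, FIXED_DMARC, WEAK_SPF, FIXED_TLS))):
        g, fs = assess(*args)
        print(label, g, [(f.control, f.severity, f.detail) for f in fs])
```

In the constructed "before" case the three findings the page calls the most common critical ones (missing HSTS, DMARC p=none, TLS 1.0 enabled) plus one missing header drop the illustrative score to F; fixing exactly those brings the "after" case to A, which is the order of remediation the paragraph above recommends.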

For a dated, auditor-addressed PDF with the full control map tied to NIS2 Article 21 and ISO 27001 Annex A, get the €39 audit pack. One-time payment, no subscription. The PDF includes your score, the 60-control breakdown, and a cover letter you can attach to the questionnaire response.

What to say if your score is low

Do not wait to reply. Send the questionnaire back with your current scan result and a one-paragraph remediation note: which items you found, what you are fixing, and your target date. Buyers prefer a vendor who knows their posture over one who says nothing for two weeks.

Related use cases

The security scan by use case hub maps each common scenario to the relevant scan controls: SOC 2 prep, NIS2 registration, ISO 27001 audit, enterprise procurement, cyber insurance, and more. Pick the one that matches your situation.

Frequently asked questions

Is an external scan result enough to satisfy a NIS2 supplier questionnaire?
For the external posture section, yes: a dated scan result from a recognized tool with a per-control breakdown satisfies most questionnaires. It does not cover the other sections. Most buyers also ask for a governance attestation and an incident response contact. The scan handles the technical evidence; a one-page security policy document with a named owner and a reporting contact handles the governance and incident questions.
What is the minimum grade a supplier needs to pass a NIS2 assessment?
NIS2 does not set a numeric threshold. Buyers typically accept a B grade or above without further questions. A C grade prompts a remediation timeline request. An F grade usually blocks the deal until critical findings are fixed. The most common critical findings are missing HSTS, no DMARC enforcement, and TLS 1.0 or 1.1 still enabled.
How long does the scan take and does it require access to my infrastructure?
The scan runs in 60 seconds from the outside of your domain, with no credentials, no agent, and no access to your internal systems. It only checks what is visible from the public internet, which is what the external posture section of the questionnaire covers and what an assessor can verify independently. The governance and incident-reporting sections cannot be evidenced by an external scan and need their own answers.
Can I use the same scan result for multiple customers?
Yes, as long as the scan is recent. Scan results over 90 days old may prompt a re-scan request. The €39 audit pack includes 90 days of re-scans so you can keep the report current across multiple procurement cycles.

Need the evidence document this week?

The free scan shows your A-F grade in 60 seconds. The €39 audit pack adds the dated PDF mapped to NIS2 Article 21 and ISO 27001 Annex A, ready to attach to a questionnaire or auditor file.

One-time payment, no subscription, no account on the first scan.