How do you answer a NIS2 supplier questionnaire? A practical guide for SMEs

Published on June 12, 2026

Introduction

It usually starts with an email from your largest customer's procurement department. Subject: "Vendor Security Assessment" or "Supplier information security review". Attached: a questionnaire of twenty to sometimes two hundred questions about your cybersecurity, with the friendly but urgent request to return it completed within four weeks.

That questionnaire is not distrust and not a formality. Your customer falls under NIS2 and is legally required to assess the risks in its supply chain — the supply-chain duty of care we described earlier. Your answers partly determine whether your customer can demonstrate its own compliance. And so, very practically: whether you keep that customer. Unsure what NIS2 really requires of you — and what is merely a myth? First read what the NIS2 supply-chain duty of care really requires.

This guide covers the four questions that appear in virtually every supplier questionnaire, and — more importantly — how to give an answer that a corporate auditor accepts.

Why your large customers (have to) ask these questions

NIS2 requires essential and important entities to assess the security risks of their direct suppliers and to set appropriate requirements for them. The reasoning is simple: an attacker who cannot get through the front door of the hospital or the grid operator tries it via a supplier. The regulator therefore looks not only at the organisation itself, but also at how it manages its chain. What that duty of care entails exactly is explained in the article on the NIS2 supply-chain duty of care.

For you as a supplier that means two things. First: the questionnaire is not going away — expect it annually, and as standard with new contracts. Second: your answers become part of your customer's compliance file. A vague answer ("we take security seriously") is useless to your customer's auditor and will be exposed sooner or later. A concrete, substantiated answer makes you exactly the kind of supplier procurement is happy to renew with.

The 4 most common questions in a Vendor Security Assessment

1. How is your patch management and vulnerability management organised?

What they are really asking: do you know which systems you have exposed to the internet, how quickly do you close known vulnerabilities, and can you prove it?

Weak answer: "Updates are installed regularly."

Strong answer: describe your process in three sentences and attach evidence. For example: "Our external systems are scanned for vulnerabilities monthly. We remediate critical findings within 14 days, others within 30 days. Attached: last month's scan report with remediation status." A dated report from an independent scan says more than a page of prose. Start by understanding what an attacker sees of your domain — that is exactly the same outside view your customer's auditor assesses.
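The "remediation status" column of that attachment is easy to produce yourself. The following is an added example, not part of the original article or of any Exposentry or OpenKAT code: it applies the 14-day (critical) and 30-day (other) targets from the answer above to a constructed set of scan findings and prints a dated status report. Hosts, titles and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation targets as stated in the example answer:
# critical findings within 14 days, everything else within 30 days.
SLA_DAYS = {"critical": 14}
DEFAULT_SLA_DAYS = 30
REPORT_DATE = date(2026, 6, 1)   # hypothetical date of this month's report

@dataclass
class Finding:
    host: str                       # externally exposed system from the scan
    title: str
    severity: str                   # "critical", "high", "medium" or "low"
    first_seen: date                # date the scanner first reported it
    fixed_on: Optional[date] = None  # None while the finding is still open

def sla_deadline(f: Finding) -> date:
    """Last acceptable remediation date for this finding."""
    return f.first_seen + timedelta(days=SLA_DAYS.get(f.severity, DEFAULT_SLA_DAYS))

def classify(f: Finding, report_date: date) -> str:
    """Remediation status as an auditor would read it on the report date."""
    deadline = sla_deadline(f)
    if f.fixed_on is not None:
        return "fixed in SLA" if f.fixed_on <= deadline else "fixed late"
    return "open in SLA" if report_date <= deadline else "OVERDUE"

def remediation_report(findings, report_date: date) -> list[str]:
    """Dated, repeatable evidence: one line per finding plus a summary line."""
    lines = [f"External vulnerability scan, remediation status as of {report_date.isoformat()}"]
    counts: dict[str, int] = {}
    for f in sorted(findings, key=sla_deadline):
        status = classify(f, report_date)
        counts[status] = counts.get(status, 0) + 1
        lines.append(f"{f.host:<18}{f.severity:<10}{f.title:<26}due {sla_deadline(f)}  {status}")
    lines.append("Summary: " + ", ".join(f"{k}: {v}" for k, v in sorted(counts.items())))
    return lines

# Constructed sample findings (hypothetical hosts and dates, not real scan data).
SAMPLE_FINDINGS = [
    Finding("vpn.example.com", "Outdated VPN firmware", "critical", date(2026, 5, 4), date(2026, 5, 15)),
    Finding("mail.example.com", "TLS 1.0 enabled", "medium", date(2026, 4, 20), date(2026, 5, 28)),
    Finding("www.example.com", "Missing HSTS header", "low", date(2026, 5, 25)),
    Finding("erp.example.com", "Admin panel reachable", "critical", date(2026, 5, 10)),
]

if __name__ == "__main__":
    print("\n".join(remediation_report(SAMPLE_FINDINGS, REPORT_DATE)))
```

Run it monthly against the real scanner export and keep each output: the sequence of dated reports is the structural evidence the auditor is looking for.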

2. Do you use Multi-Factor Authentication (MFA) on all systems?

What they are really asking: can a stolen or leaked password of one of your employees lead to access to systems — and thereby possibly to our data?

Strong answer: be specific about where MFA is and is not enabled. "MFA is mandatory on email, VPN, our administration system and all management interfaces. For [system X] MFA is not yet available; this system is only reachable from office IP addresses." Honesty about an exception, with a compensating measure, comes across as more credible than a blanket "yes, everywhere" — auditors see through that.

3. What is your procedure in the event of a data breach or ransomware attack?

What they are really asking: if you get hit, how quickly will we know? NIS2 organisations have tight reporting deadlines themselves (24 and 72 hours) and can only meet them if their suppliers report quickly.

Strong answer: mention your internal response plan, but above all the commitment towards the customer: "In the event of an incident that may affect your data or services, we inform your designated contact within 24 hours via [channel]. Our incident response plan is available for review on request; we rehearse it annually." If you do not have a response plan yet: the Digital Trust Center of the Dutch Ministry of Economic Affairs offers free templates that work well for SMEs.

4. How do you verify the security of your own (sub)suppliers?

What they are really asking: the chain does not stop with you. Your hosting provider, your software vendors and your IT administrator are just as relevant to our risk analysis.

Strong answer: make a simple list of your critical suppliers (hosting, email, accounting software, IT management) and describe per supplier how you safeguard security: certifications (ISO 27001, SOC 2), data processing agreements, or your own periodic checks. You do not have to audit Microsoft — referring to their certifications is exactly what the auditor expects.

How do you give an answer the corporate auditor accepts?

Three principles make the difference between a questionnaire that bounces between departments and one that is accepted in one go:

Principle 1: Claim nothing you cannot show
What it means: every "yes" needs a document, report or setting behind it.
Example: scan report, MFA policy, response plan, supplier list.

Principle 2: Be honest about what is not (yet) in order
What it means: a planned improvement with a date is acceptable; an exposed overclaim is not.
Example: "MFA on system X follows in Q3; until then IP restriction applies."

Principle 3: Provide dated, repeatable evidence
What it means: a snapshot ages; the auditor wants to see you do it structurally.
Example: monthly scan reports instead of one pentest from 2024.

The pattern behind all four questions is always the same: demonstrate, don't assert. And that is exactly why it pays not to scrape the evidence together per questionnaire, but to build it up structurally. Whoever receives a dated, independent report of their external attack surface every month answers question 1 with a single attachment from now on — and for questions 2 and 4 immediately has the evidence that management interfaces are not exposed to the internet.

Conclusion

A NIS2 supplier questionnaire is not an exam you can fail, but an opportunity to stand out. Most of your competitors answer with generalities; the supplier who describes concrete processes and includes dated evidence stands out positively with exactly the people who decide on contract renewal.

Exposentry delivers that evidence as a service: monthly, independent scan reports of your domain and infrastructure that you attach directly to the questionnaire. No compliance stamp — but defensible evidence of your basic hygiene, built on OpenKAT. See the plans and pricing or start today with a first scan, so you have the report ready before the next questionnaire arrives.

Are you a large organisation receiving questionnaires back from suppliers that you want to verify? Then have a look at supplier monitoring.

Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides NL-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.