NIS2 Vendor Security Questionnaire 2026: 40 Questions Your Enterprise Customers Will Ask — and How to Prepare Your Answers

Post #868 in the sota.io EU Cyber Compliance Series

The BSI (Germany's Federal Office for Information Security) reported in April 2026 that only 11,500 of approximately 29,500 companies required to register under the German NIS2UmsuCG have done so. Enforcement is now active. This creates a cascading effect: NIS2-regulated companies must demonstrate supply chain security under Article 21(2)(d), which means they must audit every SaaS vendor that touches their operations. If you provide SaaS to German banks, healthcare providers, energy companies, or critical infrastructure operators — you are already receiving, or will shortly receive, a vendor security questionnaire.

This guide explains what those questionnaires contain, what they are legally grounded in, what artifacts you need to prepare, and how your hosting and infrastructure choices affect your ability to answer them.

Why NIS2 Generates Vendor Questionnaires

NIS2 Article 21 establishes a risk-based approach to cybersecurity for essential and important entities. Article 21(2)(d) specifically requires these entities to address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

This is not a box-ticking exercise. Under NIS2 Article 32, national competent authorities conduct proactive supervision of essential entities, including "targeted security audits." An essential entity that cannot demonstrate that it has audited its critical SaaS vendors is itself in violation of Article 21(2)(d). The consequence: the entity audits its vendors, or it faces NCA scrutiny for failing to do so.

The audit cascades downward. Your customer — the NIS2 entity — is legally required to ask you these questions. You are not legally required by NIS2 to answer them (unless you are yourself an essential or important entity), but commercially you must. Customers are already deprioritizing vendors who cannot produce adequate documentation.

The enforcement timeline has arrived:

• NIS2 Directive transposition deadline: October 17, 2024
• German NIS2UmsuCG in force: November 2024
• BSI registration deadline: March 6, 2026 (elapsed)
• BSI audit announcements: April–May 2026 (active)

NIS2-regulated enterprises that have not audited their vendors are now behind. Questionnaires are going out now.

The Five Categories of NIS2 Vendor Questions

NIS2 vendor questionnaires are typically structured around the ten risk management measures in Article 21(2):

1. Policies for risk analysis and information security (21(2)(a))
2. Incident handling (21(2)(b))
3. Business continuity, backup and DR (21(2)(c))
4. Supply chain security (21(2)(d))
5. Security in network acquisition, development, and maintenance (21(2)(e))
6. Effectiveness assessment including penetration testing (21(2)(f))
7. Basic cyber hygiene practices (21(2)(g))
8. Cybersecurity training (21(2)(h))
9. Cryptography and encryption (21(2)(i))
10. Access control and asset management (21(2)(j))
11. Use of multi-factor authentication (21(2)(k))

Most questionnaires add an eleventh category: data residency and legal jurisdiction — driven by GDPR Article 44, the CLOUD Act, and the post-Schrems II transfer impact assessment requirement. This is where EU-hosted versus US-hosted infrastructure becomes decisive.

The 40 Questions: Category by Category

Category 1: Information Security Management (NIS2 Art. 21(2)(a))

Question 1: Do you maintain a documented Information Security Management System (ISMS)? Is it certified to ISO/IEC 27001 or equivalent?

What they want to see: ISO 27001 certificate (current, with scope covering your SaaS offering), or a documented ISMS with evidence of annual reviews. SOC 2 Type II also accepted by most enterprise security teams.

Question 2: What is the date of your most recent ISMS review or audit? Who conducted it?

What they want to see: Date within the last 12 months. Internal audit report or third-party audit report. Not the certificate date — the most recent surveillance audit date.

Question 3: Do you maintain a documented risk register? How frequently is it updated?

What they want to see: Evidence of a live risk register. Quarterly review cycle is typically acceptable; annual is borderline.

Question 4: Do you have a documented information security policy accessible to all staff?

What they want to see: Policy document (redacted is fine), evidence of staff acknowledgement, version control.

Category 2: Incident Handling (NIS2 Art. 21(2)(b))

Question 5: Do you have a documented incident response plan (IRP)?

What they want to see: IRP document, version-controlled, with defined roles. Include classification criteria (minor/major/critical).

Question 6: What is your process for notifying customers of a security incident affecting their data?

What they want to see: Specific notification SLA. Best practice: 24 hours for critical incidents, 72 hours for major — mirroring NIS2/GDPR timelines. Named point of contact or security inbox.

Question 7: How many security incidents have you experienced in the past 12 months? Were any material?

What they want to see: Honest disclosure. Customers know zero incidents often means zero detection. Provide incident count + resolution summary, no customer-identifying detail. "Zero material incidents" with a definition of "material" is acceptable.

Question 8: Have you experienced any data breach in the last 24 months requiring regulatory notification under GDPR Article 33?

What they want to see: Yes/No with brief description if Yes. Supervisory authority notification reference number if applicable.

Question 9: Who is your primary incident response contact? What is the SLA for initial response to a customer-reported potential incident?

What they want to see: Named role (not just a shared inbox). Response SLA in business hours or absolute hours. Escalation path.

Category 3: Business Continuity and Backup (NIS2 Art. 21(2)(c))

Question 10: What is your documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO)?

What they want to see: Specific numbers (e.g., RTO: 4 hours, RPO: 1 hour), not "we have backups." Enterprise customers often require RTO ≤ 4 hours and RPO ≤ 1 hour for critical services.

Question 11: How frequently are backups taken? Where are they stored?

What they want to see: Frequency (daily minimum, hourly preferred), storage location (separate region or AZ), retention period, encryption status.

Question 12: When was your most recent DR test? What were the results?

What they want to see: Test date within 12 months, test type (tabletop/functional/full), pass/fail status, remediation actions if failed.

Question 13: Is your backup storage geographically separate from your primary production environment?

What they want to see: Yes, with location. For EU-jurisdiction questions, backup location matters as much as primary.

Category 4: Access Control and Authentication (NIS2 Art. 21(2)(j) and (k))

Question 14: Do you enforce multi-factor authentication (MFA) for all privileged access to production systems?

What they want to see: Yes. Acceptable methods: TOTP, FIDO2/WebAuthn, hardware security keys. SMS is increasingly flagged as insufficient for privileged access by enterprise security teams.

Question 15: Do you enforce MFA for all employee access to your SaaS platform administration interfaces?

What they want to see: Same as above. Enterprise customers increasingly require MFA to be phishing-resistant (FIDO2) for administrative access.

Question 16: How do you manage privileged access? Do you use Privileged Access Management (PAM) tooling?

What they want to see: PAM tool name if applicable (CyberArk, BeyondTrust, HashiCorp Vault, Teleport). If no dedicated PAM: break-glass account procedures, session recording for privileged access.

Question 17: What is your joiner-mover-leaver process for employee access? How quickly is access revoked upon termination?

What they want to see: Same-day or 24-hour revocation SLA. Evidence of periodic access reviews (quarterly or semi-annual).

Question 18: Do you conduct regular access reviews for all production systems?

What they want to see: Frequency (quarterly minimum), scope (includes third-party access, service accounts), process (manager sign-off or automated).

Category 5: Vulnerability Management and Penetration Testing (NIS2 Art. 21(2)(f))

Question 19: Do you conduct regular penetration tests? By whom, and on what frequency?

What they want to see: Annual external penetration test by accredited third party (CREST, CHECK, OSCP-certified tester). Scope includes application and infrastructure. Report summary available under NDA.

Question 20: Do you have a responsible disclosure or vulnerability disclosure program (VDP)?

What they want to see: Published security.txt or VDP policy. Contact address for reporting vulnerabilities. Response SLA for submitted reports.

Question 21: What is your patch management SLA for critical security vulnerabilities (CVSS ≥ 9.0)?

What they want to see: Critical: 24–48 hours (for internet-facing components). High: 7 days. Medium: 30 days. Enterprise customers may fail you if critical patch SLA exceeds 72 hours.

Question 22: Do you perform regular automated vulnerability scanning of your infrastructure and application stack?

What they want to see: Tool name (Qualys, Tenable, Rapid7, Trivy for containers), scan frequency, process for triaging findings.

Category 6: Network and Application Security (NIS2 Art. 21(2)(e))

Question 23: How do you segregate your production environment from development and test environments?

What they want to see: Network-level segregation (separate VPCs, VLANs), no production credentials in dev/test, separate cloud accounts or projects for each environment.

Question 24: Do you use a web application firewall (WAF)?

What they want to see: WAF provider (Cloudflare, AWS WAF, Azure Front Door, ModSecurity), coverage (all internet-facing endpoints), OWASP Top 10 coverage.

Question 25: How do you handle DDoS protection?

What they want to see: DDoS mitigation at network or CDN layer. Provider name and SLA.

Question 26: Do you encrypt data in transit? What protocols and cipher suites are used?

What they want to see: TLS 1.2 minimum, TLS 1.3 preferred. Certificate authority. HSTS configured. No SSLv3/TLS 1.0/1.1.

Question 27: Do you encrypt data at rest? What encryption standard and key management approach?

What they want to see: AES-256. Key management: hardware security modules (HSM) or cloud KMS. Customer-managed keys: bonus points, not required.

Category 7: Subprocessor and Supply Chain Security (NIS2 Art. 21(2)(d) and GDPR Art. 28)

Question 28: Do you maintain a current list of all subprocessors (third-party services) that have access to customer data?

What they want to see: List with service name, country, data categories processed, legal basis for transfer. This is also required under GDPR Article 28(3)(d). The two requirements reinforce each other.

Question 29: How do you assess the security posture of your subprocessors?

What they want to see: Subprocessor security review process (annual minimum), evidence of ISO 27001/SOC 2 review for critical subprocessors, contractual security requirements passed down.

Question 30: What contractual security requirements do you impose on your subprocessors?

What they want to see: Security clauses in subprocessor agreements, right to audit, incident notification requirements, data processing agreements (GDPR Art. 28 DPA).

Category 8: Data Residency and Legal Jurisdiction (GDPR Art. 44 + CLOUD Act)

This category is outside NIS2's literal text but appears in every German/French/Dutch enterprise questionnaire because NIS2-regulated entities are also GDPR-regulated and because the CLOUD Act creates a specific risk to supply chain security.

Question 31: Where is customer data stored and processed? In which countries and legal jurisdictions?

What they want to see: Specific countries (not just "EU"). Frankfurt and Amsterdam data centers are not the same as US-headquartered "EU region" offerings if the parent company is subject to US law.

Question 32: Is your infrastructure subject to any non-EU law that could compel disclosure of customer data without the customer's consent? Specifically, is your parent company or hosting provider subject to the US CLOUD Act?

What they want to see: For US-headquartered providers: honest acknowledgment of CLOUD Act exposure. For EU-headquartered providers: confirmation of absence. This is increasingly a hard-fail question in German critical infrastructure procurement.

Question 33: Do you have an EU-based legal entity that is the data controller for EU customer data?

What they want to see: EU company registration. Not "our US parent has signed SCCs." A genuinely EU-controlled legal entity.

Question 34: Can you provide a Transfer Impact Assessment (TIA) or confirmation that no cross-border transfer of EU personal data occurs to third countries without adequate safeguards?

What they want to see: For EU-only infrastructure: confirmation that no transfer occurs. For US-provider-hosted infrastructure: TIA document, supplementary measures, legal analysis of CLOUD Act exposure under GDPR Chapter V.

Category 9: Logging, Monitoring and Audit (NIS2 Art. 21(2)(a) and general)

Question 35: Do you maintain security event logging for all production systems? What is the retention period?

What they want to see: Centralized SIEM or log aggregation. Retention: 12 months minimum (NIS2 entities often require 24 months for logs relevant to their security). Tamper-evident storage.

Question 36: Do you provide customer-accessible audit logs of actions taken on customer data (including administrative access)?

What they want to see: Audit log export capability, including privileged administrative operations. This feeds into NIS2 Art. 21(2)(a) (risk analysis) and GDPR Art. 32 (security of processing) for the customer.

Question 37: Do you monitor for anomalous access or behavioral indicators of compromise in real time?

What they want to see: SIEM with alerting, threat detection rules, on-call security coverage (24/7 or defined response windows).

Category 10: Physical and Personnel Security

Question 38: What background check policy do you apply to employees with access to production systems?

What they want to see: Criminal record check, identity verification, references for roles with privileged access. Frequency of repeat checks.

Question 39: What physical security controls protect your data center or office environments where production access occurs?

What they want to see: For colocation/IaaS: your provider's ISO 27001/SOC 2 covers physical. For office-based production access: clean desk policy, screen lock, badge access.

Question 40: What cybersecurity training do you provide to all staff? How frequently?

What they want to see: Annual security awareness training (minimum). Phishing simulation results. Role-specific training for developers (OWASP, secure coding) and for privileged administrators.

How to Structure Your Vendor Security Package

Enterprise security teams receive hundreds of questionnaires annually. Those who can provide a pre-prepared vendor security pack — rather than making the security team fill in a unique form per customer — significantly reduce friction. Here is the standard package:

Tier 1 — Available on request without NDA:

• ISO 27001 certificate (current, scoped to production SaaS)
• SOC 2 Type II report executive summary (if applicable)
• Penetration test executive summary (date, scope, overall result)
• Subprocessor list (without sensitive commercial details)
• Privacy Policy and Data Processing Agreement template
• Security contact information and incident notification SLA

Tier 2 — Available under NDA:

• Full penetration test report
• Detailed ISMS documentation
• DR test results
• Detailed access control architecture

Tier 3 — Customer-specific:

• Signed Data Processing Agreement (GDPR Art. 28) including subprocessor annex
• Transfer Impact Assessment if applicable
• Custom questionnaire responses for regulated sector requirements (DORA, HIPAA, KRITIS)

How Hosting Location Answers 12 Questions Automatically

The single variable that most simplifies NIS2 vendor questionnaires is where your infrastructure runs and who owns it.

For Questions 31–34 (data residency and legal jurisdiction), the architecture is decisive:

When you run on EU infrastructure with an EU-incorporated provider, Questions 31–34 take two sentences each. When you run on AWS Frankfurt, you spend weeks producing a Transfer Impact Assessment that enterprise legal teams increasingly reject.

This is not a marginal advantage. German Bundesbehörden (federal agencies) and KRITIS-sector enterprises are now issuing "must be EU-sovereign" requirements as go/no-go criteria before the questionnaire is even sent.

Preparing for Sector-Specific Variants

NIS2 vendor questionnaires vary by sector. Enterprises in regulated sectors stack additional requirements:

Banking and Finance (DORA): DORA Article 28 requires financial entities to conduct "due diligence" on ICT third-party providers, including contractual rights to audit, performance and availability SLAs (with exit provisions), and mandatory incident reporting channels. DORA questionnaires are typically longer and more technically detailed than standard NIS2 questionnaires.

Healthcare: The German Krankenhaus-Einsatz-Verordnung (KhKV-EV) adds requirements for pseudonymization and for EU-only processing of patient data. Dutch and Belgian healthcare regulators impose similar restrictions.

Energy and Critical Infrastructure: KRITIS operators under BSI Gesetz §10 must contractually require their critical SaaS vendors to notify them of incidents within 24 hours. This is stricter than NIS2's 24-hour early warning + 72-hour detailed notification structure.

Government: Federal agencies increasingly require hosting on BSI-certified cloud infrastructure. Commercial cloud offerings from US providers are excluded from many federal procurements even where SCCs are offered.

The Bottom Line: Build the Package Before the Request Arrives

The NIS2 vendor audit wave started in Q1 2026 and will intensify through 2026 and 2027. Enterprises that receive questionnaire responses within 48 hours, with pre-prepared documentation packages, will retain supplier relationships. Those that cannot answer Questions 31–34 credibly — especially on CLOUD Act and data residency — will see contract reviews.

For SaaS vendors, the action items are:

1. Audit your stack for the 40 questions above. Identify gaps before your customers do.
2. Prepare a vendor security pack (Tier 1 + Tier 2). At minimum: ISO 27001 or SOC 2 executive summary, pen test summary, incident notification SLA, subprocessor list.
3. Document your data residency. Not just "EU region" — which legal entity owns the infrastructure, which country the servers are in, whether your hosting provider is subject to non-EU law.
4. Get your DPAs signed. NIS2 questionnaires and GDPR Art. 28 DPA requests arrive together. Have the template ready.
5. Set up a security contact. security@yourdomain.com, monitored, with a published response SLA.

If your infrastructure runs in the EU with an EU-incorporated provider, Questions 31–34 become evidence of competitive advantage rather than a compliance gap. The NIS2 enforcement wave is producing real procurement criteria — and EU-hosted vendors are increasingly winning deals that US-hosted alternatives cannot close.

sota.io deploys your applications entirely within the EU, on infrastructure operated by an EU-incorporated entity not subject to the US CLOUD Act. Questions 31–34 on every NIS2 vendor questionnaire have straightforward, positive answers — documented in minutes, not weeks.