NIS2 supply chain readiness

NIS2 supplier readiness diagnostic for SMEs

In 10 minutes, spot the security gaps that can block an NIS2 procurement review: governance, backups, MFA, incidents, subcontractors and the evidence customers expect.

Crawlable FR/EN content, usable without an account, built for SME suppliers and their B2B customers.

NIS2 supplier readiness diagnostic

The kit turns NIS2 expectations into simple evidence to collect before procurement reviews, customer due diligence or cyber insurance requests.

01 Qualify exposure

Map the supplier against processed data, operational dependency and connections to customer systems.

02 Check controls

Review minimum controls: MFA, backups, patching, logging, access governance and incidents.

03 Produce evidence

Prepare a clear procurement response with policies, incident procedure and remediation email.

Supplier security questionnaire

Answer yes, partial or no. The score shows whether the supplier is presentable, needs work, or is too risky for a critical relationship.

1. Is an owner or executive assigned to track customer NIS2 requirements?

Named accountability prevents vague audit answers.

2. Do administrator and remote access accounts use active MFA?

MFA is expected for privileged access and cloud tools.

3. Are critical backups restored regularly?

Customers expect restoration evidence, not just a configured backup.

4. Is there an incident procedure with customer alert timelines?

NIS2 increases alerting and coordination expectations.

5. Is critical software patched through vulnerability tracking?

A maintained spreadsheet is enough to start.

6. Are subcontractors touching customer data listed and controlled?

Subcontracting chains are sensitive in NIS2 reviews.

7. Do employees receive phishing and password awareness training?

Short tracked training beats an unproven intention.

8. Are logs from critical systems retained and usable?

Without logs, incident analysis is fragile.

9. Is sensitive customer data encrypted at rest or in transit?

Clarify flows, storage and exceptions.

10. Does a continuity plan cover critical services?

Customers need to know how you remain operational during a crisis.

11. Do customer contracts include cyber, notification and cooperation clauses?

Security clauses should be reviewed before signature.

12. Is evidence assembled in a shared, dated folder?

A clean file accelerates procurement validation.

NIS2 minimum controls checklist

Six pragmatic measures to put in place before answering a customer questionnaire.

Privileged MFA

Mandatory MFA on administrators, email, VPN, cloud consoles and development tools.

Tested backups

Offline or immutable backups, dated restoration test and assigned owner.

Incident procedure

Severities, contacts, customer escalation timelines, evidence retention and crisis channel.

Inventory and patching

Critical asset list, CVE tracking, remediation priority and accepted exceptions.

Supplier control

Listed subcontractors, minimum clauses, data location and security contacts.

Evidence pack

Shared folder with policies, test logs, attestations, screenshots and owners.

Policy and email templates

Short texts to start supplier remediation without waiting for an external consultancy.

Policy

Minimum supplier security policy

Policy base to attach to procurement files or customer contracts.

Subject: minimum supplier security controls

We maintain MFA on privileged access, tested backups, a critical asset register and an incident procedure including customer notification. Exceptions are documented, dated and tracked until remediation.

Email

MFA remediation request

Email ready to send to a supplier before an NIS2 review.

Hello,

As part of our NIS2 review, please confirm within 10 days that MFA is active on administrator accounts, VPN, email and cloud consoles. If any scope remains excluded, please share the target date and compensating control.

Regards,

Procedure

Customer incident notification

Procedure outline for the first 24 hours.

Trigger: suspected impact on customer data or service.
Actions: isolate, log, qualify severity, notify the customer contact, preserve evidence and communicate updates until closure.

NIS2 supplier guides

SEO pages to capture supplier compliance searches and convert them into audits.

Need a quick supplier audit?

The form opens a pre-filled email to request a short NIS2 review. No secret or sensitive data is stored by the site.

Request a review