A customer sends us a NIS2 vendor questionnaire, how do I fill it in smartly?
NIS2-scoped customers must control their supply chain. Questionnaires range from light (a few pages) to heavy (full assurance report). Honest and consistent answers beat ticking yes everywhere.
Try this first
- 1Read the whole questionnaire first. Map which topics (ISMS, incident response, access control, BCM, vendor management) and at what depth.
- 2Collect evidence internally. Policy, ISMS scope, recent pen test, breach procedure, sub-processor contracts, awareness training. You reuse this every time.
- 3Answer honestly. A No with a roadmap beats a Yes without evidence. Customers probe and discrepancies hurt at audit.
- 4Keep a central NIS2 vendor file. A managed version of the most-asked answers saves time every round.
- 5Ask the customer which topics they prioritise. Sometimes only the incident-notification deadline is the cornerstone and the rest can be a growth path.
When to bring us in
If a question keeps coming back that you cannot honestly answer without an audit, be transparent and propose a joint follow-up.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.