
NIS2 supplier questionnaire (SAQ): what to ask, how to score it, and a free template

A supplier security questionnaire is the backbone of NIS2 Article 21(2)(d) due diligence — but most are too long, poorly scored, and never verified. This guide covers what to actually ask, how to turn answers into decisions, how to respond when a supplier falls short, and the one weakness every questionnaire shares. It ends with a ready-to-use template you can adapt.

What to ask — the six domains that matter

A good questionnaire is short and decision-focused. Cover these six areas; resist the urge to add fifty more boxes that no one will score.

1. Governance & accountability

Who owns security, and does leadership actually oversee it? NIS2 makes management accountable, so this is the first signal of maturity.

2. Access control & authentication

Weak authentication is the most common breach vector. Multi-factor authentication and least privilege are baseline expectations, not bonuses.

3. Incident response & notification

You need a supplier that can detect, contain and tell you fast — the 24-hour clock (Art. 23) can start with their incident, not yours.

4. Business continuity & backups

If the supplier goes down or is ransomed, how quickly do you get the service back? Tested backups and a stated recovery time matter.

5. Supply chain & fourth-party risk

Your supplier's suppliers are your risk too. Ask whether they assess their own critical subcontractors and notify you of changes.

6. Technical & data protection

Encryption, patching cadence and data location — the concrete controls that an external scan can later corroborate.

How to score answers — don't just collect them

A questionnaire only adds value if the answers change a decision. Score them, don't just file them:

  • Risk-weight by criticality — a 'no' on MFA from a supplier holding your customer data outweighs a missing policy document from a low-tier vendor. Weight the questions before you send them.
  • Treat 'in progress' as 'no' — until a control is in place and evidenced, score it as a gap with a remediation date, not a pass.
  • Flag the non-answers — vague or evasive responses are themselves a signal. Require specifics or supporting evidence rather than accepting a tick-box.
  • Re-baseline on a schedule — answers expire. A once-a-year questionnaire reflects a single day, not the year that follows it.

What to do when a supplier falls short

A gap is not automatically a reason to drop a supplier — but it must lead somewhere. Agree a remediation plan with named owners and dates, record it, and make material gaps contractual: a right to evidence, a fix-by date, and an escalation path if it slips.

For critical suppliers, tie remediation to the relationship: re-assessment before renewal, security clauses in the contract, and the right to request evidence — not just assertions. Document the decision either way. Accepting a residual risk is a legitimate choice, but only when it is a recorded, owned decision rather than an oversight.

The questionnaire's blind spot: self-attestation

Every answer in a questionnaire is a claim the supplier makes about themselves. Some are honest, some optimistic, some simply out of date by the time you read them. A questionnaire tells you what a supplier believes — or wants you to believe — about their security, not what is actually exposed on the internet.

That is why the strongest programmes pair the SAQ with external technical evidence. If a supplier answers 'yes, all traffic is encrypted' but a scan finds an expired certificate or a plaintext login form, you have a contradiction worth a conversation. The questionnaire captures process and intent; continuous external monitoring corroborates — or challenges — it. Use both.

A free questionnaire template you can adapt

Copy these sections into your own process. Keep answers to yes / no / in-progress plus an evidence field, so every claim can be backed up later.

1. Governance & accountability

  • Is there a named person accountable for information security?
  • Has senior management approved a security policy in the last 12 months?
  • Do staff receive security awareness training at least annually?

2. Access control & authentication

  • Is multi-factor authentication enforced for remote and administrative access?
  • Are access rights reviewed, and revoked promptly when roles change?
  • Is least privilege applied to systems holding our data?

3. Incident response & notification

  • Is there a documented incident response plan, tested in the last 12 months?
  • Can you notify us of a relevant incident within 24 hours?
  • Have you had a reportable breach in the last 24 months? If so, what changed?

4. Business continuity & backups

  • Are backups encrypted, tested, and stored offline or immutably?
  • What is your recovery time objective (RTO) for the service you provide us?
  • Do you have a disaster-recovery plan, and when was it last exercised?

5. Supply chain & fourth-party risk

  • Do you assess the security of your own critical subcontractors?
  • Will you notify us of changes to subprocessors handling our data?
  • Do you hold relevant certifications (e.g. ISO 27001)? Can you share the scope?

6. Technical & data protection

  • Is data encrypted in transit and at rest to current standards?
  • Do you run regular vulnerability scanning and patch on a defined schedule?
  • In which jurisdictions is our data stored and processed?

Source: Directive (EU) 2022/2555 (NIS2), Article 21(2)(d) — supply chain security — map your questions to the Art. 21 measures and your national transposition law.
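The scoring rules from "How to score answers" and the cross-validation idea from "The questionnaire's blind spot", applied to the template above, as an added example in Python. This is not norppa.io's code or scoring model: the question ids, the weights, the tier multiplier, the contradiction mapping, and the sample supplier's answers and scan observations are all constructed assumptions. It treats an unevidenced 'yes' and any free-text reply as a non-answer, scores 'in progress' as a gap with its remediation date, scales gap exposure by supplier criticality so the same gap ranks higher at a supplier holding your data, marks the assessment stale after a year, and flags a 'yes' that a scan observation contradicts.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Template questions as (id, domain, weight). Ids and weights are assumptions:
# a higher weight means a failed answer matters more. Subset of the template.
QUESTIONS = [
    ("GOV-1", "Governance", 2), ("GOV-2", "Governance", 1),
    ("ACC-1", "Access control", 5), ("ACC-2", "Access control", 3), ("ACC-3", "Access control", 3),
    ("IR-1", "Incident response", 3), ("IR-2", "Incident response", 5),
    ("BCP-1", "Business continuity", 4), ("BCP-2", "Business continuity", 2),
    ("SC-1", "Supply chain", 2), ("SC-2", "Supply chain", 2),
    ("TEC-1", "Technical", 5), ("TEC-2", "Technical", 3),
]
WEIGHTS = {qid: w for qid, _, w in QUESTIONS}
DOMAINS = {qid: d for qid, d, _ in QUESTIONS}
# Assumed scan-result keys whose presence contradicts a 'yes' on that question.
CONTRADICTIONS = {
    "TEC-1": ("expired_certificate", "plaintext_login_form"),  # "encrypted in transit"
    "ACC-1": ("admin_portal_without_mfa",),                     # "MFA enforced"
}
VALID = {"yes", "no", "in progress", "in-progress"}

@dataclass
class Answer:
    value: str                 # 'yes', 'no', 'in progress', or free text
    evidence: str = ""         # document, link or description backing a 'yes'
    remediation_date: Optional[date] = None

@dataclass
class Finding:
    qid: str
    kind: str                  # 'gap', 'non-answer' or 'contradiction'
    detail: str
    weight: int                # criticality-adjusted weight, for ranking

def classify(qid, ans):
    """Apply the guide's rules to one answer; returns (passed, Finding or None)."""
    v, w = ans.value.strip().lower(), WEIGHTS[qid]
    if v not in VALID:         # vague prose is a signal, not an answer
        return False, Finding(qid, "non-answer", f"free text {ans.value!r}: require yes/no plus evidence", w)
    if v == "yes":
        if not ans.evidence.strip():   # an unevidenced 'yes' is a tick-box
            return False, Finding(qid, "non-answer", "'yes' with no evidence attached", w)
        return True, None
    if v.startswith("in"):     # 'in progress' scores as 'no' until evidenced
        due = ans.remediation_date.isoformat() if ans.remediation_date else "NO DATE AGREED"
        return False, Finding(qid, "gap", f"in progress, remediation due {due}", w)
    return False, Finding(qid, "gap", "control not in place", w)

def score_saq(answers, supplier_tier, assessed_on, today, max_age_days=365):
    """Score every question. supplier_tier (1..3) scales exposure so gaps at a
    supplier holding customer data outrank the same gaps at a low-tier vendor."""
    findings, earned, possible = [], 0, 0
    for qid, w in WEIGHTS.items():
        passed, finding = classify(qid, answers.get(qid, Answer("")))
        possible += w
        if passed:
            earned += w
        else:
            finding.weight = w * supplier_tier
            findings.append(finding)
    return {"score_pct": 100 * earned // possible,
            "exposure": sum(f.weight for f in findings),
            "findings": findings,
            "stale": (today - assessed_on).days > max_age_days}   # answers expire

def cross_validate(answers, observations):
    """Flag 'yes' claims that external scan observations contradict."""
    out = []
    for qid, keys in CONTRADICTIONS.items():
        ans = answers.get(qid)
        if ans and ans.value.strip().lower() == "yes":
            hits = [k for k in keys if observations.get(k)]
            if hits:
                out.append(Finding(qid, "contradiction", "claimed 'yes' but scan observed: " + ", ".join(hits), WEIGHTS[qid]))
    return out

def by_domain(findings):
    """Sum finding weight per domain, to structure the remediation conversation."""
    totals = {}
    for f in findings:
        totals[DOMAINS[f.qid]] = totals.get(DOMAINS[f.qid], 0) + f.weight
    return totals

# Constructed sample: a fictional supplier's SAQ and a fictional scan result.
SAMPLE_ANSWERS = {
    "GOV-1": Answer("yes", "CISO named in org chart"), "GOV-2": Answer("yes", "policy v3, board minutes"),
    "ACC-1": Answer("yes", "SSO config export"), "ACC-2": Answer("in progress", remediation_date=date(2025, 9, 30)),
    "ACC-3": Answer("yes"),                              # ticked, no evidence
    "IR-1": Answer("yes", "tabletop report"), "IR-2": Answer("we aim to notify as soon as practical"),
    "BCP-1": Answer("yes", "restore test log"), "BCP-2": Answer("no"),
    "SC-1": Answer("yes", "vendor register"), "SC-2": Answer("yes", "contract clause 12"),
    "TEC-1": Answer("yes", "TLS policy"), "TEC-2": Answer("yes", "patch SLA doc"),
}
SAMPLE_OBSERVATIONS = {"expired_certificate": True, "plaintext_login_form": False, "admin_portal_without_mfa": False}

def run_sample():
    report = score_saq(SAMPLE_ANSWERS, supplier_tier=3, assessed_on=date(2024, 3, 1), today=date(2025, 6, 1))
    report["contradictions"] = cross_validate(SAMPLE_ANSWERS, SAMPLE_OBSERVATIONS)
    report["by_domain"] = by_domain(report["findings"])
    return report

if __name__ == "__main__":
    r = run_sample()
    print(f"score {r['score_pct']}%  exposure {r['exposure']}  stale={r['stale']}")
    for f in r["findings"] + r["contradictions"]:
        print(f"  [{f.kind}] {f.qid} (w={f.weight}): {f.detail}")
```

The percentage is deliberately kept separate from the exposure figure: the percentage answers "how complete is this supplier's control set", while the tier-scaled exposure is what you sort on across your whole supplier list. A contradiction is reported as its own finding kind rather than silently turning the 'yes' into a 'no', because it is the conversation with the supplier, not the scan alone, that settles which side is right.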

How norppa.io helps

norppa.io sends self-assessment questionnaires (SAQ) to your suppliers directly from the platform — no spreadsheets, no chasing email threads. Responses are tracked, versioned and scored against the risk weighting above.

Crucially, each SAQ answer is cross-validated against the supplier's live technical risk profile (100+ checks, daily). Where a positive claim contradicts what we observe, norppa.io flags it as evidence-backed — so you see not just what suppliers say, but whether it holds up. The questionnaire's blind spot, closed.
