
NIS2 supplier questionnaires: what UK vendors are being asked in 2026

Dean Cookson · 9 min read

NIS2 is the EU's revised Network and Information Security directive. It expands the original NIS regime to a much wider set of sectors and entity types, and it sharpens the obligations on those entities to manage cybersecurity risk in their supply chain. The directive became member-state law across the EU from October 2024 onwards, with implementation varying by country.

The UK is not in scope for NIS2 directly. UK suppliers feel the impact anyway, because in-scope EU entities have to evidence supply-chain security risk management against suppliers wherever those suppliers are based. That evidence is collected through supplier questionnaires, vendor risk assessments, and contract clauses. If you sell into an EU bank, an EU energy company, an EU healthcare provider, or any of the dozens of other sectors NIS2 brings in scope, you are seeing NIS2-shaped questionnaires whether or not the directive applies to your business.

What NIS2 requires of the entities asking the questions

Three obligations sit upstream of every NIS2 supplier questionnaire:

  • Risk management. In-scope entities must put in place "appropriate and proportionate" technical, operational and organisational measures to manage the risks to network and information systems they use. That includes the security of supply chains and supplier relationships.
  • Incident reporting. Significant incidents must be reported to the relevant national authority within 24 hours of awareness, with follow-up reporting at 72 hours and one month. Supplier-driven incidents count.
  • Management responsibility. Senior management of in-scope entities are personally accountable for compliance. Fines and personal liability are real and have started to be enforced in 2026.

The third point matters most for the supplier questionnaires you receive. The questionnaire is not a procurement formality. It is part of how an EU management board evidences personal compliance.

The questions UK suppliers are typically being asked

NIS2 supplier questionnaires vary by buyer and sector, but a common core has settled out by mid-2026. Expect to be asked about:

  • Risk analysis and information system security policies. Do you have a documented information security policy, an ISMS, and a current risk register?
  • Incident handling. What is your incident response process, what is your detection capability, and within what timeline can you report a confirmed incident affecting customer data?
  • Business continuity. Backup management, disaster recovery, crisis management. How often are these tested, and when were they last tested?
  • Supply chain security. How do you assess your own subcontractors and direct suppliers? NIS2 explicitly propagates the supply-chain obligation down at least one level.
  • Vulnerability management. Patching cadence, vulnerability disclosure policy, evidence of timely action on critical CVEs.
  • Encryption and cryptography. Data at rest, data in transit, key management.
  • Multi-factor authentication and access control. Both for your customers' data and for your own administrative access.
  • Training and awareness. Frequency, mandatory completion rates, and role-specific training for privileged access holders.

The ISO 27001 control set covers most of these. SOC 2 covers many of them. Neither covers all of them word-for-word, which is where suppliers without one or the other certification end up writing the most novel content.

What the buyer is really looking for

NIS2 questionnaires get scored against a "could we defend this to our regulator" standard rather than a strict pass-or-fail. That has two consequences for how you respond:

  • Specifics beat assurances. "We patch critical vulnerabilities within 7 days based on CVSS score" beats "we have a robust patching process". Evidence, then explanation, then exception handling.
  • Be straightforward about gaps. NIS2 buyers prefer a supplier who admits they do not currently meet a control and gives a remediation date to one who answers in language vague enough to be deniable later. Their auditor will be sympathetic to a clear remediation plan and unsympathetic to creative wording.

How to structure your response

The structural advice mirrors broader security-questionnaire practice but with NIS2-specific calibration:

  • Maintain a controls library that maps your evidence to ISO 27001 Annex A, plus a NIS2-specific overlay for the controls that NIS2 emphasises beyond ISO (incident reporting timelines, supply-chain due diligence, management responsibility).
  • For each NIS2-specific control, hold a one-paragraph statement of what you do, the evidence document, and the freshness date.
  • When a NIS2 questionnaire lands, the first response should be largely a retrieval exercise. The 10 to 20 per cent that does not retrieve cleanly is the work that warrants InfoSec time.
  • Track the questionnaires you respond to. Many EU buyers iterate the same questionnaire annually. Your second response to the same buyer should be a delta on the first, not a fresh draft.
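A minimal model of the controls library and retrieval exercise described above, added here as an illustration and not Bidwell's own code: each control carries a one-paragraph statement, its evidence document and a freshness date, questionnaire items are mapped to controls, and anything missing or stale is escalated to InfoSec rather than guessed at. The control ids, file names, dates and questions are constructed for the example.

```python
# Added example (not Bidwell's code): a controls library with a NIS2 overlay,
# used to draft answers by retrieval, flag stale evidence and gaps for InfoSec,
# and diff against last year's response. Ids, files and dates are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
@dataclass
class Control:
    statement: str   # one-paragraph statement of what you do
    evidence: str    # the evidence document
    reviewed: date   # freshness date of that evidence

# Keys are ISO 27001 Annex A ids plus a NIS2 overlay id (constructed values).
LIBRARY = {
    "A.8.8": Control("Critical CVEs patched within 7 days, prioritised by CVSS.",
                     "vuln-mgmt-policy-v4.pdf", date(2026, 1, 15)),
    "A.5.24": Control("Documented IR process; customers notified within 24h.",
                      "ir-runbook.md", date(2025, 3, 2)),
    "NIS2.SUPPLY": Control("Annual due diligence on every direct supplier.",
                           "supplier-register.xlsx", date(2026, 4, 1)),
}

# (question id, question text, control expected to answer it); Q4 has none.
QUESTIONNAIRE = [
    ("Q1", "Patching cadence for critical vulnerabilities?", "A.8.8"),
    ("Q2", "Timeline for reporting a confirmed incident?", "A.5.24"),
    ("Q3", "How do you assess your own subcontractors?", "NIS2.SUPPLY"),
    ("Q4", "Key management for data at rest?", "A.8.24"),
]

def draft(questionnaire, library, today, max_age_days=365):
    """Map each question to a drafted answer, or escalate a gap / stale evidence."""
    answers = {}
    for qid, _text, cid in questionnaire:
        ctl = library.get(cid)
        if ctl is None:
            answers[qid] = f"GAP: no evidence for {cid}; route to InfoSec"
        elif today - ctl.reviewed > timedelta(days=max_age_days):
            answers[qid] = f"STALE: {ctl.evidence} last reviewed {ctl.reviewed}"
        else:
            answers[qid] = f"{ctl.statement} [source: {ctl.evidence}, {ctl.reviewed}]"
    return answers

def retrieval_rate(answers):
    """Fraction drafted cleanly from the library; the rest is InfoSec work."""
    clean = sum(not a.startswith(("GAP", "STALE")) for a in answers.values())
    return clean / len(answers)

def delta(previous, current):
    """Question ids whose answer changed since the last response to this buyer."""
    return sorted(q for q in current if previous.get(q) != current[q])
```

Run `draft(QUESTIONNAIRE, LIBRARY, date(2026, 6, 1))` to see two clean retrievals, one stale evidence flag and one gap; `delta` against the stored previous response gives the buyer-specific rework list.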

Where this is heading

By the end of 2026, expect three trends in NIS2 supplier questionnaires:

  • Convergence on a common skeleton. The variability across questionnaires is shrinking as sector bodies publish shared templates. CAIQ-style consolidation is plausible within twelve months.
  • Contractual flow-down. Buyers are increasingly attaching the questionnaire answers to the contract as supplier representations. Wording matters more than it used to.
  • Annual recertification. Expect to refresh responses annually as a contract maintenance step, not only at procurement renewal.

How Bidwell helps

Bidwell drafts NIS2 supplier questionnaire responses from your existing evidence library. ISO certificate, SOC 2 report, policies, runbooks, training records, supplier register, all indexed and mapped to the NIS2-specific control overlay. New questionnaires return drafted answers with the source attached. Gaps are surfaced for InfoSec rather than guessed at by sales.

The practical move if you are seeing your first NIS2-shaped questionnaire from an EU customer: index your controls inventory first, NIS2-overlay it second, draft the response third. The next questionnaire from the next EU customer pays back the investment.
