Supplier Audit Questionnaire: 40 Questions for NIS2
TL;DR
- 40 questions in 8 sections: general security, GDPR, incident management, sub-suppliers, personnel, technical measures, recovery, audit rights
- Tier-based approach: Tier-1 (critical suppliers, at most the top 20) audited annually; Tier-2 every 2 years plus an annual self-assessment; Tier-3 every 3-5 years
- Top 7 red flags: no certification, repeated incidents, no BCM, third-country sub-processors without safeguards, no MFA, no encryption at rest, no audit rights
- Effort for an SME (small and medium enterprise, 50-250 employees): about 12 person-days for initial setup plus 3 person-days per year of operation
- Retention: keep audit results for 6 years (supervisory authority practice)
1. Section A: General security (8 questions)
1. ISO 27001 certified?
2. SOC 2 Type II report available?
3. Last external penetration test?
4. ISMS in place?
5. Risk management framework?
6. Disaster recovery plan?
7. BCM (business continuity management) plan?
8. Cyber insurance?
2. Section B: Data protection and GDPR (6 questions)
9. DPA available and current?
10. DPO appointed?
11. Breach notification procedure with 24h escalation?
12. EU data boundary enabled?
13. Sub-processors documented?
14. Third-country safeguards (SCC/DPF) in place?
3. Section C: Incident management (5 questions)
15. Last 24 months: number of security incidents?
16. Median response time?
17. Forensic capability?
18. CSIRT or SOC available?
19. Customer escalation workflow defined?
4. Section D: Sub-suppliers (5 questions)
20. Sub-supplier list maintained?
21. Audit procedure for sub-suppliers?
22. Contractual flow-down clauses?
23. Approval workflow for new sub-suppliers?
24. Update frequency?
5. Section E: Personnel security (5 questions)
25. Background checks performed?
26. Confidentiality undertakings signed?
27. Access segregation enforced?
28. Training frequency?
29. Offboarding process documented?
6. Section F: Technical measures (6 questions)
30. Encryption (in transit and at rest)?
31. MFA enforced?
32. Patch management cadence?
33. Vulnerability scans?
34. Endpoint protection?
35. Logging and monitoring?
7. Section G: Recovery and backup (3 questions)
36. Backup strategy (3-2-1, immutable)?
37. RTO and RPO defined?
38. Restore tests: frequency and last result?
8. Section H: Compliance and audit (2 questions)
39. Last external audit and findings?
40. Right-to-audit clause for customers?
9. Tier-based prioritization and red flags
Realistic SME scope: 8-15 suppliers in Tier-1 (annual full audit), 20-40 in Tier-2 (biennial plus annual self-assessment), the rest in Tier-3 (every 3-5 years). Top 7 red flags: no security certification; more than one major incident in 24 months without structural action; no BCM/DR plan; third-country sub-processors without DPF/SCC; no MFA on admin accounts; no encryption at rest; no right-to-audit. Red-flag suppliers should not stay Tier-1 without compensating internal controls.
Summary
NIS2 supply chain due diligence is now a real requirement. A 40-question supplier audit questionnaire across 8 sections gives a defensible, repeatable basis for prioritization. Combine it with tiered cadence and clear escalation rules for non-responders, and the program becomes manageable for SMEs.
Frequently Asked Questions
How many suppliers do I realistically need to audit?
Prioritize on a risk basis. Tier-1 (critical for business continuity or with access to personal data): full audit is mandatory; cap the list at roughly the top 20 suppliers. Tier-2 (medium importance): annual self-disclosure via questionnaire, plus an on-site audit or ISO 27001 validation every 2 years. Tier-3 (low): entry assessment when onboarding, then re-assessment every 3-5 years or when triggered by an incident or contract change. SME practice for 50-250 employees: typically 8-15 suppliers in Tier-1, 20-40 in Tier-2, the remainder in Tier-3. Effort: about 12 person-days initially plus 3 person-days per year.
What if a supplier does not complete the questionnaire?
Escalation levels: 1) Reminder with a 14-day deadline. 2) Escalation to the supplier's managing director, citing the supply chain security obligation in Section 30 BSIG (the German NIS2 implementation; Art. 21(2)(d) NIS2). 3) Demand a current ISO 27001 certificate (certification or surveillance audit within the last 12 months) as a substitute. 4) For critical suppliers: invoke the contract termination clause, or document risk acceptance with managing director sign-off. Practical tip: anchor a 'cybersecurity information cooperation' clause in your standard contract so that future requests cannot simply be refused.
Which responses should be classified as 'red flags'?
Top-7 red flags: 1) No ISO 27001 + no SOC 2 + no comparable certificates. 2) More than 1 serious incident in the last 24 months without structural measures. 3) No BCM/DR plan or no RTO/RPO defined. 4) Third-country sub-processors without DPF/SCC safeguards. 5) No MFA for administrator accounts. 6) No encryption at rest. 7) No right-to-audit or audit report inspection available. A red flag means: no Tier-1 status possible, evaluate an alternative supplier or compensate via your own technical protective measures.
How often must the supplier audit be repeated?
Tier-1 (critical): annually + ad hoc following incidents or contractual changes. Tier-2 (medium): every 2 years in full + annual update self-disclosure. Tier-3 (low): every 3-5 years. For DORA-obligated banks (DORA Article 28): annually for ICT-critical suppliers. For BSI KritisV energy providers: every 2 years + on-site inspection. Important: retain audit results for 6 years (supervisory practice).
Sources
- BSIG 2025 (Section 30(2)(4) supply chain) (As of: 2026-05-02)
- Directive (EU) 2022/2555 — NIS2 (As of: 2026-05-02)
- Regulation (EU) 2016/679 — GDPR (Art. 28 processors) (As of: 2026-05-02)