Skip to content
QubeLogix

NIS2 for Suppliers: What You Actually Need to Do When Customers Demand Security Evidence

As a supplier, you are usually not directly regulated by NIS2 — your customer is. Section 30(2) no. 4 of Germany's BSIG requires regulated companies to secure their supply chain, and they pass that obligation on to suppliers by contract. An ISO 27001 certificate is not legally required: an honestly completed security questionnaire, documented baseline measures, and an incident reporting process are enough in most cases.

By Rudolf Schwartz — Founder & Engineer at QubeLogix · Last updated July 15, 2026

Why your customer is suddenly asking for evidence

Germany's NIS2 implementation act (NIS2UmsuCG) has been in force since December 6, 2025 — with no transition period. The three-month registration deadline for companies in scope expired on March 6, 2026. Roughly 29,500 companies are now under the supervision of the BSI, Germany's Federal Office for Information Security — up from about 4,500 before. Regulated companies face fines of up to €10 million or 2% of global annual revenue.

The provision that matters for suppliers is Section 30(2) no. 4 of the German BSIG, which implements Article 21(2)(d) of the EU NIS2 Directive: entities in scope must ensure the security of their supply chain, including relationships with their direct suppliers and service providers. The law does not obligate you as a supplier directly. But your customer must ensure — and be able to show auditors and the regulator — that its suppliers do not represent an uncontrolled risk. That obligation cascades down to you by contract — even if you sit far below the NIS2 size thresholds. The questionnaire sitting in your inbox is not a request from a regulator; it is that pressure being passed along.

First, check whether you are directly in scope yourself

Before reacting to customer demands, verify your own status. As a rule, directly regulated are companies with 50 or more employees, or with both annual revenue and balance sheet total above €10 million, provided they operate in one of the 18 NIS2 sectors. Annex 1 of the BSIG lists 11 sectors of high criticality; Annex 2 adds seven more critical sectors — including manufacturing, chemicals, and food. Mid-sized manufacturers in particular fall into direct scope more often than they assume.

The BSI offers a free self-assessment for this (betroffenheitspruefung-nis-2.bsi.de): a short series of questions on sector, size, and revenue that follows the law's decision logic — the result is not legally binding, but it is a solid first orientation. If you are directly in scope, note that registration through the BSI MUK portal (muk.bsi.bund.de) was due by March 6, 2026 — complete it immediately if you missed it. The rest of this guide covers the more common situation: you are not directly regulated, but your customer is.

What customers typically demand

In practice, three standard contract clauses keep showing up: first, specific cybersecurity requirements for your product or service; second, an audit right combined with recurring evidence obligations; third, an incident notification clause — usually with a reporting window of no more than 24 hours to the customer, derived from the customer's own 24-hour initial reporting duty to the BSI.

On top of that, there is almost always a security questionnaire. The typical questions: Which of the customer's systems can you reach? Which classes of data do you process? Do you operate an ISMS or hold an ISO 27001 certification? How are backup and recovery handled? Is MFA enabled for critical access? Is there a documented incident response process?

How deeply you get audited depends on your classification. A three-tier scheme is common: tier-A suppliers with direct system or data access (cloud, ERP hosting, managed security) are typically reviewed annually; tier-B suppliers with influence on availability or integrity every two to three years; tier-C suppliers such as office supply vendors barely at all. Accepted evidence includes ISO 27001 certificates, SOC 2 reports, and TISAX labels (automotive) — but completed questionnaires and documented processes count as well. The key point: no law requires certification. Risk-based evidence is sufficient.

If you fail to deliver, the risk is not a fine but a commercial problem: longer approval processes, a weaker supplier rating, unfavorable contract addenda — up to exclusion from tenders.

Pragmatic first steps — without a certification project

For most small suppliers, the right answer is not an ISO 27001 project but a solid baseline. Concretely: record which customer systems and data classes you actually have access to — that determines your classification and the depth of scrutiny. Enable MFA for all critical access. Document and test backup and recovery. Write your incident response process down on a single page: who detects, who decides, who notifies which customer contact within 24 hours. And answer the questionnaire honestly — a documented "not yet, planned for Q4" is more credible than an embellished "yes."

As an organizing framework, the basic protection level of the German BSI IT-Grundschutz methodology works well: its baseline requirements cover exactly the topics the questionnaires ask about — access management, data backup, incident handling, patch management. The advantage over homegrown checklists: IT-Grundschutz is the standard German procurement and security departments know. If you structure your answers around it, you don't have to start from scratch with every new customer questionnaire.

What this realistically costs

For perspective, here is what the "big" credentials cost — market figures published by certifiers and consultancies, not fixed prices. An ISO 27001 certification typically runs an SME with 10–50 employees €15,000–50,000 total in the first year, with the initial audit alone at €9,000–25,000 — the largest block is building the internal ISMS, consulting included. TISAX (automotive) typically comes to €15,000–40,000 total for an SME, with the AL-3 audit alone at roughly €6,000–7,000 for smaller companies. Investments like these only pay off once several major customers explicitly demand them or tenders depend on them.

The pragmatic route is far cheaper. QubeLogix offers an information security quick check from €1,900 flat: an inventory of your current state, a comparison against the requirements typical questionnaires contain, and a prioritized action list. If you want to build things up in a structured way, ISMS foundations and NIS2 orientation run €6,000–14,000, ongoing support from €900 per month, and consulting at a day rate of €1,000–1,200. Honesty requires drawing a line: QubeLogix does not issue certificates and does not conduct accredited certification audits — the offering is orientation and implementation support, so you can answer customer questionnaires credibly and judge whether a certification project would even pay off for you.

When you don't need any of this

Not every supplier needs to act now. You can safely set the topic aside if none of your customers is NIS2-regulated — the obligation arises exclusively through the contract, never through a regulator. The same goes if you are classified as a tier-C supplier, meaning you have neither system nor data access and your outage would not endanger the customer's operations: office supplies, catering, simple merchandise. If you already hold a valid ISO 27001 certificate or TISAX label, you generally don't need additional consulting either — the existing certificate covers the usual demands. And if only a single manageable questionnaire is on your desk and your IT basics (MFA, backups, patch status) are in order, simply answer it yourself. External support only pays off once several customers demand different forms of evidence, an A or B rating is at stake, or you can't judge how honestly to answer which question.

Frequently asked questions

Frequently asked questions
I'm not directly in scope of NIS2 — do I still have to do anything as a supplier?

Yes, as soon as a NIS2-regulated customer demands evidence. Section 30(2) no. 4 of the German BSIG requires regulated companies to ensure the security of their supply chain, and that obligation is passed on to suppliers by contract — regardless of whether the supplier itself meets the NIS2 thresholds. It is a contractual requirement, not an obligation imposed by a regulator.

Do I need an ISO 27001 certificate as a supplier?

No — no law requires certification. NIS2-regulated customers may assess suppliers on a risk basis, so an honestly completed security questionnaire and documented measures (MFA, backups, an incident response process) are often enough. An ISO 27001 project typically costs an SME €15,000–50,000 in the first year and only pays off once several major customers explicitly demand it.

What happens if I don't answer my customer's security questionnaire?

You won't be fined — NIS2 fines only hit directly regulated companies. The consequences are commercial: longer approval processes, a weaker supplier rating, unfavorable contract addenda, or exclusion from tenders. For critical suppliers (tier A, with system or data access), refusing to respond can put the entire contract at risk.

How quickly do I have to report security incidents to my customer?

Contracts typically require notification within 24 hours at most. The reason: NIS2-regulated companies must file an initial report on significant incidents with Germany's BSI within 24 hours, so they pass that deadline on to their suppliers. In practice, you need a documented process defining who detects an incident, who decides, and who informs which customer contact — including outside business hours.

Is a TISAX label sufficient instead of ISO 27001?

It depends on the industry. In automotive, TISAX is the established standard and is routinely accepted as supplier evidence; outside automotive, customers tend to ask for ISO 27001 or a completed questionnaire. TISAX also covers the NIS2 requirements only partially. Cost range for SMEs: typically €15,000–40,000 total, with the AL-3 audit alone at roughly €6,000–7,000 for smaller companies.

How do I find out whether my company itself falls directly under NIS2?

Use the free self-assessment provided by Germany's BSI (betroffenheitspruefung-nis-2.bsi.de): a few questions on sector, size, and revenue; the result is not legally binding but a good orientation. As a rough rule: 50 or more employees, or both annual revenue and balance sheet total above €10 million, in one of the 18 sectors — which include manufacturing, chemicals, and food. Companies directly in scope must register via the BSI MUK portal; that deadline expired on March 6, 2026.

Which task should disappear from your week first?

Contact

Tell us what you are planning, from a first AI assistant to taking over an existing system. You will get an honest assessment within two business days.