NIS2 for Suppliers: What You Actually Need to Do When Customers Demand Security Evidence
As a supplier, you are usually not directly regulated by NIS2 — your customer is. Section 30(2) no. 4 of Germany's BSIG requires regulated companies to secure their supply chain, and they pass that obligation on to suppliers by contract. An ISO 27001 certificate is not legally required: an honestly completed security questionnaire, documented baseline measures, and an incident reporting process are enough in most cases.
By Rudolf Schwartz — Founder & Engineer at QubeLogix · Last updated July 15, 2026
Why your customer is suddenly asking for evidence
Germany's NIS2 implementation act (NIS2UmsuCG) has been in force since December 6, 2025 — with no transition period. The three-month registration deadline for companies in scope expired on March 6, 2026. Roughly 29,500 companies are now under the supervision of the BSI, Germany's Federal Office for Information Security — up from about 4,500 before. Regulated companies face fines of up to €10 million or 2% of global annual revenue.
The provision that matters for suppliers is Section 30(2) no. 4 of the German BSIG, which implements Article 21(2)(d) of the EU NIS2 Directive: entities in scope must ensure the security of their supply chain, including relationships with their direct suppliers and service providers. The law does not obligate you as a supplier directly. But your customer must ensure — and be able to show auditors and the regulator — that its suppliers do not represent an uncontrolled risk. That obligation cascades down to you by contract — even if you sit far below the NIS2 size thresholds. The questionnaire sitting in your inbox is not a request from a regulator; it is that pressure being passed along.
First, check whether you are directly in scope yourself
Before reacting to customer demands, verify your own status. As a rule, directly regulated are companies with 50 or more employees, or with both annual revenue and balance sheet total above €10 million, provided they operate in one of the 18 NIS2 sectors. Annex 1 of the BSIG lists 11 sectors of high criticality; Annex 2 adds seven more critical sectors — including manufacturing, chemicals, and food. Mid-sized manufacturers in particular fall into direct scope more often than they assume.
The BSI offers a free self-assessment for this (betroffenheitspruefung-nis-2.bsi.de): a short series of questions on sector, size, and revenue that follows the law's decision logic — the result is not legally binding, but it is a solid first orientation. If you are directly in scope, note that registration through the BSI MUK portal (muk.bsi.bund.de) was due by March 6, 2026 — complete it immediately if you missed it. The rest of this guide covers the more common situation: you are not directly regulated, but your customer is.
What customers typically demand
In practice, three standard contract clauses keep showing up: first, specific cybersecurity requirements for your product or service; second, an audit right combined with recurring evidence obligations; third, an incident notification clause — usually with a reporting window of no more than 24 hours to the customer, derived from the customer's own 24-hour initial reporting duty to the BSI.
On top of that, there is almost always a security questionnaire. The typical questions: Which of the customer's systems can you reach? Which classes of data do you process? Do you operate an ISMS or hold an ISO 27001 certification? How are backup and recovery handled? Is MFA enabled for critical access? Is there a documented incident response process?
How deeply you get audited depends on your classification. A three-tier scheme is common: tier-A suppliers with direct system or data access (cloud, ERP hosting, managed security) are typically reviewed annually; tier-B suppliers with influence on availability or integrity every two to three years; tier-C suppliers such as office supply vendors barely at all. Accepted evidence includes ISO 27001 certificates, SOC 2 reports, and TISAX labels (automotive) — but completed questionnaires and documented processes count as well. The key point: no law requires certification. Risk-based evidence is sufficient.
If you fail to deliver, the risk is not a fine but a commercial problem: longer approval processes, a weaker supplier rating, unfavorable contract addenda — up to exclusion from tenders.
Pragmatic first steps — without a certification project
For most small suppliers, the right answer is not an ISO 27001 project but a solid baseline. Concretely: record which customer systems and data classes you actually have access to — that determines your classification and the depth of scrutiny. Enable MFA for all critical access. Document and test backup and recovery. Write your incident response process down on a single page: who detects, who decides, who notifies which customer contact within 24 hours. And answer the questionnaire honestly — a documented "not yet, planned for Q4" is more credible than an embellished "yes."
As an organizing framework, the basic protection level of the German BSI IT-Grundschutz methodology works well: its baseline requirements cover exactly the topics the questionnaires ask about — access management, data backup, incident handling, patch management. The advantage over homegrown checklists: IT-Grundschutz is the standard German procurement and security departments know. If you structure your answers around it, you don't have to start from scratch with every new customer questionnaire.
What this realistically costs
For perspective, here is what the "big" credentials cost — market figures published by certifiers and consultancies, not fixed prices. An ISO 27001 certification typically runs an SME with 10–50 employees €15,000–50,000 total in the first year, with the initial audit alone at €9,000–25,000 — the largest block is building the internal ISMS, consulting included. TISAX (automotive) typically comes to €15,000–40,000 total for an SME, with the AL-3 audit alone at roughly €6,000–7,000 for smaller companies. Investments like these only pay off once several major customers explicitly demand them or tenders depend on them.
The pragmatic route is far cheaper. QubeLogix offers an information security quick check from €1,900 flat: an inventory of your current state, a comparison against the requirements typical questionnaires contain, and a prioritized action list. If you want to build things up in a structured way, ISMS foundations and NIS2 orientation run €6,000–14,000, ongoing support from €900 per month, and consulting at a day rate of €1,000–1,200. Honesty requires drawing a line: QubeLogix does not issue certificates and does not conduct accredited certification audits — the offering is orientation and implementation support, so you can answer customer questionnaires credibly and judge whether a certification project would even pay off for you.
When you don't need any of this
Not every supplier needs to act now. You can safely set the topic aside if none of your customers is NIS2-regulated — the obligation arises exclusively through the contract, never through a regulator. The same goes if you are classified as a tier-C supplier, meaning you have neither system nor data access and your outage would not endanger the customer's operations: office supplies, catering, simple merchandise. If you already hold a valid ISO 27001 certificate or TISAX label, you generally don't need additional consulting either — the existing certificate covers the usual demands. And if only a single manageable questionnaire is on your desk and your IT basics (MFA, backups, patch status) are in order, simply answer it yourself. External support only pays off once several customers demand different forms of evidence, an A or B rating is at stake, or you can't judge how honestly to answer which question.