NIS2 increases pressure on ICT suppliers even when the direct obligation sits with the regulated customer. Procurement, security and audit teams ask for demonstrable evidence on cyber governance, incident management, business continuity and supply-chain security.
1. Map requests to reusable controls
Avoid treating every questionnaire as a separate project. Normalize incoming questions into recurring controls: incident reporting, access management, vulnerability management, backup, business continuity and supplier governance.
2. Assign owners and expiry dates
Every control needs an owner, a review frequency and an evidence expiry date. This prevents stale answers and makes visible the work required before the next submission.
3. Build a supplier pack
The customer does not need your entire internal repository. Prepare a controlled package with policies, attestations, reports, open remediation items and context notes for audit or procurement.
Minimum checklist
- NIS2 control register with owner and status.
- Approved evidence with version and expiry date.
- Incident procedure with escalation timing.
- Continuity plan and recent test results.
- Critical supplier list and monitoring criteria.