Clarify your scope
Directly in scope, or bound only by contract? That sets the scale.
Supply-chain evidence
| Who asks | What's required | When |
|---|---|---|
| OEM / major customer | Structured supply-chain security questionnaire | At tender or onboarding |
| Cyber insurer | Evidence for underwriting and renewal | At policy renewal |
| Contract clause | Assurance + ongoing proof of measures | At contract signing |
| Audit request | Evidence on demand, often on a short deadline | As triggered |
Questionnaires differ in detail, but nearly all cover the same eight areas — the same themes as the ten §30 measures: information security organised and documented · access control and multi-factor authentication · patch and vulnerability management · backup and recovery · incident detection and reporting · security of your own sub-suppliers · staff awareness and training · physical and environmental security. For each area, customers don't want a statement of intent — they want evidence: what is actually in place at your company, where it is documented, since when, and who owns it.
There is no fine from the regulator, but there are real commercial consequences: you drop out of the tender, onboarding stalls, insurance gets more expensive, or you breach a contract clause. Increasingly, evidence is what decides whether you stay a supplier.
Not an 80-page security concept. A short, auditable package is enough — and more convincing: a structured overview of your §30-relevant measures · one concrete piece of evidence per measure · a date · a named contact. Kept current, not filed once and forgotten.
Match the §30 themes to what your Microsoft 365 already does.
One artefact per measure, with a date and an owner.
One standing slot per quarter is enough.
For most suppliers the main cost is internal time, not external fees — the evidence comes from systems you already run. Budget a few person-days across your IT and quality teams for a first package. External help only pays off for genuine edge cases.
First clarify your own scope, then map the relevant §30 measures in the obligations matrix.
Yes, if a regulated customer requires it by contract. The contractual duty applies regardless of your own direct scope.
Rarely. Contracts increasingly require ongoing proof — the status has to stay current, not just be true at onboarding.
Not necessarily. Some customers accept structured self-assessments backed by evidence. Ask what's specifically required before starting a certification project.
Then you pass the relevant requirements down — the same logic applies one tier deeper.