The bank that gives you forty percent of your revenue just sent a supplier security questionnaire with NIS2 stamped on every page. Your company is not a NIS2 essential or important entity. You checked. Your sector annex does not list you, your headcount is below the threshold, and you have the email from your lawyer in 2024 to prove it. None of that matters this morning, because your customer is in scope, and Article 21(2)(d) makes them responsible to their regulator for managing the cybersecurity risk your security posture creates for them. That makes their auditor your auditor, by contract.
NIS2 has a defined scope: Essential and important entities across sectors like energy, healthcare, financial services, and digital infrastructure. Article 21(2)(d) gives it a longer reach. It requires every in-scope entity to assess and manage the cybersecurity risks of its supply chain, including direct suppliers and service providers. The mechanism is simple. Your customer is responsible to their auditor for your security posture. They will collect that responsibility from you, through a questionnaire, a contract clause, or a request for evidence. The only open question is whether you are ready when it does.
You are not in NIS2 scope. The questionnaire still found you.
April and May 2026 are the months when this became operational rather than theoretical. The first formal essential-entity audit deadline in Denmark falls on June 30, 2026, under Lov om foranstaltninger til sikring af et højt cybersikkerhedsniveau, the Danish transposition of NIS2. Essential entities must demonstrate their security posture to their sector's competent authority in Denmark, with central coordination by Styrelsen for Samfundssikkerhed and CFCS as the national CSIRT. Before they do, they are collecting evidence from their supply chain. The questionnaires are arriving now.
In the Nordic and EEA markets I work in, across IT, security, cloud, and governance engagements, the volume of supplier security questionnaires has risen sharply since Q1 2026. Financial services buyers, healthcare software groups, multi-site industrial operators. They are all in scope. Their procurement teams are all, right now, trying to answer the auditor's question: How do you know your suppliers are secure?
If you sell to any of them and are not yourself in NIS2 scope, their obligation under Article 21(2)(d) still flows through the contract to you. That is the mechanism, and understanding it changes how you respond. For companies that are actually in NIS2 scope and need to address their own direct obligations, the practical steps look different. NIS2 readiness for Danish SaaS covers that side. This article is for the growing company that is not in scope but is dealing with the consequences of its customers being in scope.
What does NIS2 Article 21(2)(d) require your customer to do about you?
Article 21 of NIS2 sets out the risk-management measures that essential and important entities must implement. Subsection (2)(d) covers supply chain security: The entity must take measures to address the security of supply chain relationships, including the security-related aspects of their relationships with direct suppliers or service providers.
In plain language: Your customer cannot outsource their cybersecurity risk to you and then look away. They must actively assess what your security posture is, what access you have to their systems or data, and whether the controls you have in place are adequate. When their NIS2 auditor asks “how are you managing supplier risk?”, the answer must be specific and documented. Not “we trust our suppliers.” Not “we have standard contract clauses.” Documented, assessed, and current.
ENISA guidance and the Danish Erhvervsstyrelsen confirm the same point: The supply chain assessment is auditable, not advisory, and the supplier is the primary source of the evidence the customer needs to produce. Twenty of the twenty-seven EU member states have completed NIS2 transposition as of May 2026; the remaining seven faced Commission reasoned opinions in May 2025 for incomplete transposition. Across the jurisdictions where transposition is in force, every essential and important entity is now closing this evidence gap with its suppliers.
Your customer's auditor is now your auditor, by contract
Here is the reframe that matters. You did not become NIS2-regulated. Your customer did. But because your customer is regulated, they need to produce evidence about you to satisfy their regulator. The audit chain transmits through contract, not through NIS2's scope determination.
This is not hypothetical. Nordic legal practice over the last six months has converged on explicit audit rights and security-assessment obligations in supplier contracts. The clause typically requires the supplier to provide evidence of its information security posture on request, within a defined number of business days, in a format sufficient for the customer to fulfil its NIS2 Article 21(2)(d) obligations. You may have signed that clause. It may have been buried in a framework agreement you reviewed in 2023. It is active now.
The pattern I see in practice: At a PE-backed services group of around 1,800 staff where I served as interim CIDO/CIO, the first NIS2 supplier questionnaires from regulated buyers arrived in January 2026. The group was not itself a direct NIS2 entity but sold into multiple regulated sectors. Within six weeks, more than ten enterprise buyers had sent questionnaires. No two questionnaires had identical structure. All of them were asking, in different formats, for the same six categories of evidence.
The cost of answering each questionnaire separately, from scratch, was significant. The cost of building one well-designed supplier-evidence pack and routing it was an order of magnitude less. That pack, built once in February, became the answer to every incoming questionnaire, with minor customisation per buyer.
The supplier-evidence pack is the artifact your customer's auditor needs to see
Most growing-company CTOs treat the NIS2 supplier questionnaire as the artifact they need to produce. The questionnaire is actually the customer's procurement format. The artifact their auditor needs to see is the supplier-evidence pack. Build the pack on purpose, and the questionnaire becomes a routing exercise: Which section of the pack answers which question. Some items will still need a per-question answer the pack does not pre-format, but the pack reduces those from twenty per questionnaire to two or three.
A supplier-evidence pack is not a new security programme. It is a document that assembles existing artifacts under a single cover, framed to answer what an NIS2 auditor needs. The six components:
| Artifact | What it needs to contain | Typical owner |
|---|---|---|
| Information-security policy | Signed by CEO. Scope, risk approach, review cadence. Two pages maximum. | CTO / Head of Security |
| Penetration test summary | Most recent test (within 12 months). Findings, severity, remediation status. Executive summary only. | Security lead or external vendor |
| Incident response plan | Classification, response roles, escalation path, notification timelines for customers. Tabletop exercise log. | CTO / Head of Security |
| Sub-processor list | Every third party with access to customer data. Their own security attestations where available. | Legal / DPO |
| Business continuity plan | RTO and RPO by service. Last successful test result and date. | CTO / Operations |
| Certification letters | ISO 27001 certificate (if held), SOC 2 Type II report (if held), any sector-specific attestations. | CTO / compliance function |
The cover document is a single page that references each artifact, explains the scope of your information security program, and includes a short paragraph mapping your security controls to the NIS2 Article 21(2) risk-management headings. It is not a legal document. It is a navigation guide for someone reading it under audit pressure.
On certification: ISO 27001 is the strongest single signal available to a non-regulated supplier. It covers most of what Article 21(2) requires for risk management, access control, encryption, business continuity, and supplier security. It is not a complete substitute, because NIS2 has explicit obligations around incident-reporting timelines and management accountability that ISO 27001 does not directly address. The pack still needs a bridging paragraph. A company with ISO 27001 certification and the five other artifacts above is in a materially stronger position than one answering questionnaire questions from memory. If you are considering the ISO 27001 path, the supplier-evidence pack is a useful intermediate deliverable to have while the certification process runs.
SOC 2 Type II is a useful complement for US-headquartered suppliers, but it does not map as cleanly to Article 21(2) headings as ISO 27001 does. In an EU regulatory context, ISO 27001 remains the cleaner single signal. If you hold both, list both in the pack and use the cover document to explain which controls each certificate addresses.
How to build a NIS2 supplier-evidence pack in three weeks
Three weeks is achievable. The work is not building a security programme from scratch. It is locating what you already have, filling the gaps, and assembling it into a format a buyer's legal team can review quickly.
In the first week, take stock. Pull every artifact in the table above and assess its current state: Exists and current, exists but dated, does not exist. For most growing companies, the information-security policy exists but has not been signed by the CEO, the penetration test is more than 18 months old, the incident response plan is a draft nobody has tested, the sub-processor list is accurate, and the business continuity plan ranges from good to nonexistent. Knowing the gap is the prerequisite for fixing it.
In the second week, close the most critical gaps. If the security policy is unsigned, fix it in a day. If the incident response plan has never been tested, run a two-hour tabletop exercise, document it, and attach the log. If the penetration test is dated, decide whether to commission a new one or write a risk-acceptance note explaining the delay and your interim compensating controls. Do not let perfect block progress. If the starting state is materially worse than the picture above (no policy at all, no penetration test ever, no IR plan), three weeks is not the timeline. Be honest about the baseline before you commit to a deadline.
In the third week, write the cover document and the NIS2 mapping paragraph. This is a 90-minute writing task that transforms a pile of PDFs into an artifact an auditor can read under pressure. Name a single person who owns the pack and is responsible for updating it when any component changes. This is not a committee job. Who actually owns this work matters as much as what goes into it: If it is nobody's explicit responsibility, the next questionnaire will find it in the same state as the last one.
One structural point worth making plain. The pack does not exist to pass a questionnaire. It exists because your security posture is a real thing your customers depend on. The Verizon 2025 Data Breach Investigations Report found that third parties were involved in 30% of breaches, double the prior year's 15%. In April 2026, a ransomware attack on ChipSoft disrupted the vendor whose patient-record platform serves around 70 to 80 percent of Dutch hospitals. Weeks earlier, in March 2026, a breach traced to a compromised open-source security scanning tool in the supply chain affected European Commission cloud infrastructure. The supplier-evidence pack earns trust. The auditor is just the reason it arrives on a deadline.
The cascade is here
NIS2 was written with a scope. Article 21(2)(d) gave it a longer reach than its scope. The growing company that builds a supplier-evidence pack on purpose in May 2026 keeps its enterprise deals. The one that improvises through Q3 discovers that questionnaire fatigue is a polite name for losing the renewal.
The three-week plan above is the do-it-yourself path. If you want a second pair of eyes on it, the supplier-readiness assessment covers the evidence gap, the artifact quality, and the cover document in one scoped engagement, priced as a fixed-fee assessment so you know the cost before you start.