Not on the NIS2 list? Your customers will hold you to it anyway

· by IDE Solutions

A message lands in your inbox from one of your biggest customers. Attached is a security questionnaire — three pages of questions about how you protect data, whether you have a backup plan, and how quickly you would report a breach. It was not there last year. If you supply a mid-sized or large German company, this is how a European law called NIS2 reaches your desk, even though your own company was never named in it.

Most owners of smaller firms have been told, correctly, that NIS2 does not directly apply to them. That is true — and it is also why the questionnaire catches them off guard. NIS2 does not only regulate large companies; it makes those large companies responsible for the security of everyone who supplies them. This article explains, in plain terms, how a law you are not subject to still lands on your desk, exactly what your customers will ask, and what to have ready before they do. Getting ahead of it is the whole purpose of our IT governance and compliance service.

First, what NIS2 actually is — without the jargon

NIS2 is a European Union law about cybersecurity. The name stands for the second Network and Information Security Directive, and its job is to raise the baseline of digital security across the sectors a modern economy depends on — energy, transport, healthcare, water, banking, digital services, food, manufacturing and more. It replaces an older, narrower rule and casts a far wider net: where the first version covered a handful of "critical infrastructure" operators, NIS2 pulls in an estimated 29,000 companies in Germany alone.

Each EU country writes the directive into its own national law. In Germany that is the NIS2-Umsetzungsgesetz, which sets out who is covered, what they must do, and what it costs to get it wrong. For a company that falls directly under it, the obligations are substantial: formal risk management, incident reporting within tight deadlines, and — the part that matters for everyone else — a duty to secure their supply chain.

Are you directly covered? Probably not — and that is the trap

NIS2 sorts regulated companies into two buckets, "essential" and "important", and uses size as a rough filter. As a rule of thumb, a company can fall directly in scope if it operates in one of the named sectors and has at least 50 employees or more than 10 million euros in annual turnover. Below that line, most small businesses are not directly regulated at all.

So far, so reassuring — and this is exactly where the misunderstanding sets in. Owners hear "under 50 people, does not apply" and file the whole topic away. What they miss is that being outside the law's direct scope does not put you outside its reach. The reach comes through your customers.

The clause nobody warned you about: supply-chain security

Buried in the security measures every in-scope company must adopt is a requirement to manage the risks in their supply chain — to take responsibility not only for their own systems, but for the security of the suppliers and service providers they depend on. The law makes a large regulated company answerable for a weakness that lives inside one of its vendors.

There is only one practical way for that company to comply: push the requirement down. It cannot audit the world, so it sends suppliers a questionnaire, adds security clauses to contracts, and makes passing that review a condition of doing business. If you sell to a hospital, a manufacturer, an energy company or a bank — or to anyone who in turn sells to them — you are part of their supply chain, and their legal duty quietly becomes your commercial problem. A 15-person software firm, a logistics contractor, a payroll bureau, an IT provider: none are named in NIS2, all get the questionnaire.

This is not hypothetical or years away. Large German companies are already working through their supplier lists, because their own compliance depends on it. The supplier that answers clearly and quickly keeps the contract; the one that cannot is a risk the customer is now legally motivated to replace. Knowing where you genuinely stand before that conversation is a core part of a proper cloud security review.

What your customers will actually ask you

The questionnaires vary, but they test the same handful of areas — the security measures NIS2 expects regulated companies to have, mirrored onto their suppliers. Expect questions on:

  • Risk management. Do you have a written information-security policy? Do you know what data you hold and where the real risks sit?
  • Access control and identities. Is multi-factor authentication switched on? How do you manage who can log in to what, and how quickly is a leaver's access removed?
  • Incident handling. If you were breached, would you notice? Do you have a plan to respond, and could you tell an affected customer within 24 hours?
  • Backup and recovery. Do you have tested backups, and how fast could you restore after an attack? For the detail, see our guide to backup and disaster recovery.
  • Patching and vulnerabilities. Are systems kept up to date, and do you actually know what software you are running?
  • Staff awareness. Are people trained to spot phishing, the entry point for most real attacks?
  • Your own suppliers. How do you manage the security of the tools and providers you depend on — because their weakness is now the customer's problem too.

None of these require an enterprise security team. Most are things a well-run 20-person company can put in place in weeks, not months. But "we'll sort it when the form arrives" is the wrong moment to start — you end up answering under time pressure, in front of a customer, with a contract on the line.

What it costs to be unprepared

For the regulated company, the penalties for getting NIS2 wrong are severe — fines of up to 10 million euros or 2 percent of worldwide annual turnover for the most serious failures, and, unusually, personal accountability for senior management. That severity is precisely why they will not take a supplier's security on trust. The downside of ignoring your weaknesses is now measured in millions and in their own directors' liability.

Your own risk is not a regulator's fine; it is lost revenue. A supplier who cannot complete the security review, or who answers it badly, becomes the weak link the customer is obliged to address — and the cleanest way to address it is to move the business to a supplier who can. Contracts increasingly make security compliance a condition, so the questionnaire is no longer paperwork; it is a gate. Firms that walk through it confidently are already winning work from competitors who cannot, turning a compliance chore into a genuine sales advantage.

What to put in place before the questionnaire arrives

You do not need to become "NIS2-certified" — there is no such thing for a supplier. You need to demonstrate, credibly, that you take security seriously and have the basics covered. Work through this and most questionnaires become straightforward:

  • Turn on multi-factor authentication everywhere. Email, remote access, key applications. It is the single most effective control and the first thing a serious questionnaire checks.
  • Write down your basics. A short information-security policy, an access list, an outline of what data you hold. Not a binder — a few pages that show you have thought about it.
  • Get your Microsoft 365 in order. Most SMB security lives in one tenant, and its default settings leave real gaps. An independent Microsoft 365 security assessment tells you exactly what a customer's auditor would find.
  • Make your backups real and tested. Not just running — restorable, recently, with a known recovery time.
  • Have an incident plan. One page: who to call, how to contain it, how fast you would notify a customer. The 24-hour notification expectation is real.
  • Keep systems patched. Know what you run and keep it current. Unpatched software is the hole attackers use most.
  • Train your people. A short, regular phishing-awareness habit closes the gap that technology alone cannot.

Done in advance, this is a modest project with a real payoff: you keep the customers you have, you become the easy "yes" for the ones evaluating suppliers, and you sleep better knowing an incident would not end the business. Our governance and compliance team runs exactly this readiness check and hands you the evidence pack customers ask for.

Where Germany stands right now

Germany's implementation of NIS2 has taken longer than Brussels intended, and the exact wording has moved through several drafts. That has led some owners to conclude they can wait. It is the wrong conclusion, for a simple reason: your customers are not waiting. Large companies plan their compliance well ahead of any deadline, and their supplier reviews are already in motion regardless of the precise date the national law lands. The commercial pressure — the questionnaire, the contract clause — arrives before the legal one, and it arrives whether or not the ink is dry.

The sensible posture is to treat the underlying security expectations as settled, because they are. Multi-factor authentication, tested backups, an incident plan and basic governance are not going to be dropped from any future version of the law, and they are exactly what your customers are asking for today. Building them now is not a gamble on a deadline; it is the baseline of running a credible business in 2026.

Quick answers

Does NIS2 apply to my small business directly? Usually not — most companies under 50 employees in non-critical sectors are outside its direct scope. But if you supply a company that is in scope, its supply-chain obligations reach you through contracts and questionnaires.

Do I need to be NIS2-certified? There is no supplier certification. What customers want is evidence that you have the security basics in place — policies, MFA, tested backups, an incident plan — not a certificate.

What if I just ignore the questionnaire? The customer is legally required to manage supplier risk, so an unanswered or weak questionnaire makes you the risk they must remove. In practice that means losing the contract to a supplier who can answer it.

How long does it take to get ready? For a typical small business with reasonable IT, weeks rather than months — provided you start before the form arrives rather than after.

We get you ready for the security questions your customers are already asking

Our IT governance and compliance service runs a straight readiness check against the security measures NIS2 pushes down the supply chain: where you stand today, what a customer's auditor would flag, and exactly what to fix first — in plain language, prioritised by what actually matters.

You come away with the basics genuinely in place and a clear evidence pack you can hand to any customer's questionnaire — turning a compliance demand into a reason they keep buying from you.

More Articles