---
name: "NIS2 Supplier Evidence Request Checklist"
version: "1.0"
updated: "2026-07-03"
source: "https://www.orbiqhq.com/templates/nis2-supplier-evidence-request-checklist"
license: "Free to use; attribution appreciated"
legal_basis:
  - "https://eur-lex.europa.eu/eli/dir/2022/2555/oj"
  - "https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj"
---

# NIS2 Supplier Evidence Request Checklist

A working register for requesting, tracking, and escalating security evidence from
direct suppliers and service providers under NIS2 (Directive (EU) 2022/2555),
Article 21(2)(d) and Article 21(3). An AI agent or a human reviewer can run a full
supplier evidence request from this file alone: (1) register the supplier,
(2) score its criticality tier, (3) request the evidence rows applicable to that
tier, (4) track status and cadence, (5) escalate on non-response.

---

## 1. Supplier Identification

Complete one block per direct supplier or service provider.

| Field | Value | Notes |
|---|---|---|
| Supplier legal name | _____ | As it appears in the contract |
| Service(s) provided | _____ | Describe the service you consume, not the supplier's catalogue |
| Contract reference | _____ | MSA/SOW/DPA identifiers |
| Internal commercial owner | _____ | Who owns the relationship |
| Internal security reviewer | _____ | Who reviews the evidence |
| Supplier security contact | _____ | Named person + email for evidence requests |
| Supplier incident contact | _____ | 24/7 contact for incident notification |
| Countries of operation / data location | _____ | Note EU / UK / EEA / third-country split |
| Access level | `none` \| `network` \| `data-readonly` \| `data-readwrite` \| `production` | Highest level that applies |
| Data categories handled | _____ | e.g. customer personal data, credentials, telemetry |
| Subcontractors disclosed? | `yes` \| `no` \| `requested` | Cross-check against section 4, row E6 |
| Criticality tier | `T1` \| `T2` \| `T3` | Score with section 2 before requesting evidence |
| Date registered | YYYY-MM-DD | |
| Last full assessment | YYYY-MM-DD | |
| Next review due | YYYY-MM-DD | Derived from tier cadence (section 3) |

---

## 2. Criticality-Tier Rubric

Score each dimension, then assign the tier from the decision rule below.
This operationalises NIS2 Article 21(3): the vulnerabilities specific to
*each* direct supplier, assessed proportionately.

| Dimension | Question | Score 3 | Score 2 | Score 1 |
|---|---|---|---|---|
| Service dependency | Would supplier failure disrupt delivery of your essential/important service? | Immediate disruption (< 24h) | Degradation within days | No material impact |
| Access & data | What can the supplier reach? | Production systems or sensitive/large-scale personal data | Internal systems or limited data | No system access, no meaningful data |
| Substitutability | How quickly could you replace the supplier? | Months+ (deep integration, few alternatives) | Weeks (alternatives exist) | Days (commodity) |
| Incident exposure | Would a supplier compromise plausibly trigger a NIS2 Article 23 reportable incident for you? | Yes, directly | Indirectly / uncertain | No |

**Decision rule:**

- Total 10–12, or a score of 3 on *both* "Service dependency" and "Incident exposure" (whatever the total) → **T1 (Critical)**
- Total 7–9 → **T2 (Important)**
- Total 4–6 → **T3 (Standard)**

**Tier definitions (enum values):**

- `T1` — Critical: directly supports essential/important service delivery, or holds production access / sensitive data. Full evidence set; annual reassessment; quarterly monitoring; event-triggered re-requests.
- `T2` — Important: moderate access or operational impact. Core evidence set; annual review.
- `T3` — Standard: minimal access and impact. Attestation-level evidence; review at onboarding, then every 3 years or at contract renewal.

Re-score the tier whenever the service scope, access level, or subcontractor
chain changes, and after any supplier security incident.

---

## 3. Evidence Cadence per Tier

Calendar cadence is the floor. Event triggers override the calendar for the
affected categories: supplier incident, new or changed subcontractor,
certificate expiry or scope change, change of service scope or hosting,
merger/acquisition, adverse findings in coordinated EU risk assessments
(NIS2 Article 22(1)).

| Tier | Full reassessment | Monitoring between assessments | Event-triggered re-request |
|---|---|---|---|
| T1 | Annually | Quarterly: certificate validity, vuln/patch metrics, subcontractor register | Always, within 10 business days of trigger |
| T2 | Annually | Certificate-expiry and incident news alerts | Always, within 20 business days of trigger |
| T3 | Every 3 years or at contract renewal | Certificate-expiry alert only | On material trigger |

---

## 4. Evidence-Category Checklist

Request each row applicable to the supplier's tier. Record `status` per row:
`not-requested` \| `requested` \| `received` \| `reviewed-accepted` \| `reviewed-rejected` \| `overdue` \| `escalated` \| `not-applicable`.

| # | Category | What to request | Acceptable evidence types | Cadence T1 / T2 / T3 | NIS2 anchor |
|---|---|---|---|---|---|
| E1 | Security governance / ISMS | Overview of the supplier's information security management system and risk process covering your service | ISMS scope statement; security policy index; Statement of Applicability extract | Annual / Annual / Onboarding | Art. 21(2)(a), (f) |
| E2 | Certifications & independent assurance | Current certificate or attestation whose scope covers the service you buy | ISO/IEC 27001 certificate with scope + expiry; SOC 2 Type II report (+ bridge letter if report end is > 12 months old); TISAX / C5 where relevant | Annual + expiry alerts / Annual / Every 3 years | Art. 21(3) — overall quality of cybersecurity practices |
| E3 | Penetration testing | Most recent penetration test executive summary | Summary showing scope, methodology, date, findings by severity, remediation status. Full exploit detail not required | Annual / Annual / Self-attestation | Art. 21(2)(e), (f) |
| E4 | Vulnerability & patch management | Patching SLAs and performance metrics | Vulnerability management policy; time-to-patch metrics for critical vulnerabilities over the last 6–12 months; CVD/disclosure policy | Quarterly metrics / Annual / Onboarding attestation | Art. 21(2)(e) |
| E5 | Secure development (software suppliers) | Evidence of secure development lifecycle | Secure development policy; SAST/DAST usage evidence; dependency management; SBOM for critical software components | Annual / Annual / n/a | Art. 21(3) — secure development procedures |
| E6 | Subcontractor / fourth-party disclosure | Current subcontractor or subprocessor register plus a change-notification commitment | Register with entity names, locations, services; contract clause flowing security obligations down to subcontractors; notification mechanism | Quarterly or on change / Annual / Onboarding | Art. 21(2)(d) |
| E7 | Incident notification SLA | Contractual commitment to notify you of security incidents affecting your service | Signed clause stating the notification window in hours, named contacts, escalation path; description of the supplier's incident response capability | Verify at onboarding + annually; test the contact path semi-annually / Annual / Contract review | Art. 21(2)(b); supports your Art. 23 24h/72h/1-month timeline |
| E8 | Business continuity & disaster recovery | BCP/DR plan covering your service, with recovery objectives and test evidence | Plan extract naming your service; stated RTO/RPO; most recent test report with date, scenario, and corrective actions; availability history | Annual test evidence / Annual plan confirmation / Attestation | Art. 21(2)(c) |
| E9 | Access control & cryptography | IAM and encryption posture for systems touching your data | Access control policy incl. MFA and privileged access management; sample access-review output; encryption standards in transit and at rest, key management summary | Annual / Annual / Attestation | Art. 21(2)(i), (j) |
| E10 | Personnel security & awareness | HR security and training practices for staff with access to your service | Screening policy summary; security awareness training completion rates | Annual / Every 2 years / n/a | Art. 21(2)(g), (i) |

**Tier applicability:** T1 = E1–E10. T2 = E1, E2, E3, E4, E6, E7, E8. T3 = E2 (or a signed security self-attestation where no certification exists), E6, E7.

**Review guidance for the assessor:**

- Check certificate **scope**, not just existence — the certified scope must cover the service and locations you consume.
- Reject evidence older than the row's cadence window; mark `reviewed-rejected` with a reason and re-request.
- Log a gap (with a remediation date) rather than silently accepting partial evidence; gaps feed the risk decision in section 5.

---

## 5. Escalation Workflow

Apply per outstanding evidence row. Log every step with a date and actor —
the escalation trail is itself compliance evidence.

| Stage | Trigger | Action | Owner |
|---|---|---|---|
| 1. Reminder | No response 10 business days after request | Re-send request to supplier security contact; copy commercial owner | Security reviewer |
| 2. Commercial escalation | No response at 20 business days | Commercial owner raises with supplier account manager; deadline restated in writing | Commercial owner |
| 3. Formal notice | No response at 30 business days | Written notice invoking the contract's audit / evidence / cooperation clause; status set to `escalated` | Security reviewer + legal |
| 4. Risk decision | No response at 45 business days, or evidence materially inadequate | Documented decision: accept risk (with expiry date), apply compensating controls, restrict the supplier's access, or open termination/replacement review. For T1 suppliers, decision is made or countersigned by management — NIS2 Article 20 places approval and oversight of risk-management measures on management bodies | Management / risk owner |
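The introduction says a reviewer or agent can run the whole process from this file. The following Python is an added example (not part of the Orbiq template) that encodes the section 2 decision rule, the section 3 reassessment and re-request windows, the section 4 tier applicability list and the section 5 escalation thresholds as plain functions. The dimension keys, function names and the business-day convention (weekdays only, no public-holiday calendar) are assumptions of this example, not definitions from the checklist.

```python
"""Tier scoring, cadence and escalation helpers for the checklist.

Added example, not the template's own code. Dimension keys, function names
and the weekday-only business-day rule are assumptions of this example.
"""
from datetime import date, timedelta

# Section 2 rubric dimensions; each is scored 1, 2 or 3.
DIMENSIONS = ("service_dependency", "access_data", "substitutability", "incident_exposure")

# Section 4 "Tier applicability".
TIER_ROWS = {
    "T1": [f"E{i}" for i in range(1, 11)],
    "T2": ["E1", "E2", "E3", "E4", "E6", "E7", "E8"],
    "T3": ["E2", "E6", "E7"],
}
# Section 3 calendar floor for full reassessment, in years.
REASSESSMENT_YEARS = {"T1": 1, "T2": 1, "T3": 3}
# Section 3 event-triggered re-request window in business days (T3 has no fixed window).
REREQUEST_BUSINESS_DAYS = {"T1": 10, "T2": 20, "T3": None}
# Section 5 stages, checked from the highest threshold down.
ESCALATION_STAGES = [(45, 4), (30, 3), (20, 2), (10, 1)]
# Row statuses for which no escalation clock runs.
CLOSED_STATUSES = {"received", "reviewed-accepted", "not-applicable"}


def score_tier(scores):
    """Apply the section 2 decision rule to a dict of dimension -> score."""
    for dim in DIMENSIONS:
        if scores.get(dim) not in (1, 2, 3):
            raise ValueError(f"{dim} must be scored 1, 2 or 3")
    total = sum(scores[d] for d in DIMENSIONS)
    # Override: 3 on both service dependency and incident exposure is T1 regardless of total.
    both_critical = scores["service_dependency"] == 3 and scores["incident_exposure"] == 3
    if total >= 10 or both_critical:
        return "T1"
    if total >= 7:
        return "T2"
    return "T3"


def applicable_rows(tier):
    """Evidence rows (E1..E10) to request for a tier."""
    return list(TIER_ROWS[tier])


def next_review_due(tier, last_assessment):
    """Calendar-floor reassessment date from section 3 (29 Feb rolls to 28 Feb)."""
    year = last_assessment.year + REASSESSMENT_YEARS[tier]
    try:
        return last_assessment.replace(year=year)
    except ValueError:
        return last_assessment.replace(year=year, day=28)


def add_business_days(start, n):
    """Move forward n weekdays (assumption: no holiday calendar)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def business_days_between(start, end):
    """Weekdays after `start` up to and including `end`."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


def rerequest_deadline(tier, trigger_date):
    """Section 3 deadline for an event-triggered re-request, or None for T3."""
    window = REREQUEST_BUSINESS_DAYS[tier]
    return None if window is None else add_business_days(trigger_date, window)


def escalation_stage(requested_on, today, status):
    """Section 5 stage due today: 0 none, 1 reminder, 2 commercial, 3 formal notice, 4 risk decision."""
    if status in CLOSED_STATUSES:
        return 0
    elapsed = business_days_between(requested_on, today)
    for threshold, stage in ESCALATION_STAGES:
        if elapsed >= threshold:
            return stage
    return 0


if __name__ == "__main__":
    # Constructed sample: hosting provider with production access, total score 10.
    scores = {"service_dependency": 3, "access_data": 3, "substitutability": 2, "incident_exposure": 2}
    tier = score_tier(scores)
    print(tier, applicable_rows(tier), next_review_due(tier, date(2026, 7, 3)))
    print(escalation_stage(date(2026, 7, 6), date(2026, 8, 17), "requested"))
```

Run it per register row: feed the four rubric scores to `score_tier`, request the rows from `applicable_rows`, store `next_review_due` in the "Next review due" field, and evaluate `escalation_stage` for every row still in `requested` or `overdue` status each morning to see which section 5 action is due.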

---

## 6. Register Maintenance

- Keep one evidence-checklist instance per supplier; keep superseded evidence versioned, never overwritten.
- Recompute `next review due` after every accepted evidence row.
- Review the tier assignment (section 2) at least annually and on every trigger event.
- Where a coordinated EU security risk assessment under NIS2 Article 22(1) covers a supplier's product class, record its findings against that supplier and adjust the tier or controls accordingly.

---

*NIS2 Supplier Evidence Request Checklist v1.0 — updated 2026-07-03.
Published by Orbiq (https://www.orbiqhq.com/templates/nis2-supplier-evidence-request-checklist).
Free to use; attribution appreciated. This template is general information, not legal advice.*
