Free Vendor Security Questionnaire Template (2026) — Excel
Published Jul 13, 2026
By Orbiq Team

Free Vendor Security Questionnaire Template (2026) — Excel

Free EU vendor security questionnaire (XLSX, PDF, MD): 67 tiered questions covering GDPR Art 28, NIS2 supply chain, DORA and data residency. No email gate.

Vendor Security
Security Questionnaire
GDPR
NIS2
DORA
Templates

Download this template

Version 1.0 · Updated Jul 13, 2026 · Free, no email required

EU Vendor Security Questionnaire: Free Template

A vendor security questionnaire is the structured question set a buyer sends to suppliers to evaluate their security posture — and for European buyers in 2026 it has to ask more than the US-authored standards do. This free template contains 67 questions in 10 sections, tiered by vendor criticality, covering GDPR Article 28 processor terms, NIS2 Article 21(2)(d) supply-chain evidence, DORA ICT-provider fields, and the data-residency and CLOUD Act questions that SIG and CAIQ don't ask.

Most questionnaire templates are written from the US compliance universe: SOC 2-first, silent on Article 28(3), blind to data sovereignty. But if you buy software as a European company, you carry the legal accountability — for your processors under GDPR, for your direct suppliers under NIS2, for your ICT providers under DORA. This template — available as XLSX, PDF, and a machine-readable Markdown file for AI agents — asks exactly what those obligations require, alongside the security fundamentals every questionnaire needs. It is the outbound companion to our security questionnaire guide, which covers the responder's side of the same exchange.

Key Takeaways

  • 67 questions, 10 sections, 3 tiers — critical vendors (T1) answer everything, standard vendors (T2) answer 46, low-risk vendors (T3) answer a 23-question light set. Proportionality is built in.
  • EU-native by design: Article 28(3) DPA clauses, EU/EEA-only hosting options, transfer mechanisms, CLOUD Act / FISA 702 exposure, NIS2-compatible incident-notification windows, and a DORA addendum for financial-entity buyers.
  • Every question names its evidence. Certificates with scope, pentest executive summaries, DPA clauses, subprocessor registers — answers without artefacts are self-declarations, not assurance.
  • The incumbents don't cover this ground: SIG is licensed and US-framed; CAIQ v4 is free but cloud-scoped (261 questions). Neither asks what European regulators hold you accountable for.
  • A questionnaire is one input, not the decision. Pair it with a scoring framework — our vendor risk assessment template — and with evidence tracking over time.

What's Inside the Template

The XLSX contains four sheets: a Vendor Register (vendor, jurisdiction, parent company, tier, review outcome), a Tier Rubric (four scored dimensions with a decision rule), the Questionnaire itself (67 questions with per-question evidence requests, Yes/Partial/No/N.A. answer dropdowns, and a reviewer-assessment column), and Instructions. The PDF mirrors the question bank for review meetings; the Markdown variant carries the full structure with YAML metadata and enums so an AI agent can run a vendor review end to end.

The ten sections, with a sample question from each:

SectionQuestionsSample question
A — Company & Governance6Do you hold a current ISO/IEC 27001:2022 certificate covering the service we buy?
B — GDPR & Data Protection (Art 28)10Do you offer a DPA containing all Article 28(3) mandatory clauses?
C — Data Residency & Sovereignty8Is your corporate structure subject to non-EU jurisdiction that could compel disclosure under the US CLOUD Act?
D — Access Control & Identity7Is MFA enforced for all staff access to production and customer data?
E — Infrastructure & Operations8Is the service penetration-tested annually, and will you share the executive summary?
F — Incident Management6What is your contractual window (in hours) for notifying us of incidents affecting our service or data?
G — Business Continuity & DR5Are backups encrypted, geographically separated, and restore-tested?
H — Secure Development6Is code scanned (SAST/DAST/dependency) before production deployment?
I — Subcontractors & Supply Chain6Will you notify us of subcontractor changes in advance, with a right to object?
J — DORA Addendum (financial entities)5Can you provide the fields we need for our DORA Register of Information?

How to Use It

Step 1 — Tier the vendor. The rubric scores four dimensions: data sensitivity, system access, service criticality (including whether vendor failure would create NIS2 or DORA exposure for you), and substitutability. Critical vendors get the full set; a commodity tool with no data access gets 23 questions. Sending 850 questions to a newsletter provider is how procurement stalls and answer quality collapses.

Step 2 — Send the tier subset, demand evidence. Every question names the artefact to attach. This is the single biggest quality lever in vendor security review: ENISA's supply-chain guidance stresses assessing the quality of a supplier's practices, not the existence of a completed form — the same principle behind our NIS2 supplier evidence checklist, which is the evidence-tracking sibling of this questionnaire.

Step 3 — Assess, decide, and record. Mark each answer Adequate, Follow-up required, or Deficient; log the follow-ups; record the outcome on the register. The questionnaire collects; the decision belongs to your vendor risk management process, where responses combine with independent verification and risk scoring.

Step 4 — Re-run on cadence. T1 annually, T2 every 12–18 months, T3 at renewal — with event triggers (a vendor incident, a subcontractor change, an expiring certificate) overriding the calendar. Point-in-time questionnaires age fast; the cadence and triggers are what turn a form into oversight.

Legal Basis

Three European regimes shape the question set. GDPRRegulation (EU) 2016/679 — makes processor relationships contractual by law: Article 28(3) prescribes the mandatory DPA content (documented instructions, confidentiality, Article 32 security measures, sub-processor authorisation, data-subject-rights assistance, breach support, deletion or return at exit, audit rights), and section B of the questionnaire verifies each one. Because Article 33 gives you 72 hours to notify your supervisory authority of a breach, question B7 checks that the vendor's own notification window leaves you room to comply.

NIS2Directive (EU) 2022/2555 — makes supply-chain security a mandatory risk-management measure under Article 21(2)(d), assessed per direct supplier under Article 21(3). Section F checks that a supplier incident reaches you fast enough to honour your own Article 23 24-hour early warning, and question I6 secures the evidence pass-through your supply-chain documentation duties require. DORARegulation (EU) 2022/2554 — adds the financial-entity layer: Articles 28–30 govern ICT third-party risk, from the Register of Information (with fields specified in ITS (EU) 2024/2956) to the mandatory contractual provisions of Article 30 and exit strategies under Article 28(8). Section J asks the five questions that make those obligations workable with a vendor — and pairs with our DORA ICT provider evidence checklist for the ongoing register.

The sovereignty section reflects the post-Schrems II reality: the US CLOUD Act reaches data held by US-controlled providers regardless of where it is stored, and FISA Section 702 was central to the CJEU's invalidation of Privacy Shield — which is why questions C4–C5 ask about corporate jurisdiction and transfer impact assessments, not just server locations.

Beyond the EU: UK and Norway

The same question set serves UK and Norwegian buyers with minor reweighting. In the UK, UK GDPR retains Article 28 in substance, so section B applies unchanged, and the Cyber Security and Resilience Bill — before the House of Lords as of mid-2026 — will bring managed service providers and designated critical suppliers into a NIS-style regime with 24-hour initial reporting, making section F's notification questions directly relevant. In Norway, the digitalsikkerhetsloven (in force since 1 October 2025, supervised by NSM) implements NIS-style duties while NIS2 awaits EEA incorporation, and Datatilsynet enforces GDPR Article 28 as EEA law — one questionnaire covers the supplier base across all three jurisdictions.

From Questionnaire to Continuous Assurance

A questionnaire is a snapshot; vendor risk is a stream. Chasing responses, re-scoring answers, and noticing the certificate that lapsed eight months after the form came back — that is where spreadsheet programmes quietly fail. Orbiq's vendor assurance platform runs the same tiering, question sets, and evidence collection continuously, with AI-evaluated responses and an audit trail generated as a by-product of the work. And if you are on the receiving end of questionnaires like this one, our guide to security questionnaire automation covers the response side.


Sources & References

  1. Regulation (EU) 2016/679 (GDPR) — full text — Articles 27, 28, 32, 33.
  2. Directive (EU) 2022/2555 (NIS2) — full text — Articles 21(2)(d), 21(3), 23.
  3. Regulation (EU) 2022/2554 (DORA) — full text — Articles 19, 26–30.
  4. Commission Implementing Regulation (EU) 2024/2956 — ITS on the DORA Register of Information.
  5. CSA — CAIQ v4 (STAR Level 1 security questionnaire) — the free cloud-focused questionnaire, 261 questions.
  6. ENISA — Good Practices for Supply Chain Cybersecurity — supplier assessment practices.
  7. UK Government — Cyber Security and Resilience Bill collection — UK supplier-regime status.

Related Reading

Download this template

Version 1.0 · Updated Jul 13, 2026 · Free, no email required

Frequently Asked Questions

What is a vendor security questionnaire?

A vendor security questionnaire is a structured set of questions a buyer sends to a supplier to evaluate its security posture before and during a business relationship. It covers areas like certifications, data protection terms, access control, incident notification, business continuity, and subcontractors — and each answer should be backed by evidence such as an ISO 27001 certificate or a penetration test summary, not just a self-declaration.

What questions should a vendor security questionnaire include?

A complete questionnaire covers ten areas: company and governance (certifications, security leadership), GDPR Article 28 processor terms, data residency and sovereignty, access control and identity, infrastructure and operations, incident management and notification SLAs, business continuity and disaster recovery, secure development, subcontractors and supply chain, and — for financial-entity buyers — DORA ICT-provider fields. This template ships all ten sections as 67 tiered questions with the evidence to request per question.

How is this different from SIG and CAIQ?

SIG (Shared Assessments) is a licensed US-authored library — the scoped SIG Core set runs to roughly 850 questions and requires an annual fee. CSA's CAIQ v4 is free but cloud-focused (261 questions) and US-framed. Neither asks the questions EU buyers are legally accountable for: Article 28(3) DPA clauses, EU/EEA-only hosting options, CLOUD Act and FISA 702 exposure, NIS2-compatible notification windows, or DORA Register of Information fields. This questionnaire is EU-native, free, and tiered so small vendors get 23 questions rather than 850.

How many questions should I send to each vendor?

Tier your vendors first. This template uses three tiers: critical vendors (T1) answer all 67 questions including the DORA addendum where relevant; standard vendors (T2) answer 46; low-risk vendors (T3) answer a 23-question light set. Sending the full set to every vendor slows procurement and produces worse answers — proportionality gets you better assurance faster.

What evidence should I request with a security questionnaire?

Every material question should name its artefact: an ISO 27001 certificate with scope statement, a SOC 2 Type II report with bridge letter, the latest penetration test executive summary with remediation status, the DPA with Article 28(3) clauses, the public subprocessor list, a contractual incident-notification clause with hours, and BCP/DR test results. Answers without evidence are self-declarations, not assurance.

Is a security questionnaire the same as a vendor risk assessment?

No. The questionnaire is the outbound question set — what you send the vendor to collect self-reported controls and evidence. A vendor risk assessment is the broader internal process that combines those responses with independent verification, risk scoring, and a formal acceptance decision. Use this template to collect; use a vendor risk assessment framework to score and decide.

Free Vendor Security Questionnaire Template (2026) — Excel