NIS2 Supplier Evidence Request Checklist (Free XLSX & PDF)
Published Jul 3, 2026
By Orbiq Team


Free NIS2 supplier evidence request checklist (XLSX, PDF, MD): evidence categories, criticality tiers, and cadences mapped to Article 21(2)(d) and 21(3).



Version 1.0 · Updated Jul 3, 2026 · Free, no email required

NIS2 Supplier Evidence Request Checklist: Free Template

A NIS2 supplier evidence request checklist is a structured register of the security evidence you request from each direct supplier and service provider — certifications, penetration test summaries, incident-notification SLAs, subcontractor disclosures, and business continuity test results — mapped to Directive (EU) 2022/2555 Article 21(2)(d) and Article 21(3). Each evidence row carries acceptable evidence types and a review cadence tied to the supplier's criticality tier, so your supply-chain oversight is demonstrable at any point an authority asks.

Most teams already run a NIS2 supplier questionnaire. What NIS2 actually tests is whether you can produce evidence: which suppliers are critical, what artefacts you hold for each, when they were last refreshed, and what happens when a supplier goes silent. This free template — available as XLSX, PDF, and a machine-readable Markdown file for AI agents — turns those questions into a working register. It is the operational companion to our guides on vendor assurance under NIS2 and NIS2 supply chain security, which explain why continuous oversight is required; this page gives you the artefact that does it.

Key Takeaways

  • NIS2 Article 21(2)(d) makes supply-chain security a mandatory risk-management measure, covering the security-related aspects of relationships with each direct supplier and service provider — not the supplier base in aggregate.
  • Article 21(3) tells you what to look at: the vulnerabilities specific to each direct supplier, the overall quality of their products and cybersecurity practices — explicitly including secure development procedures — and the results of coordinated risk assessments under Article 22(1).
  • Evidence beats self-declaration. ENISA's supply-chain guidance calls for assessing the quality of suppliers' security practices, and its June 2025 technical implementation guidance names supplier vetting, contractual security clauses, and ongoing monitoring as core expectations.
  • Cadence follows criticality. The template's three-tier rubric assigns each evidence category a refresh frequency per tier, plus event triggers — incident, subcontractor change, certificate expiry — that override the calendar.
  • The stakes are concrete: essential entities face fines up to €10 million or 2% of worldwide annual turnover, important entities up to €7 million or 1.4%, and supervisory authorities can request supply-chain evidence at any time.

What's Inside the Template

The XLSX contains four sheets: a Supplier Register, the Evidence Checklist itself, a Criticality Rubric, and an Instructions sheet. The PDF mirrors the checklist for print and review meetings; the Markdown variant carries the full structure with YAML metadata so an AI agent can run an evidence request end to end.

The core of the template is the evidence checklist — in effect a NIS2 supply chain requirements checklist, row by row. Here is a preview of the actual rows:

| Evidence category | What to request | Acceptable evidence types | Cadence (Tier 1 / 2 / 3) | NIS2 anchor |
| --- | --- | --- | --- | --- |
| Certifications & independent assurance | Current certificate or attestation covering the service you buy | ISO 27001 certificate with scope + validity; SOC 2 Type II report (+ bridge letter if >12 months) | Annual + expiry alerts / Annual / Every 3 years | Art. 21(3) — quality of cybersecurity practices |
| Penetration testing | Most recent pentest executive summary | Summary with scope, methodology, findings severity, remediation status — not the full exploit report | Annual / Annual / Self-attestation | Art. 21(2)(e), (f) |
| Vulnerability & patch management | Patching SLAs and time-to-patch metrics | Vulnerability management policy; metrics for critical CVEs over the last 6–12 months | Quarterly metrics / Annual / Onboarding | Art. 21(2)(e) |
| Secure development | SDLC security practices for software suppliers | Secure development policy; SAST/DAST evidence; SBOM for critical software | Annual / Annual / n/a | Art. 21(3) — secure development procedures |
| Incident notification SLA | Contractual commitment to notify you of incidents affecting your service | Signed clause with notification window (hours), named contacts, escalation path | Verify at onboarding + annually / Annual / Contract review | Art. 21(2)(b); feeds your Art. 23 timeline |
| Subcontractor disclosure | Current subcontractor/subprocessor register + change-notification commitment | Register with entities, locations, services; flow-down security clause evidence | Quarterly or on change / Annual / Onboarding | Art. 21(2)(d) |
| Business continuity & DR | BCP/DR covering your service, with RTO/RPO and test evidence | Plan extract; most recent test report with date, scenario, corrective actions | Annual test evidence / Annual confirmation / Attestation | Art. 21(2)(c) |
| Access control & encryption | IAM and cryptography posture for systems touching your data | MFA/PAM policy; sample access review; encryption standards in transit and at rest | Annual / Annual / Attestation | Art. 21(2)(i), (j) |

Each row in the XLSX also carries workflow fields — date requested, date received, status, reviewer — so the register doubles as your audit trail.

How to Use It: Tiering, Cadence, Escalation

Step 1 — Tier every supplier. The Criticality Rubric scores each direct supplier on three dimensions: service dependency (would an outage disrupt your essential or important service?), access (production systems, sensitive data, network connectivity), and substitutability. Tier 1 suppliers get the full evidence set; Tier 2 a core set; Tier 3 a lightweight attestation. This is how you honour Article 21(3)'s "vulnerabilities specific to each direct supplier" without drowning in paperwork — proportionality is built into the directive's "appropriate and proportionate" standard.

Step 2 — Run the evidence cadence. Each checklist row states its refresh frequency per tier. Calendar cadence is the floor, not the ceiling: event triggers — a supplier incident, a new subcontractor, an expiring certificate, a change in service scope — override the schedule and prompt an immediate re-request for the affected categories only. That event-driven pattern is exactly what separates vendor oversight from point-in-time assessment.

Step 3 — Escalate on silence. The template ships with a four-stage escalation workflow: reminder at 10 business days, escalation to the commercial owner at 20, formal notice invoking the contract's audit/evidence clause at 30, and a documented risk decision — acceptance, compensating controls, or termination review — at 45. Every stage is logged, because an escalation trail is itself evidence that your oversight operates. Authorities supervising essential and important entities can require proof of Article 21 measures at any time, and auditors increasingly ask for exactly this kind of documentation.
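The three steps above (tier, cadence, escalate on silence) as a small register engine in Python. This is an added example, not the template's own code or the XLSX logic: the rubric cut-offs, the mapping of each event trigger to evidence categories, and the choice of 91 days for "quarterly" are assumptions; the cadence intervals and the 10/20/30/45 business-day escalation ladder follow the text.

```python
from datetime import date, timedelta

# Step 1, criticality rubric: each dimension scored 0-2. These cut-offs are an
# assumption for this example; the template's own rubric sets its own.
def tier_for(service_dependency: int, access: int, substitutability: int) -> int:
    score = service_dependency + access + substitutability
    return 1 if score >= 5 else 2 if score >= 3 else 3

# Step 2, refresh interval in days per category and tier, from the checklist
# rows above; None means no calendar refresh (onboarding-only or attestation).
CADENCE_DAYS = {
    "certifications": {1: 365, 2: 365, 3: 3 * 365},
    "pentest":        {1: 365, 2: 365, 3: None},
    "subcontractors": {1: 91,  2: 365, 3: None},   # 91 days = "quarterly" (assumed)
}
# Event triggers override the calendar for the affected categories only; which
# categories each event touches is an assumption for this example.
EVENT_TRIGGERS = {
    "incident":             {"pentest", "certifications"},
    "subcontractor_change": {"subcontractors"},
    "certificate_expiry":   {"certifications"},
}
# Step 3, four-stage escalation ladder in business days without a response.
ESCALATION = [(10, "reminder"), (20, "commercial owner"),
              (30, "formal notice"), (45, "risk decision")]

def business_days_between(start: date, end: date) -> int:
    """Count Monday-to-Friday days after `start` up to and including `end`."""
    days, day = 0, start
    while day < end:
        day += timedelta(days=1)
        days += 1 if day.weekday() < 5 else 0
    return days

def next_due(last_received: date, category: str, tier: int):
    """Calendar floor: the date this category must be refreshed for the tier."""
    interval = CADENCE_DAYS[category][tier]
    return None if interval is None else last_received + timedelta(days=interval)

def rerequest_on_event(event: str) -> set:
    """Categories to re-request immediately, for every tier, ignoring the calendar."""
    return set(EVENT_TRIGGERS[event])

def escalation_stage(requested: date, today: date, received: bool = False):
    """Highest escalation stage an unanswered request has reached, or None."""
    if received:
        return None
    elapsed = business_days_between(requested, today)
    reached = [label for days, label in ESCALATION if elapsed >= days]
    return reached[-1] if reached else None
```

Every stage returned by `escalation_stage` should be written to the register's workflow fields, since the escalation trail is itself the evidence that oversight operates.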

Legal Basis

The checklist is anchored in Directive (EU) 2022/2555 (NIS2), in force since 16 January 2023 with a transposition deadline of 17 October 2024. Article 21(2)(d) lists "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers" among the minimum risk-management measures. Article 21(3) requires entities to take into account the vulnerabilities specific to each direct supplier and service provider, the overall quality of their products and cybersecurity practices — including their secure development procedures — and the results of coordinated security risk assessments of critical supply chains under Article 22(1).

The incident-notification SLA row ties into Article 23, which obliges you to file an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. You cannot meet those windows if a supplier incident reaches you late — which is why the supplier's notification clause is an evidence item, not a nice-to-have. Our guide to Articles 21 and 23 together covers this dependency in depth.

For digital-infrastructure and ICT-service entities, Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 specifies the technical and methodological requirements, and ENISA's Technical Implementation Guidance (June 2025) details supplier vetting, contractual clauses, and ongoing monitoring as implementation expectations. ENISA's earlier Good Practices for Supply Chain Cybersecurity (June 2023) recommends maintaining a documented supplier list, defining risk criteria per supplier type, and periodically reviewing suppliers' ability to meet security requirements — the template's register and rubric implement those practices directly. Transposition is still uneven — the Commission escalated infringement proceedings to reasoned opinions against 19 member states in May 2025, and by mid-2026 most but not all member states have national laws in force (Germany's NIS2UmsuCG, for instance, took effect on 6 December 2025). Your obligations bind once your member state's law applies — but your suppliers' customers are asking now. See the NIS2 directive overview for the full transposition picture.

Beyond the EU: UK and Norway

The same checklist logic extends across the European map. The UK is replacing its NIS 2018 regulations through the Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025 and before the House of Lords as of mid-2026, with Royal Assent expected late 2026. It brings managed service providers, eligible data centres, and regulator-designated "critical suppliers" into direct scope, with 24-hour initial and 72-hour full incident reporting — so UK suppliers should expect evidence requests of exactly this shape. Norway applies the original NIS Directive through the digitalsikkerhetsloven, in force since 1 October 2025 and supervised by NSM (which also runs the national CSIRT), while NIS2 awaits incorporation into the EEA Agreement. If your supplier base spans the EU, UK, and EEA, one evidence register with jurisdiction-aware notes — as this template provides — beats three parallel spreadsheets.

From Checklist to Continuous Assurance

A spreadsheet proves you have a process; it cannot chase suppliers, re-score responses, or alert you when a certificate lapses. When the register outgrows manual upkeep, Orbiq's vendor assurance platform runs the same tiering, evidence collection, and escalation workflow continuously — with AI-evaluated responses and an audit trail generated as a by-product of the work.


Sources & References

  1. Directive (EU) 2022/2555 (NIS2) — full text — Articles 21(2)(d), 21(3), 22, 23, and 34.
  2. Commission Implementing Regulation (EU) 2024/2690 — technical and methodological requirements for digital-infrastructure entities.
  3. ENISA — Technical Implementation Guidance on Cybersecurity Risk Management Measures — June 2025, version 1.0.
  4. ENISA — Good Practices for Supply Chain Cybersecurity — June 2023.
  5. European Commission — NIS2 Directive policy page — transposition status and infringement actions.
  6. UK Government — Cyber Security and Resilience Bill collection — bill documents and factsheets.
  7. NSM — Norwegian National Cyber Security Centre — Norway's national CSIRT and supervisory context.


Frequently Asked Questions

What is a NIS2 supplier evidence request checklist?

A NIS2 supplier evidence request checklist is a structured register of the security evidence an essential or important entity requests from each direct supplier and service provider — certifications, penetration test summaries, incident-notification SLAs, subcontractor disclosures, and BCP/DR test results — mapped to NIS2 Article 21(2)(d) and Article 21(3), with a review cadence tied to each supplier's criticality tier.

What evidence should I request from suppliers under NIS2?

Core categories include: a valid ISO 27001 certificate with scope statement (or SOC 2 Type II report with bridge letter), the latest penetration test executive summary with remediation status, vulnerability management and patching SLAs, secure development evidence (Article 21(3) explicitly names secure development procedures), a contractual incident-notification SLA aligned to the Article 23 timeline, a current subcontractor/subprocessor register, and BCP/DR plans with the most recent test report.

How often should suppliers re-submit evidence under NIS2?

NIS2 sets no fixed interval — measures must be appropriate and proportionate. In practice, mature programmes reassess Tier 1 (critical) suppliers annually with quarterly monitoring of certificates and metrics, Tier 2 suppliers annually, and Tier 3 suppliers at onboarding and every three years or at contract renewal — plus event-triggered re-requests for all tiers after incidents, subcontractor changes, or certificate expiry.

Does NIS2 require evidence from every supplier?

Article 21(2)(d) targets the security-related aspects of relationships with each entity's direct suppliers and service providers, and Article 21(3) requires taking into account the vulnerabilities specific to each direct supplier. Proportionality applies: a criticality-tier rubric lets you request the full evidence set from suppliers that support essential services and a lightweight attestation from low-risk vendors.

Is a supplier questionnaire the same as an evidence request?

No. A questionnaire collects self-declarations; an evidence request collects verifiable artefacts — certificates, audit reports, test summaries, contract clauses. ENISA's supply-chain guidance stresses evaluating the quality of a supplier's security practices, not just the existence of documentation, so questionnaire answers should be backed by evidence for anything material.

Does this checklist apply to UK and Norwegian suppliers?

Yes, with adjustments. The UK's Cyber Security and Resilience Bill (before the House of Lords as of mid-2026) will bring managed service providers, data centres, and designated critical suppliers into a NIS-style regime, and Norway's digitalsikkerhetsloven (in force 1 October 2025) implements NIS1 while NIS2 awaits EEA incorporation — so the same evidence categories serve suppliers across the EU, UK, and EEA.
