Article 21 of the NIS2 Directive requires essential and important entities to take technical and organisational measures to manage cybersecurity risks in their supply chains. This is not a recommendation: it is a regulatory obligation affecting over 160,000 entities across Europe according to ENISA estimates. Those entities must evaluate and, in many cases, demand formal security evidence from their ICT and digital service suppliers.

For companies selling to that universe of entities, this changes the rules of the market. Cybersecurity compliance has moved from being an internal matter to becoming a selection criterion in tenders, procurement processes and customer due diligence. Ignoring it now has a direct commercial cost.

Why NIS2 creates procurement pressure on suppliers

Article 21(2)(d) of NIS2 lists supply chain security as one of ten mandatory security measures. This explicitly includes “security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure” and aspects relating to “the relationships between the entity and its direct suppliers or service providers”.

In practice, NIS2 entities must:

  • Identify which ICT and digital service suppliers are critical to their operations.
  • Assess the security level of those suppliers before and during the contractual relationship.
  • Include contractual clauses allowing them to verify supplier compliance and require incident notification.
  • Document that assessment before their national supervisory authorities.

The result is a cascade effect: each NIS2 entity turns what was previously an internal IT-department question into a supplier selection criterion. If a supplier cannot demonstrate an acceptable security level, the NIS2 entity cannot include it in its supply chain without assuming regulatory risk.

What NIS2 entities actually require from their suppliers

Procurement departments and security teams at NIS2 entities do not always have a standardised process, but the requirements that appear repeatedly in supplier approval processes are:

  • Current ISO 27001 certification or, alternatively, a recent security audit report conducted by an independent third party.
  • Penetration test results no older than 12-24 months, accompanied by a remediation plan for the findings.
  • Information security policy documented and approved by management.
  • Business continuity plan and disaster recovery plan covering cyberattack scenarios.
  • Incident notification procedure: the supplier must commit to notifying the client within specific timeframes if it suffers an incident that could affect the services provided.
  • Security questionnaires (CAIQ, SIG, or client-specific questionnaires) completed and up to date.
  • DPA (Data Processing Agreement) when the service involves access to personal data.

The demand for each of these elements varies depending on the type of NIS2 entity, its sector and the criticality of the service the supplier provides. However, a supplier arriving at an approval process without any of this evidence has little chance of passing the technical due diligence phase.

2 distinct positions in the market

Not all companies relate to NIS2 in the same way. There are two commercially relevant positions:

  • Position 1: you are an NIS2 entity yourself. If your company operates in a sector covered by NIS2 (energy, transport, health, digital infrastructure, managed ICT services, among others) and exceeds the size thresholds, you are likely an important or essential entity. In that case, NIS2 compliance is mandatory, but it is also a market signal: you are subject to regulatory supervision, you must demonstrate an audited security level and your customers can cite it as a reason for trust. It is the equivalent of what it means for a financial services company to be regulated by the ECB or a national financial authority.
  • Position 2: you sell to NIS2 entities without being one yourself. Here the argument is not “we comply with NIS2 because it obliges us” but “our security program is aligned with the requirements your regulation obliges you to verify in your suppliers”. For SaaS companies selling to regulated sectors, this position is the most common and, when well articulated, is a real differentiator against competitors who have not formalised their security.

What evidence B2B buyers ask for

The question that most confuses sales teams is “what exactly proves NIS2 compliance?”. The honest answer is that NIS2 does not have its own certification scheme. There is no “NIS2 certified” seal issued by any accredited body. What does exist is the following:

ISO 27001: The most globally recognised information security standard and the one with greatest acceptance as evidence of NIS2 alignment in European procurement processes. A current ISO 27001 certification covers most of the controls in Article 21 of NIS2 and is understood by buyers across all sectors. For a detailed comparison with other audit standards, the analysis of ISO 27001 vs SOC 2 for EU companies explains the recognition differences in the European market.

SOC 2 Type II: More common in US-origin companies. Recognised in the EU but with less specificity with respect to NIS2. Works well as complementary evidence but rarely satisfies the due diligence requirements of a European NIS2 entity on its own.

Own NIS2 compliance documentation: If the company is an NIS2 entity, it can provide documentation from its compliance program: security policy, risk assessment, audit results. This is the most direct evidence but also the least standardised.

Completed standard questionnaires: The CAIQ (the Cloud Security Alliance questionnaire based on its Cloud Controls Matrix) and the SIG (Standardized Information Gathering Questionnaire) are recognised instruments that many buyers accept as due diligence evidence.

The practical point for a sales team: arriving with the evidence folder prepared, without waiting for the client to ask for it, shortens the enterprise sales cycle by weeks and eliminates one of the most frequent reasons for stalling in procurement.

How to use NIS2 as a sales argument without overclaiming

The line between a solid argument and an overclaim that can create legal or reputational problems is thinner than it appears. Here are the formulations that work and those to avoid:

What can be said with substance:

  • “We operate as an important entity under NIS2 and are subject to regulatory supervision in cybersecurity matters.”
  • “Our security program is designed to meet the requirements of Article 21 of NIS2, documented and audited by [name of auditor].”
  • “We hold ISO 27001 certification, which covers the security controls that NIS2 requires to be verified in suppliers of in-scope entities.”
  • “We include in our contracts the incident notification clauses and audit rights that your NIS2 program requires you to include in contracts with critical suppliers.”

What to avoid:

  • “We are NIS2 certified” (that certification does not exist).
  • “We comply with NIS2” as an unsupported declaration: it can be interpreted as a contractual representation if the client includes it in the contract.
  • Equating ISO 27001 fully with NIS2 compliance, ignoring that there are NIS2 aspects (incident notification to authorities, specific management governance) that ISO 27001 does not cover directly.

5 common mistakes when using compliance as a commercial argument

Based on what we see in approval and tender processes, these are the mistakes that most often prevent compliance from becoming a real commercial advantage:

1. Not knowing whether the client is an NIS2 entity: The argument is completely different if the buyer is an essential entity under NIS2 (with due diligence obligations over its suppliers) versus a mid-sized company outside scope. Entering the conversation without that data makes the argument generic and unconvincing.

2. Confusing obligation with differentiation: For buyers who have already matured their security requirements, ISO 27001 is a minimum threshold, not a differentiator. The real differentiator is the quality of the documentation, transparency about findings and remediations, and the ease of the questionnaire response process.

3. Presenting outdated evidence: A three-year-old penetration test or an expired ISO 27001 certification creates more doubt than confidence. Sophisticated buyers check dates and ask for the findings remediation plan, not just the report.

4. Not having a prepared technical contact: In advanced stages of enterprise procurement, buyers want to speak with the CISO or security manager, not just the sales team. If that contact is not aligned with the commercial narrative, the process loses consistency.

5. Treating compliance as a destination rather than a process: Telling a client that “we already comply with NIS2” implies the program is finished, which no auditor or supervisor will validate. The correct framing emphasises the continuous process: active risk management, periodic audits, documented improvement.

How PrivaLex helps

Most compliance programs are designed with the supervisory authority as the only audience in mind. PrivaLex works with companies that also need their compliance program to be readable and convincing for their B2B clients, without that implying overclaiming or creating contractual risks.

The specific work we do in this context includes:

  • Current position audit. We assess what evidence the company has today (certifications, audit reports, policies, pen test results) and compare it against what the most demanding NIS2 buyers in the sector require. The result is a clear gap map: what is missing, what is outdated and what exists but is not documented in a format that works in procurement.
  • Evidence package design. We build or update the security documentation in the format actually used in enterprise due diligence: executive security summary, controls sheet aligned with NIS2 Art. 21, predefined responses to the most common questionnaires (CAIQ, SIG, major client sector-specific questionnaires).
  • Commercial narrative alignment. We work with the sales team to define what can be said, how to say it and which documentation backs each statement. The goal is for the sales team to have the confidence to discuss security in early conversations and know how to escalate correctly when the process reaches the technical phase.
  • Preparation for client audits. When an NIS2 client exercises its audit rights over a supplier, prior preparation makes the difference between an audit that strengthens the commercial relationship and one that puts it at risk. We support the NIS2 audit preparation process both when the client is the one being audited and when it is the one conducting the audit.
  • Contractual clauses. We review service contracts to ensure they include the clauses that NIS2 clients need to incorporate (incident notification, audit rights, subcontracting, service continuity) and that those clauses are operationally manageable for the service provider.

Conclusion

NIS2 has turned cybersecurity into a purchasing criterion for tens of thousands of European companies. Companies selling to that market have two options: wait until clients demand evidence at the worst possible moment in the sales cycle, or build that package proactively and use it as a commercial tool. The difference between the two positions is not only operational: in sectors where procurement cycles are long and selection criteria increasingly include supplier security, arriving prepared shortens timelines and eliminates obstacles that in some cases mean losing contracts to better-documented competitors.

If you want to know exactly where your company stands in relation to what your NIS2 clients are going to ask for, request your free risk assessment or book a session with our team.

Frequently Asked Questions

Is there a “NIS2 certification”?

No official certification called “NIS2” exists. NIS2 is a European directive that establishes obligations for entities within its scope, but it does not create a certification scheme with its own seal the way ISO 27001 does. What exists is the obligation to comply with the requirements of Article 21 and to demonstrate that compliance before national supervisory authorities. The standard most widely recognised as evidence of NIS2 alignment in procurement processes is ISO 27001, complemented by specific documentation of the aspects that ISO 27001 does not cover directly (incident notification to authorities, management governance).

Does NIS2 matter to my company if it is not an NIS2 entity?

Yes, especially if you sell to companies that are in scope. NIS2 requires essential and important entities to verify the security of their critical ICT and digital service suppliers. If you are that supplier, the fact that your company is not formally an NIS2 entity does not exempt you from having to demonstrate an acceptable security level to your clients. In practice, companies that voluntarily align their security program with NIS2 have an advantage in the supplier approval processes of energy companies, healthcare organisations, digital infrastructure operators and the financial sector, all of which are NIS2 sectors.

Is ISO 27001 enough to satisfy NIS2 clients?

ISO 27001 is the most recognised evidence and the one that best satisfies most of what NIS2 buyers ask for. However, it is not sufficient on its own in all cases. The aspects that ISO 27001 does not cover directly, and which demanding NIS2 clients typically ask for in addition, are: a documented incident notification procedure with specific timelines toward the client, the supplier’s own supply chain management policy (what it requires from its own sub-suppliers), and in some cases recent penetration test results. A supplier with ISO 27001 plus those complements is well positioned to pass the due diligence of virtually any NIS2 entity.

What is the difference between “NIS2 compliant” and “aligned with NIS2”?

“NIS2 compliant” implies the company is formally within the directive’s scope and meets its regulatory obligations, including supervision by the national competent authority. Only entities that are genuinely essential or important under NIS2 and have their compliance program in order can say this rigorously. “Aligned with NIS2” indicates that the company’s security program is built following Article 21 requirements, even without a direct regulatory obligation. This second formulation is appropriate for companies that are not formally NIS2 entities but have designed their security according to that framework. The distinction matters because using “compliant” without being so can create contractual liability if the client includes it in the contract.

How do I know whether my client is an NIS2 entity?

The starting point is the sector: Annexes I and II of NIS2 list the highly critical sectors and the important sectors. If your client operates in energy, transport, health, digital infrastructure, banking, water or public administration, they are almost certainly an NIS2 entity. If they operate in waste management, chemicals, food or postal services, they are likely an important entity. Size also matters: generally only medium and large companies apply (over 50 employees and €10M turnover), though there are exceptions for critical infrastructure regardless of size. When in doubt, you can ask your client directly which category they fall into, which also opens a commercially relevant conversation about how you can help them with their supplier management requirements.

Which contractual clauses do NIS2 clients ask their suppliers to accept?

The clauses that NIS2 clients routinely incorporate in contracts with ICT and digital service suppliers are: an obligation to notify security incidents affecting the services provided within specific timeframes (generally 24-72 hours from detection), the client’s right to conduct or commission security audits of the supplier, restrictions or requirements for subcontracting (the supplier must disclose critical sub-suppliers and assume responsibility for their security), an obligation to maintain valid ISO 27001 or equivalent certification throughout the contract term, and cooperation protocols in case of an incident affecting the client. Including these clauses proactively in the contract drafts the supplier sends accelerates negotiation and is a sign of maturity that NIS2 buyers value.

How long does it take to prepare an evidence package that NIS2 clients will accept?

It depends on the starting point. A company that already has documented security policies, basic incident management processes and a recent penetration test can have an evidence package acceptable for most due diligence processes in 4-8 weeks, mainly by documenting and structuring what it already has. A company starting from scratch needs between 3 and 6 months to build a minimum credible program: risk assessment, management-approved policies, business continuity plan, penetration test and standard questionnaire responses. Full ISO 27001 certification typically takes 6 to 18 months depending on organisational complexity, though it is possible to have a program in line with NIS2 without having completed the formal certification.