The problem: NIS2 obliges ~160,000 EU entities across 18 sectors to manage supply-chain security (Article 21) — roughly tenfold the scope of NIS1 (European Commission). Those entities push requirements down to their suppliers, regardless of the supplier's size. The measurable result: the average vendor now responds to 37.3 assessment requests per month, consuming ~179 hours — a full-time workload (Whistic 2025 TPRM Impact Report).
Where transposition stands (verified July 2026)
22 of 27 member states have transposed NIS2. Denmark: Act no. 434, in force 1 July 2025 (retsinformation.dk). Sweden: Cybersäkerhetslagen, in force 15 January 2026. Germany: NIS2UmsuCG, in force 6 December 2025 (~29,500 entities per BSI). The Netherlands: Cyberbeveiligingswet expected in force mid-August 2026, pending the Senate vote of 7 July 2026 (Eerste Kamer). If your customers are in any of these markets, the cascade has already started.
Your options as a supplier
1. GRC subscription platforms (Vanta, Drata, Secureframe, Sprinto). Strong if you need continuous certification automation; typical contracts run ~$4,000–$80,000/year depending on scope. Overkill if you only need to answer attestation requests.
2. Trust-center / questionnaire tools (SafeBase, Conveyor). Deflect repeat questionnaires well once you have evidence to publish; Conveyor publishes pricing from $9,600/year plus a free tier. They organise your answers — they do not write your NIS2 evidence for you.
3. Free templates (e.g. GitHub nis2-sme-toolkit). €0 and a real starting point, but everything is DIY: no source-citation against the legal text, no verification layer, and your customer's auditor knows a generic template when they see one.
4. Consultancies. Highest quality ceiling, hourly or project pricing (often €10,000+ for a documented supplier-security package), lead times in weeks. The right choice for complex, regulated setups.
5. Fixed-price, signed attestation packs (PowerQuant). A middle path we built for the SMB vendor who was just asked for evidence in a deal: fixed price (from EUR 1,499, 5 business days), self-serve, EU-hosted, every claim source-cited to the regulation text, and Ed25519-signed so the requesting party can verify the evidence cryptographically — no vendor trust required.
How to choose
Continuous certification requirements from most of your customers → option 1.
Lots of repeat questionnaires and existing evidence → option 2.
Time-rich, budget-poor → option 3.
Complex/regulated environment → option 4.
One or a handful of concrete requests blocking deals right now → option 5.
PowerQuant ApS (CVR 46274067, Copenhagen) provides technical documentation, not legal advice or certification. Figures verified against linked sources, July 2026.