Security questionnaires from customers: how to pass them
More and more B2B deals hinge on a document you never asked for: the customer's security questionnaire. It arrives late in the sales cycle, it is long, and it has to be answered quickly, or the deal stalls or dies. For software and IT vendors it is now one of the most recurring and underestimated bottlenecks in sales.
Why do we get security questionnaires at all?
Because your customers are legally required to ask. NIS2 (Directive (EU) 2022/2555) obliges essential and important entities to manage security across their entire supply chain. National transposition is largely complete across the EU, with dates varying by member state (Denmark 1 July 2025, Sweden 15 January 2026; the Netherlands expected around mid-2026 pending final approval).
So even if you are not directly in scope, the cascade reaches you through your customers: a regulated customer must require documentation, contract clauses and ongoing evidence from its suppliers, regardless of the supplier's size. That makes the real addressable group far larger than the directly regulated set.
What NIS2 Article 21 requires of you as a vendor
- Supply-chain security: the customer must be able to document your security as a subprocessor, including data access, hosting region and a security contact.
- Incident handling: the customer has 24-hour early warning and 72-hour incident notification to the authority, so they often require a contractual 12-24 hour vendor-to-customer SLA.
- Continuity: can your service keep running, and is there an exit plan?
- Cyber hygiene and training: documented security training for staff who touch customer data.
Fines reach up to EUR 10 million or 2% of global turnover for essential entities.
Where the EU AI Act comes in
If your product contains AI, extra fields appear:
- Article 50 transparency: AI that interacts with people or generates content must be disclosed or labelled. Applies from 2 August 2026. Fines up to EUR 15 million / 3%.
- Article 4 AI literacy: in force since 2 February 2025. The Digital Omnibus proposes softening the wording (Council green light 29 June 2026), but it is not yet published in the Official Journal and is not yet law.
- High-risk (Annex III), e.g. recruitment AI: operative 2 August 2026 under current law; the Omnibus proposes deferral to 2 December 2027 (not in force).
Which questionnaires are we talking about?
SIG (Standardized Information Gathering), CAIQ (Consensus Assessment Initiative Questionnaire), the customer's own bespoke form, and a growing expectation of a public trust center for self-service.
How to answer fast without starting over every time
- Build a reusable answer bank linked to the underlying evidence.
- Collect audit-ready evidence: an answer without documentation is not provable in practice.
- Make the proof verifiable: cryptographically signed evidence with clear dating and named human sign-off clears the customer's doubt faster than a spreadsheet.
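What "verifiable proof" means in practice, as an added example that is not PowerQuant's code or package format: a small evidence manifest (control name, SHA-256 of the attached evidence file, issue date, named signer) is signed with Ed25519, and the customer's check fails if either the manifest or the attached evidence is altered after signing. The manifest field names, the sample evidence text and the signer name are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// EvidenceManifest is the signed part of an evidence package: what the evidence
// is (by hash), when it was issued and which named human signed it off.
// Field names are assumptions for this example, not a vendor's real format.
type EvidenceManifest struct {
	Control        string `json:"control"`
	EvidenceSHA256 string `json:"evidence_sha256"`
	IssuedAt       string `json:"issued_at"`
	SignedOffBy    string `json:"signed_off_by"`
}

// canonical returns the exact bytes that get signed. encoding/json emits struct
// fields in declaration order without whitespace, so signer and verifier agree.
func canonical(m EvidenceManifest) ([]byte, error) { return json.Marshal(m) }

// SignManifest hashes the evidence file, fills in the manifest and signs it.
func SignManifest(priv ed25519.PrivateKey, control, issuedAt, signer string, evidence []byte) (EvidenceManifest, []byte, error) {
	sum := sha256.Sum256(evidence)
	m := EvidenceManifest{Control: control, EvidenceSHA256: hex.EncodeToString(sum[:]), IssuedAt: issuedAt, SignedOffBy: signer}
	msg, err := canonical(m)
	if err != nil {
		return m, nil, err
	}
	return m, ed25519.Sign(priv, msg), nil
}

// VerifyPackage is what the customer runs: the signature must verify under the
// vendor's public key, and the attached evidence must hash to the committed value.
func VerifyPackage(pub ed25519.PublicKey, m EvidenceManifest, sig, evidence []byte) bool {
	msg, err := canonical(m)
	if err != nil || !ed25519.Verify(pub, msg, sig) {
		return false
	}
	sum := sha256.Sum256(evidence)
	return hex.EncodeToString(sum[:]) == m.EvidenceSHA256
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	evidence := []byte("constructed sample: quarterly access review, 3 stale accounts removed")
	m, sig, _ := SignManifest(priv, "NIS2 Art. 21 access control", "2026-06-30T09:00:00Z", "J. Doe, CISO (constructed)", evidence)
	fmt.Println("package valid:", VerifyPackage(pub, m, sig, evidence))
	m.IssuedAt = "2026-12-31T09:00:00Z" // any edit to a signed field invalidates the signature
	fmt.Println("after changing the date:", VerifyPackage(pub, m, sig, evidence))
}
```

The customer must obtain the vendor's public key out of band (for example from the trust center), otherwise a forged package could simply ship its own key.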
How PowerQuant helps
PowerQuant delivers your compliance evidence as a cryptographically signed package (Ed25519), hosted in the EU, with named human sign-off, built to attach directly to a security questionnaire or a trust center.
- Take the free 2-minute scope check to see exactly which NIS2 and AI Act requirements apply to you.
- Quick Scan (fixed price): a signed readiness report you can send to the customer.
Frequently asked questions
Are we in scope if we are just a small SaaS vendor? Maybe not directly, but if you supply customers in regulated or critical sectors, NIS2 reaches you through their supplier requirements, regardless of your size.
Does an ISO 27001 or SOC 2 certification replace the questionnaire? It helps a lot but rarely replaces it entirely. Customers often ask for both plus evidence specific to their requirements.
Does the AI Act apply to us if we only use AI internally? Article 4 on AI literacy already applies to organisations that use AI, including internally.
Indicative overview, not legal advice. Dates and amounts verified against Regulation (EU) 2024/1689, Directive (EU) 2022/2555 and national transposition as of 1 July 2026. Digital Omnibus changes are marked as proposals and are not yet published in the Official Journal.