Blog — sota.io

2026-05-05·13 min read·

NIS2 changed the accountability equation. Before NIS2, a European enterprise that suffered a supply chain breach could point to its vendor's contract and claim it had taken reasonable steps. After NIS2, that argument no longer holds. Art.21 paragraph 2(d) makes essential and important entities directly responsible for the security of their supply chain — including the SaaS tools their employees use every day. That shift from contractual comfort to direct regulatory accountability is what is driving a new wave of vendor security demands arriving in procurement conversations across Germany, France, the Netherlands, and every other member state where NIS2 has been transposed. Your enterprise customers are not being difficult. They are managing their own NIS2 liability by pushing it upstream to you. This guide covers exactly what enterprise buyers are now requiring from SaaS vendors, why the legal basis is stronger than ever, and what your contracts, certifications, and incident processes need to look like to survive a serious NIS2 procurement review in 2026. ## Why 2026 Is the Year This Escalates NIS2 took effect in EU law in January 2023. Member states had until October 2024 to transpose it into national law. Most did, though with varying degrees of delay. Germany's NIS2UmsuCG — the national implementation act — came into force with its first compliance deadlines hitting in early 2026. BSI, Germany's federal cybersecurity authority, has been conducting active audits. The numbers are uncomfortable: only 39% of assessed essential entities in Germany demonstrate full NIS2 compliance. That means 61% are exposed to fines reaching €10 million or 2% of global annual turnover — whichever is higher. Management liability is personal. Under §38 of the German NIS2UmsuCG, company management can be held personally liable if they fail to implement required security measures. This is not a theoretical risk. German prosecutors have issued personal liability notices in related regulatory areas before. For a CISO or managing director of an essential entity, delegating security oversight to a vendor without proper contractual safeguards is no longer professionally defensible. That personal liability is why procurement teams have become so much more demanding. It is not your enterprise customer being obstructive — it is their managing director refusing to sign a vendor contract that does not give them audit visibility into your security posture. ## The Five Demands Now Arriving in Your Inbox ### 1. Contractual Audit Rights The most common new clause enterprise buyers are adding to SaaS vendor contracts is a right to audit. The language typically reads: "Vendor shall permit Customer or Customer's designated auditor to assess Vendor's information security controls, policies, and practices upon reasonable notice, no more than once per calendar year absent a security incident." This is a direct response to NIS2 Art.21(2)(d), which requires essential entities to assess the security measures taken by suppliers as part of their supply chain risk management program. What "audit right" means in practice varies considerably. At minimum, enterprise buyers want: **Questionnaire responses:** Security questionnaires modelled on CAIQ (Cloud Security Alliance) or BSI C5 criteria, completed annually. This is the table-stakes requirement. If you cannot complete a structured security questionnaire with documented evidence, you will fail the first filter. **Third-party assessment reports:** SOC 2 Type II is the baseline certification most enterprise buyers will accept. ISO 27001 is its European equivalent and increasingly preferred by German buyers who find BSI-familiar frameworks more legible. A fresh report, no older than 12 months, delivered to enterprise customers on request. **On-site or virtual audit rights for critical integrations:** For enterprise buyers who classify your SaaS as critical to their NIS2 scope, they may invoke the right to a walkthrough of your security controls — either virtually via evidence packages or on-site for genuinely critical infrastructure integrations. If your current vendor agreements do not include an audit right clause, new enterprise customers will add one before signing. If your existing customers are renewing, expect this to arrive at the next renewal cycle. **What to prepare:** Document your security controls in a vendor security overview that can be shared under NDA. Engage a SOC 2 or ISO 27001 auditor if you do not already have a report. Agree to questionnaire-based audit rights in contracts — they are operationally manageable and demonstrate good faith. ### 2. Software Bill of Materials and Dependency Transparency NIS2 supply chain security requirements are pushing software transparency demands that were previously confined to government procurement into commercial enterprise contracts. Art.21(2)(d) requires entities to assess the security of their supply chain, including "the security aspects of the relationships between each entity and its direct suppliers or service providers." For your enterprise customers, your SaaS platform is a node in their supply chain. They need to understand what your supply chain looks like. This translates practically into SBOM demands. An SBOM (Software Bill of Materials) is a structured list of all software components, their versions, their licenses, and their known vulnerabilities. The Cyber Resilience Act, which applies to software products sold in the EU, will require SBOMs for covered products by September 2026. Enterprise NIS2 buyers are starting to ask for them now, ahead of the regulatory mandate. What enterprise buyers want to see in your SBOM program: **Current SBOM availability:** Can you produce a CycloneDX or SPDX-format SBOM for your production software on request? This is the baseline. Buyers are not expecting you to publish it publicly — they want to know it exists and that you understand your own dependency graph. **Vulnerability notification process:** When a critical CVE hits a library you depend on (log4shell-style events), what is your process for assessing impact and notifying customers? Enterprise NIS2 buyers need to understand this for their own incident management and supply chain risk workflows. **Dependency update cadence:** How quickly do you patch critical and high vulnerabilities in your dependencies? Enterprise buyers with NIS2 obligations will want to see a policy — not just assurances. For SaaS vendors deployed on European infrastructure and built with modern dependency management (npm, pip, go.mod, Cargo), SBOM generation is a solved technical problem. The tooling — Syft, CycloneDX, Trivy — is free and well-maintained. The gap is usually operational: making SBOM generation part of your build process and having a process for what to do with the output. ### 3. Incident Notification SLAs That Match NIS2 Art.23 This is where contracts are changing most sharply. NIS2 Art.23 establishes a three-stage notification timeline for essential and important entities: - **Early warning:** within 24 hours of becoming aware of a significant incident - **Incident notification:** within 72 hours with initial assessment - **Final report:** within one month Your enterprise customers, as essential or important entities, must meet these timelines with their national authorities. To do that, they need to know about incidents affecting your platform within their own notification windows. That means they need you to notify them before their own 24-hour clock runs out. The contractual language enterprise buyers are now inserting reads approximately: "In the event of a security incident that affects Customer's data or use of the Service, Vendor shall notify Customer within 4 hours of becoming aware of the incident. Initial notification shall include: nature of the incident, estimated scope, affected systems, and immediate containment measures. Vendor shall provide a detailed incident report within 72 hours." Four hours is aggressive. It is also becoming standard in NIS2-driven enterprise contracts. The reasoning is simple: your customer needs 24 hours to file with their NCA. If you take 12 hours to tell them, they have 12 hours left. If you take 20 hours, they are already in breach. **What to prepare:** Your incident response process needs a customer notification step that occurs within 4 hours of containment or assessment decisions — not at the end of your internal investigation. Most startup SaaS vendors have incident response processes designed for internal engineering coordination. They do not have a customer notification step that would satisfy a 4-hour NIS2 commitment. Build a customer notification template now. A short initial notice covering: what we know happened, what data/functionality is affected, what we have done immediately, and when the next update will arrive. This template should be the output of your first incident response step, not the last. Your status page should reflect this. If you do not have a public status page with historical incident records, enterprise NIS2 buyers will flag this. They need documented evidence that you have a functioning incident communication process. ### 4. Management Liability Acknowledgement This one is newer and reflects the personal liability dimension of NIS2. Enterprise procurement teams are inserting representations into vendor contracts that require vendor management to acknowledge awareness of the customer's NIS2 obligations and confirm that the vendor's security posture is consistent with those requirements. The clause typically reads: "Vendor represents that its authorized representative has reviewed Customer's NIS2-related security requirements as set forth in this Agreement and confirms that Vendor's information security management system is consistent with those requirements." This is not about making your CEO sign a legal document. It is about creating a paper trail that shows your enterprise customer's management team did not simply accept vendor assurances — they obtained a vendor representation. If the managing director of an essential entity is personally liable for security failures, their defense requires evidence of due diligence. A vendor representation is one piece of that evidence. What this means for you: be prepared for someone in your management chain to sign a representation clause. Understand exactly what your actual security posture is before you sign. If you claim SOC 2 compliance in a vendor representation and then fail a breach investigation that reveals the SOC 2 was aspirational rather than certified, you have compounded a security incident with a contractual misrepresentation. Be specific. "Consistent with NIS2 requirements as they apply to a SaaS provider serving essential entities" is more defensible than a vague blanket statement. Know which NIS2 obligations apply to you as a supplier (supply chain transparency, incident notification, vulnerability management) versus which apply to your customer as the entity (direct authority notification, management liability, risk management program). ### 5. Certification Baselines: SOC 2 Type II or ISO 27001 Before any of the above four demands arrive in contract language, they are preceded by a certification gating question: "Do you have SOC 2 Type II or ISO 27001 certification?" If the answer is no, an increasing number of enterprise NIS2 buyers will not proceed to contract negotiation at all. Certification has become the entry ticket to serious enterprise conversations. The distinction between Type I and Type II matters. SOC 2 Type I audits your controls as described at a point in time. SOC 2 Type II audits whether those controls actually operated effectively over a period of 6-12 months. Enterprise buyers under NIS2 scrutiny have learned that Type I reports provide limited assurance about operational effectiveness. They are asking for Type II specifically. ISO 27001 is the European-origin alternative. German enterprise buyers often prefer it because BSI guidance explicitly references ISO 27001 as a recognized framework for NIS2 compliance. An ISO 27001 certification, especially one from a German or European accredited certification body, carries weight in NIS2 vendor assessment conversations. For early-stage SaaS companies, the certification path is daunting but manageable: **Scoping:** Your initial certification scope does not need to cover your entire company. A scoped certification covering your core SaaS product and its supporting infrastructure is legitimate and achievable. **Timeframe:** SOC 2 Type II requires a minimum audit period, typically 6 months. With preparation, you can have a Type II report within 9-12 months of starting the process. **Cost:** For a focused scope, SOC 2 Type II from a mid-market auditor runs €15,000-€40,000 annually. ISO 27001 certification from a European body is similar. This cost is recoverable through a single major enterprise contract that would otherwise be blocked by certification requirements. **Platform hosting advantage:** Hosting your infrastructure on certified EU-native platforms simplifies your own certification scope. A platform that already provides documented security controls, transparent incident processes, and GDPR-compliant data processing eliminates one layer of complexity from your auditor's assessment. ## The Practical Vendor Readiness Checklist Enterprise NIS2 buyers are assessing you against a vendor security profile. Here is what that profile needs to contain: **Documentation:** - Information security policy (publicly available or available under NDA) - Incident response process with customer notification SLAs - Vulnerability management policy with patching timelines - Business continuity and disaster recovery documentation - SBOM generation process and delivery mechanism - Sub-processor list with DPAs (for GDPR overlap) **Certifications:** - SOC 2 Type II or ISO 27001 (ideally both, minimum one) - Report freshness under 12 months - Named auditor and audit period clearly documented **Contracts:** - Audit right clause (questionnaire + third-party report delivery) - Incident notification SLA (4-hour initial, 72-hour detailed) - Management representation capability - SBOM delivery on request - Sub-processor change notification process **Operations:** - Public status page with historical incident log - Documented on-call and incident response process - Named security contact for enterprise customers ## What the Supply Chain Security Requirement Means for Infrastructure One dimension of NIS2 vendor assessment that is increasingly prominent: where does the vendor's own infrastructure run? Enterprise NIS2 buyers are conducting not just first-tier but second-tier supply chain assessments. If you are a SaaS vendor running on AWS, your enterprise customer may ask about AWS's own NIS2 posture — specifically, the CLOUD Act exposure that affects any US-operated cloud service. This is the same question that has driven the interest in EU-native cloud providers for enterprise NIS2 compliance purposes. The answer you can give if you host on EU-native infrastructure: your platform is operated by a European entity subject to European law. No CLOUD Act jurisdiction. Your data processing chain is entirely under EU regulatory oversight. For enterprise NIS2 buyers whose legal counsel has flagged US-operated cloud services as a supply chain risk, this is a material differentiator. If you are currently hosting on AWS, Azure, or Google Cloud, this supply chain concern is increasingly appearing in enterprise vendor assessments. The question is not yet universal, but it arrives with predictable frequency in contracts with German essential entities and French operators of essential services who have received ANSSI guidance on supply chain security. ## The Timeline: When to Prepare If you are already in enterprise sales cycles, the NIS2 vendor requirements described here are arriving now. The procurement teams reviewing new vendor agreements in Q2 and Q3 2026 have been instructed by their legal and compliance teams to add these clauses. If you are targeting enterprise expansion in 2026 or 2027, the time to prepare is before you are in the middle of a deal. Starting a SOC 2 Type II audit in the middle of a live enterprise negotiation means you will miss that contract. The sequencing that works: 1. **Now (Q2 2026):** Engage an auditor for SOC 2 Type II or ISO 27001. Scope your initial certification. Begin the observation period. 2. **Q3 2026:** Build your vendor security documentation package. Update your contract templates to include audit right and incident notification clauses. Build your status page if you do not have one. 3. **Q4 2026:** Receive your first certification report. Begin using it in enterprise sales conversations. 4. **2027:** Renew certifications on the annual cycle. Add SBOM delivery to your build process as CRA requirements approach. NIS2 vendor requirements are not a future problem. They are the present procurement reality for any SaaS company selling into European enterprises. The companies that have prepared are winning deals that require this documentation. The ones that have not are watching those deals close without them. --- *sota.io is a European PaaS platform operated entirely under EU jurisdiction, with no US parent company and no CLOUD Act exposure. For SaaS vendors building their NIS2 vendor compliance documentation, hosting on EU-native infrastructure eliminates the supply chain risk question before it arrives in enterprise procurement reviews. [Learn how sota.io supports NIS2 supply chain requirements](/features).*

EU-Native Hosting

Ready to move to EU-sovereign infrastructure?

sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.

Start free — no credit card View pricing