When your customer asks for your security evidence.
If your customer is using Supply Chain Assurance to assess you, you'll receive request packs from them via the platform. This page explains what to expect, how to navigate it, and how to make next year's assessment easier than this year's.
Microsoft Azure, EU regions only.
Full list, updated on every change. DPA template available before the deal.
Hash-anchored, signed, decision-traced. Stands up six months later, unchanged.
Your customer is preparing for NIS2 — and you're in their supply chain.
Most likely your customer is preparing for NIS2 compliance, or another framework like DORA, ISO 27001 supplier provisions, or their own internal risk programme. They need documented evidence of how their suppliers — including you — manage cybersecurity.
Article 21(2)(d) of NIS2 specifically requires regulated entities to assess the cybersecurity posture of their suppliers and document the evidence behind those decisions. This isn't bureaucracy for its own sake — it's a real shift in how supply chain assurance works in the EU, and it's affecting every supplier of every regulated business.
A clear list of what's being asked — and when it's due.
- Evidence items your customer has requested (e.g. ISO 27001 certificate, sub-processor list, privileged-access policy)
- Clear deadlines for each item
- Upload directly, or link a URL where the evidence already lives
- A note field for context the reviewer should know
- Save as draft — your progress is kept if you get interrupted
You see only what's been requested of you. You don't see other suppliers' submissions.


Your submission. Their review. Both sides in sync.
Your customer's reviewers see only your submission — not anything you've sent to other customers. They work through the evidence you've uploaded, mark items approved or send them back for clarification, and you see every update in your dashboard.
No more chasing email threads. No more wondering if your documents arrived. The review is tracked, both sides see the same status, and you get notified when something needs attention.
It gets easier every time.
Answer once, reuse across customers.
When you upload evidence to one customer's pack, the platform remembers. Next time another customer asks for the same artefact, you reuse it with one click. No more re-keying the same answers across five different vendor questionnaires.
Predictable review loop.
You see when your customer reviewed each item, what they approved, and what they sent back for clarification. No more "did they get my email?" loops.
Build a posture portfolio.
Over time, your evidence library becomes a reusable asset — useful for new customer assessments, audit prep, and your own internal review. The same artefact, defended once, defending you everywhere.
Your customer invites you. You click through.
You'll receive an email invitation from your customer. Click through, set up your account, and their request pack will be waiting for you. Suppliers aren't onboarded proactively — your customer initiates the relationship.
If you're expecting requests but haven't received an invitation, ask your customer's compliance contact to invite you, or get in touch directly.
Common questions
Do I have to pay to use this?
No. Suppliers don't pay anything. Your customer is the one running the platform; you receive request packs, upload evidence, and respond. There's no charge to suppliers.
What if I don't have a SOC 2 or ISO 27001 certificate?
That's normal. Most mid-market suppliers don't, and the platform is designed for that. Your customer's request pack will be tailored to your size and the criticality of what you provide — for many suppliers it's policies, sub-processor lists, and incident-response contacts, not formal certifications.
Does my customer see what I sent to other customers?
No. Each customer sees only your submission to them. Your evidence library is private to you — it pulls forward into your next response, but it does not expose what you have sent elsewhere.
Where is my data stored?
Microsoft Azure, EU regions only. The platform is EU-built and EU-hosted; no evidence leaves the EU without explicit configuration. The sub-processor list is published and updated on every change.
Who owns the evidence I upload?
You do. Evidence stays under your control — your customer reviews it, but they do not take ownership of it. If you ever stop using the platform, you can export everything in machine-readable format.
How long does responding to a request pack take?
Depends on what your customer asks for. A typical first request — policies, sub-processor list, incident contacts, a privileged-access summary — runs about 2–4 hours of effort if your evidence is to hand. Subsequent customers reuse most of the same library, so re-keying drops sharply.
What if I disagree with my customer's decision on an evidence item?
You can respond directly in the platform — every item has a context note field, and your customer's reviewer sees the back-and-forth. The decision and its rationale are timestamped on both sides, so disagreements are surfaced rather than lost in email.
Is this required for me to keep my customer's business?
It is not legally required of you specifically — NIS2 puts the obligation on your customer, who then assesses you. But if your customer is regulated, expect the assurance request volume to keep growing. The platform exists to make answering them faster and reusable rather than starting from scratch each time.
You sit on both sides of NIS2.
MSPs and MSSPs occupy a distinctive position under NIS2. You are very likely regulated yourself as a digital-infrastructure or ICT-services entity under Annex I — with all the buyer-side supplier obligations that implies. And you are supplier-side to regulated buyers, fielding an increasing volume of assurance questionnaires from your customers as their NIS2 programmes mature.
Both surfaces fit. The supplier-side experience above lets you do the work once and reuse it across buyers: a single evidence library answers every customer's questionnaire without re-keying the same posture five different ways. The buyer-side platform handles your own supplier portfolio against the same NIS2 control set.
Your own NIS2 obligations as an Annex I regulated entity.
Co-delivery economics for taking the Assessment to your client base.
Honest framing: the supplier-side surface is intentionally light at pilot stage. The reusable-evidence library and per-customer request-pack workflow are in. Deeper supplier features — reusable customer-questionnaire mappings, automated sub-processor change notifications, multi-buyer evidence freshness dashboards — are on the roadmap for production-ready and beyond. We would rather under-promise here than ship a half-built supplier surface.
Many buyers started as suppliers.
If you also run your own supplier-assurance programme — managing the risk in your own supply chain — the same platform serves the buyer side too. The companies that answer assessments today are often the ones sending them tomorrow.
