The conventional reading of NIS2 was that it would primarily affect large critical infrastructure operators: energy companies, financial institutions, healthcare networks, and similar entities at the top of the operational food chain. That reading was correct in terms of direct regulatory obligation. It was wrong about how the regulation would actually propagate through the economy.

What is happening in practice is a cascade. Large regulated entities, now required to demonstrate their own NIS2 compliance to regulators, are discovering that a significant portion of their risk surface lives in their supply chains: their distributors, their software providers, their logistics partners, their data processors. And because those suppliers are not always directly covered by NIS2, the large entities are doing something the regulation did not explicitly mandate but that market logic made inevitable: they are turning supplier compliance into a commercial requirement.

The questionnaire is the instrument. Suppliers are receiving compliance questionnaires from their major clients that ask, in technical detail, about access management, incident response capability, data flow segmentation, encryption posture, audit logging, and supply chain risk management. The questionnaires can run to dozens of pages. They arrive without warning. They have deadlines. And failing to answer them satisfactorily is not a regulatory fine. It is a commercial consequence: the client may reduce volume, move to a more compliant supplier, or simply not renew.

What changed and when

NIS2 entered into force across EU member states in late 2024 and into 2025. The first wave of direct compliance work consumed much of 2025 for large entities in covered sectors: mapping operations to the directive, running gap analyses, implementing required controls. By early 2026, many of those large entities had reached a level of internal compliance that allowed them to turn their attention outward: to the third parties that carry their operational risk.

The result is that mid-sized suppliers across Southern Europe, including pharmaceutical distributors, logistics operators, medical device suppliers, and technology service providers, began receiving supplier compliance questionnaires at scale during late 2025 and into 2026. Some had received lighter versions before. The new questionnaires were different in kind: technically detailed, legally framed, and consequential in a way that previous assessments had not been.

The cascade in practice

Understanding why this is happening requires understanding the incentive structure facing large regulated entities.

A pharmaceutical manufacturer that has invested significantly in its own NIS2 compliance program needs to demonstrate to its regulator that its entire operational perimeter is compliant, not just its internal systems. If a data breach or operational disruption originates with a distributor, the manufacturer's own compliance posture is called into question. The regulatory risk of having a non-compliant supplier is therefore the manufacturer's problem, not just the distributor's.

The cheapest way to manage that risk is to push compliance requirements downstream and make supplier compliance a condition of the commercial relationship. This costs the manufacturer relatively little: a questionnaire template, a review process, and a procurement policy update. It transfers significant cost to the supplier, who must either invest in genuine compliance or produce documentation that describes compliance they do not yet have.

The latter is more common in the short term and more dangerous in the medium term. A supplier that answers a compliance questionnaire inaccurately to preserve a commercial relationship has not resolved the underlying risk. It has added documentary evidence that, if an incident subsequently occurs, can make the resulting legal exposure significantly worse.

What mid-sized suppliers are actually doing

The pattern is consistent enough to describe in aggregate. The first questionnaire typically arrives as a surprise. The organization does not have a designated recipient for it, so it circulates before someone takes ownership. The timeline for response is typically two to four weeks, which is insufficient to implement any substantive changes but sufficient to produce a written response.

The written response is usually a combination of accurate description of existing controls and optimistic description of controls that are planned or partially implemented. This is not deception in the legal sense. It is the natural result of asking an organization to self-assess against a framework it has not previously been required to implement, under commercial time pressure, without external validation.

The second questionnaire, which typically arrives six to twelve months after the first and is more detailed, is where the gap between the written response and the operational reality becomes visible. Some organizations use the interval to close the gap genuinely. Most do not, because closing the gap requires budget and organizational commitment that a questionnaire alone does not generate.

The dynamic in one sentence

A questionnaire creates a documentation obligation. Only an audit, an incident, or a lost contract creates the budget to resolve the underlying gap.

What comes next

The cascade is not yet complete. Based on patterns across the sectors we cover, the compliance pressure that started at Tier 1 suppliers is beginning to propagate to Tier 2 suppliers, who are now receiving questionnaires from Tier 1 suppliers that are themselves under pressure from large entities. The compliance pressure is propagating downward through the supply chain at a pace slower than the initial wave but structurally irreversible.

The implication is that organizations which have not yet received a compliance questionnaire from a major client are not exempt from the cascade. They are earlier in the sequence. The practical question is not whether the questionnaire will arrive but what state the organization will be in when it does.

Our first sector study covers the compliance gap in pharmaceutical distribution in detail. The NIS2 cascade is the commercial mechanism by which the gap described in that study becomes an immediate operational and commercial risk rather than a deferred one.