Supplier & vendor risk

NIS2 Article 21(2)(d) makes supply-chain security an explicit measure. Reglyze gives you a supplier register, a review cadence, and a questionnaire workflow to evidence it.

The supplier register — each vendor classified by criticality with risk scores and review dates

The supplier register

Record each supplier with an audit classification (critical / important / standard) and the NIS2 contractual clauses that matter — right to audit, incident notification, data protection, sub-processor controls, right to substitute. The register is the backbone of your supply-chain evidence.

Review cadence

Each supplier has a review cadence (default 12 months) and a computed next-review-due date. Overdue and never-reviewed critical suppliers are surfaced first — and for MSPs they roll up into the portfolio action center.

Security questionnaires

Send suppliers a security questionnaire via a magic-link portal, collect their responses, and score residual risk across the register. Reglyze can draft responses from your evidence base when you are the one being assessed.

Inbound questionnaires

When one of your customers sends you a security questionnaire, Reglyze can draft answers from your existing evidence and export them in the original format (PDF / DOCX / XLSX) — turning a recurring chore into a review-and-send.