What Procurement Teams Are Now Asking Irish Suppliers About Cybersecurity

Irish suppliers are losing contracts over cybersecurity questionnaires. Here is what procurement teams are asking and how to prepare confident answers.

A Donegal food processing company received a supplier security questionnaire from a Dublin-based retail group in January 2026. They had been supplying the retailer for six years without any formal security review. The questionnaire ran to twelve questions, asked for evidence rather than declarations, and included a deadline of two weeks. The food processing company had no documented security policy, had never completed a formal security assessment, and had not tested their backup recovery process. They lost the contract renewal.

If you supply goods or services to larger Irish or multinational companies, you have probably noticed a change in the last twelve months. Procurement teams are now asking cybersecurity questions as part of their standard supplier onboarding and renewal processes. And they are not accepting vague answers.

This is not a trend that will pass. NIS2 explicitly requires regulated organisations to manage cybersecurity risk in their supply chain. If your customer is in scope for NIS2, they are legally obligated to assess your security posture — and they will choose suppliers who can demonstrate it over those who cannot[^1].

Why This Is Happening Now

Three forces are driving the change.

First, NIS2 supply chain requirements. Article 21 of the NIS2 Directive requires essential and important entities to implement supply chain security measures, including security-related aspects of their relationships with direct suppliers. In plain English: your customers are now legally required to assess your cybersecurity.

Second, cyber insurance policy conditions. Insurers are increasingly requiring policyholders to demonstrate that key suppliers meet minimum security standards. If your customer cannot evidence supply chain oversight, their premiums increase — or coverage is denied.

Third, high-profile supply chain attacks. The SolarWinds attack, the MOVEit breach, and numerous smaller incidents have demonstrated that attackers routinely target smaller suppliers to reach larger organisations. Procurement teams have learned that their weakest supplier is their weakest link.

Have you received a supplier security questionnaire in the past 12 months? Book a free 20-minute strategy call — we help Irish SMEs prepare the documentation and evidence needed to answer these questionnaires confidently.

The 12 Questions You Will Be Asked

Based on our direct experience helping Irish SMEs respond to supplier security questionnaires, these are the questions that appear most frequently:

| # | Question | What They Want to See |
|---|----------|-----------------------|
| 1 | Do you have a cybersecurity policy? | A documented, board-approved policy |
| 2 | Is multi-factor authentication enabled on all accounts? | Evidence that MFA is enforced, not optional |
| 3 | Do you encrypt data at rest and in transit? | Confirmation that sensitive data is encrypted |
| 4 | Do you have a tested backup and recovery process? | Evidence of regular backup testing |
| 5 | Do you conduct regular security awareness training? | Training records showing frequency and coverage |
| 6 | Do you have an incident response plan? | A documented plan with roles and responsibilities |
| 7 | When was your last security assessment or penetration test? | Date and summary of findings — "never" disqualifies |
| 8 | Do you comply with ISO 27001, Cyber Essentials, or CyFUN? | Evidence of certification or formal alignment |
| 9 | How do you manage access control and privileged accounts? | Evidence of least-privilege access and regular reviews |
| 10 | Do you have cyber insurance? | Policy details and coverage limits |
| 11 | How do you manage vulnerabilities and patching? | Evidence of a regular patching cycle |
| 12 | How do you manage third-party risk in your own supply chain? | Evidence that you assess your own suppliers' security |

The NCSC Ireland has noted that supply chain security is one of the most significant emerging gaps for Irish businesses across all sectors[^2].

The Three Answers That Win Contracts

You do not need ISO 27001 certification to answer these questions well. You need three things.

First, a recognised framework. Align your security practices to CyFUN — Ireland's national cybersecurity framework — or Cyber Essentials. These frameworks provide a structured, proportionate approach that procurement teams recognise and accept.

Second, evidence, not assertions. "We take security seriously" is not an answer. "We completed a CyFUN Level 1 assessment in January 2026, identified twelve gaps, and have remediated nine with the remaining three scheduled for Q2" is an answer. Procurement teams want dates, numbers, and documentation.

Third, a named security contact. Procurement teams want to know who is responsible for cybersecurity in your organisation. If the answer is "nobody specifically," that is a red flag. A vCISO gives you a named, qualified security leader without the cost of a full-time hire.

Irish SMEs that can demonstrate strong cybersecurity practices are winning contracts their competitors cannot. Security documentation is now a competitive differentiator in Irish supply chains.

An Garda Síochána has confirmed that supply chain compromise attacks — where attackers breach a smaller supplier to reach a larger target — are a growing threat pattern affecting Irish businesses[^3].

How to Prepare Before the Questionnaire Arrives

The worst time to start thinking about cybersecurity is when a procurement questionnaire lands in your inbox with a two-week deadline.

Run a baseline assessment first. Use a structured security assessment tool — or engage a qualified practitioner — to understand where you stand today. This gives you a score across key security domains and a clear list of gaps to address.

Document what you already do. Most Irish SMEs have more security controls in place than they realise — they just have not documented them. Write down your password policy, your backup process, your patching schedule, and your training records. If it is not written down, it does not exist for procurement purposes.

Address the critical gaps. Focus on the controls that appear in every questionnaire: MFA, tested backups, patching, and incident response. These are the non-negotiable baseline that procurement teams expect from every supplier, regardless of size.

Get a formal assessment. A structured security assessment from a qualified practitioner gives you a defensible artefact you can attach to every questionnaire. It demonstrates due diligence and saves you from answering the same questions differently each time.

What Next

  1. Pull out any supplier questionnaires you have received in the last 12 months. Review the questions you could not answer confidently. That list is your security roadmap for the next quarter.

  2. Document your existing controls this week. Your backup process, your patching schedule, your password policy, who is responsible for security. Getting it written down is the first step to being able to evidence it.

  3. Check whether the Enterprise Ireland Cyber Security Review Grant applies to your business. This grant covers up to 80% of the cost of a professional cybersecurity assessment — meaning you can build your security credentials for as little as €600 out of pocket.

Related Reading

[^1]: NCSC Ireland — Advice for Organisations
[^2]: Data Protection Commission Ireland
[^3]: An Garda Síochána — Cyber Crime

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.