
NIS2 Supplier Email-Auth Questionnaire

Paste or upload a supplier list and get a NIS2 §21(2)(d) supply-chain readiness report in seconds. Each supplier's DMARC, SPF, and MTA-STS posture is scored and the gaps named in auditor language. Downloadable as CSV evidence.

Why this exists

NIS2 Article 21 §2(d) makes supply-chain security a board-level technical measure. Primes across the EU started pushing email-auth questionnaires down to their suppliers in late 2025 — the standard format is "send us proof that your DMARC, SPF, and MTA-STS records meet the Article 21 baseline." NIS2 is in force EU-wide (transposition deadline was 17 Oct 2024) and national enforcement is tightening through 2026 — Germany's NIS2UmsuCG went live 6 December 2025.

Filling out one questionnaire by hand is annoying. Filling out 40 of them — or producing the evidence that 40 of your own suppliers comply — is a project. This tool batches the check: paste the supplier list, get a structured report, download the CSV evidence pack, attach it to the response.

What gets checked per supplier

Three blocking controls and two informational, scanned in parallel via Cloudflare DoH:

| Control | NIS2 anchor | Blocks compliance? |
|---|---|---|
| DMARC at p=quarantine or stricter | Art. 21 §2(g) cyber hygiene | Yes |
| SPF with ~all or -all qualifier | Art. 21 §2(g) cyber hygiene | Yes |
| MTA-STS published | Art. 21 §2(h) cryptography in transit | Yes |
| TLS-RPT published | Art. 21 §2(h) visibility layer | No (informational) |
| DNSSEC validated | Art. 21 §2(d) supply-chain integrity | No (informational) |

Input formats accepted

  • One domain per line — copy-paste from a notepad or text editor.
  • Comma-separated on a single line — copy-paste from a CSV cell.
  • CSV file upload — first-column header rows like "domain" / "supplier" / "vendor" are auto-skipped.
  • Up to 200 domains per run; split larger lists into batches.

What the CSV export contains

One row per supplier, plus the header. Columns: supplier_domain, status (compliant / partial / noncompliant / error), controls_passed, controls_total, blocking_gaps (the gaps the supplier needs to close), and one column per protocol with the human-readable scan summary. Drop the file straight into a prime's questionnaire response or attach it to your Article 21 evidence pack.
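
The three blocking checks listed under "What gets checked per supplier", and the status, controls_passed, controls_total and blocking_gaps columns described here, as an added JavaScript example (not this tool's own code). It assumes the TXT answers have already been fetched, scores only the three blocking controls, and maps all-pass / some-pass / none-pass to compliant / partial / noncompliant; the function names, gap wording and sample records are constructed.

```javascript
// Added example. TXT answers are supplied as arrays of strings, as a DoH
// lookup would return them; SAMPLE below is constructed, not real scan data.

// Parse a "tag=value; tag=value" record (DMARC, MTA-STS) into a map.
function parseTags(record) {
  const tags = {};
  for (const part of record.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return tags;
}
// Keep only the TXT strings that start with the given version tag.
const only = (txts, re) => (txts || []).map((t) => t.trim()).filter((t) => re.test(t));

function dmarcOk(txts) { // TXT at _dmarc.<domain>
  const recs = only(txts, /^v=DMARC1\s*(;|$)/);
  if (recs.length !== 1) return false; // RFC 7489: more than one record means no policy
  return ["quarantine", "reject"].includes((parseTags(recs[0]).p || "").toLowerCase());
}
function spfOk(txts) { // TXT at <domain>; redirect= and include: are not followed here
  const recs = only(txts, /^v=spf1(\s|$)/i);
  if (recs.length !== 1) return false; // RFC 7208: more than one record is a permerror
  const all = recs[0].toLowerCase().split(/\s+/).find((t) => /^[+?~-]?all$/.test(t));
  return all === "~all" || all === "-all";
}
function mtaStsOk(txts) { // TXT at _mta-sts.<domain>; the HTTPS policy file is not fetched
  const recs = only(txts, /^v=STSv1\s*(;|$)/);
  return recs.length === 1 && /^[A-Za-z0-9]{1,32}$/.test(parseTags(recs[0]).id || "");
}
// Assumption: status is derived from the three blocking controls only.
function scoreSupplier(supplier_domain, dns) {
  const checks = [
    ["DMARC not at p=quarantine or stricter", dmarcOk(dns.dmarc)],
    ["SPF lacks ~all or -all", spfOk(dns.spf)],
    ["MTA-STS not published", mtaStsOk(dns.mtaSts)],
  ];
  const gaps = checks.filter(([, ok]) => !ok).map(([gap]) => gap);
  const controls_passed = checks.length - gaps.length;
  const status = gaps.length === 0 ? "compliant" : controls_passed === 0 ? "noncompliant" : "partial";
  return { supplier_domain, status, controls_passed, controls_total: checks.length, blocking_gaps: gaps.join("; ") };
}
const SAMPLE = { // constructed records for reserved .example domains
  "good.example": { dmarc: ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    spf: ["site-verification=abc123", "v=spf1 include:_spf.good.example -all"],
    mtaSts: ["v=STSv1; id=20250101T000000"] },
  "weak.example": { dmarc: ["v=DMARC1; p=none"], spf: ["v=spf1 mx ?all"], mtaSts: [] },
  "half.example": { dmarc: ["v=DMARC1; p=quarantine; pct=100"], spf: ["v=spf1 mx ~all"], mtaSts: [] },
};
for (const [d, dns] of Object.entries(SAMPLE)) console.log(scoreSupplier(d, dns));
```

A supplier that publishes two DMARC or two SPF records fails that control here even if one of them is strict, because receivers discard the policy in that case.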

Privacy & ethics

Every scan is a public DNS query — the same query any mail server in the world does when it receives a message. We do not log the domains you submit, we do not store the results, and every request originates from your browser via Cloudflare's open DoH endpoint. The CSV download happens entirely client-side; the data never leaves your machine.

What this tool does not cover

Article 21 §2(d) supply-chain security is broader than email-auth. Sub-controls around incident notification timelines, security-contact endpoints, encryption-at-rest, and onboarding / offboarding processes are organisational measures that DNS cannot speak to. Use this batch check as the email-auth slice of a supplier audit, not as the audit itself. The English NIS2 Readiness Scorecard runs the same checks with deeper rubric language for any single domain.

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
