Your customer sent a NIS2 supply-chain questionnaire. How do you answer the training question?

Your customer sent a NIS2 supply-chain questionnaire. How do you answer the training question? What a weak answer looks like, what a strong one looks like, and a copy-ready example that survives a security review.

Three people in hard hats stand with arms crossed in a factory setting. The person in front wears a white hard hat and a dress shirt with a tie. The other two wear orange hard hats and workwear.

The training question on a supply-chain questionnaire is rarely "do you train people?" It is "demonstrate that the people performing our work are trained, and show how you keep that current." A good answer names the curriculum, the population covered including temporary workers, the assessment, the expiry and refresher cycle, and the form of evidence you can attach.

Why are these questionnaires arriving now?

Organisations in scope of NIS2 must address security in their supply chains as part of their risk-management measures. The German implementation has been in force since December 2025, and the Dutch Cyberbeveiligingswet follows in 2026, so procurement and security teams are operationalising that duty the only way they can: by asking their suppliers structured questions.

What does a weak answer look like?

"All employees receive periodic security awareness training." It fails three ways: "employees" silently excludes the agency workers on your floor, "periodic" is unverifiable, and there is nothing attached. Reviewers read hundreds of these; vagueness is scored as absence.

What does a strong answer look like?

Something you can copy: "All persons with access to our systems and sites, including temporary and contracted workers, complete cyber hygiene training in their own language with an assessment. Each person holds an individually verifiable credential with a 12-month validity; a current register with expiry dates is attached, and individual credentials can be verified online." Every clause in that sentence is checkable, which is the point. The attachment does the persuading.

Can a supplier turn this into an advantage?

Yes, and the fastest movers already are. When two quotes are otherwise equal, the supplier whose workforce evidence is verifiable wins the security review without a meeting. Staffing agencies are starting to make the same move one level down: candidates who arrive already credentialed are easier to place. That mechanism is exactly what EdXactly Pass packages.

Last reviewed: June 2026. This article is general information and is not legal advice.