Am I In Scope? Obligation Diagnostic

Two minutes to know exactly what your customers can actually demand of you.

Most SMEs genuinely don't know what security obligations land on them — and this uncertainty is what gets them in trouble when a large customer sends a questionnaire or a contract clause they don't understand. This diagnostic identifies your role in the supply chain and produces a plain-English summary of what applies to you: directly via legislation, or indirectly through your customer's contracts.

No statutory jargon. Just a clear answer and a starting point.

How it works

A short diagnostic that produces a plain-English obligation profile.

01. Describe your supply chain role

Answer a short set of questions about what you supply, to whom, and the nature of your contractual relationships. Takes around two minutes.

02. Get your obligation profile

The tool identifies which legislative routes and contractual flows apply to your situation, and summarises what each one realistically requires you to do.

03. Know what to prepare for

You get a plain-English summary of your obligations, a list of the questions your customers are likely to ask, and guidance on where to focus first.

What the tool covers

The diagnostic identifies which of these supply chain roles best describes your situation, then maps the obligations that flow from it.

MSP or IT Service Provider

High obligation

You manage or operate IT systems on behalf of other businesses, potentially including CNI operators.

  • NIS2 may apply to you directly as a "managed service provider"
  • Customers will likely require Cyber Essentials as a minimum
  • Incident notification obligations run in both directions
  • Supply chain risk assessments from your customers are expected

Data Centre or Hosting Provider

High obligation

You provide physical or virtual infrastructure that other businesses — including CNI operators — rely on.

  • Likely directly in scope under NIS2 as digital infrastructure
  • Strict security requirements apply to physical and logical access
  • Business continuity and redundancy requirements are mandatory
  • Regular independent audits will be expected by customers

Critical Supplier Candidate

Medium obligation

You supply a specialist product or service that a CNI operator depends on — software, components, professional services.

  • Your customer's contracts will flow down NIS2-derived requirements
  • Cyber Essentials or Cyber Essentials Plus will typically be required
  • Security questionnaires and due diligence requests are routine
  • Incident notification within tight windows is often contractually required

General SME Supplier

Low obligation

You supply goods or services to a large organisation that may operate in regulated sectors, but you're not part of their core operational chain.

  • Direct legislative obligations are unlikely to apply
  • Cyber Essentials may still be required by contract
  • Data protection obligations (UK GDPR) apply if you handle personal data
  • Your customer may still send security questionnaires — this tool helps with those

Not sure if this applies to you?

That's exactly who this tool is built for. Run the two-minute diagnostic and get a plain-English answer.
