What energy-sector procurement NFR practice can teach SaaS vendors
The NFR catalogues that tier-1 energy operators send to vendors are intimidating, but they encode a discipline that SaaS vendors can copy: write the requirements you'd want a vendor to meet, then meet your own. The result is a competitive moat in any regulated-customer deal.
Tier-1 energy operators have a habit that surprises SaaS vendors when they first encounter it: a fifty-line non-functional-requirement matrix arrives with the RFP, structured by domain, scored compliant / partial / non-compliant / desirable, with evidence-link columns and a cost-impact tab. Most SaaS sales teams react with mild horror. The right reaction is admiration.
What the energy operators have figured out — usually after thirty years of integration scar tissue — is that what the system does matters less than how it behaves under failure, audit, regulation, and ten years of operations. The functional spec is the easy part. The NFR is where the actual cost lives.
A few patterns that SaaS vendors should copy from the people who write these matrices:
Encode your defaults. When the energy buyer asks “do you support TLS 1.2 minimum?” they’re not actually asking — they’re filtering. Write your security defaults down in advance. Have a one-page document that answers their first thirty questions before they ask. In one engagement, having the answers ready collapsed the security-question round of procurement from three weeks to four working days.
Separate “compliant” from “partial” honestly. The temptation to mark every requirement “compliant” is strong and self-defeating. Procurement teams have seen the trick. They will dig into anything that’s marked compliant without an evidence link. Say “partial — we encrypt at rest but key rotation is manual” and you keep credibility for the dozens of items where you genuinely do comply.
Cost-impact alongside gap-status. When you mark a requirement non-compliant, the next question is always “what does it cost to fix?” Pre-answer it. A non-compliant row with a €20k / 4-week remediation note is a deal in progress. The same row without that note is a “we’ll get back to you” that dies in committee.
Evidence-link everything. Procurement teams need the evidence chain to move the deal forward internally. They will copy-paste your evidence references into their internal report. Make it easy. A SOC 2 report PDF link, a pen-test summary, a signed DPA template — these things are evidence assets, treat them as such.
Maintain it as a living document. The biggest mistake is treating the NFR response as a per-deal document. Build it once, version it, and re-issue. The marginal cost of the next response drops by 80%. The competitive advantage in regulated-customer deals compounds.
The real insight: SaaS vendors who treat NFRs as an annoyance will lose to vendors who treat them as a competitive moat. The energy operators built this discipline because they were burned. The vendors who learn from them get into procurement-led deals that the rest of the market cannot reach.
If you sell into regulated industries — energy, healthcare, financial services, government, telco, building-automation — and you do not have a versioned NFR response document, you are about to either lose a deal or invent the same document under deadline pressure. The energy procurement teams have done the work for you. Copy the format.
Want this kind of cross-domain read on your problem?
The first thirty minutes is on us — no pitch, no slides.