
Key takeaways
• NFRs are 30–60 % of total project work. Most quotes hit functional features and forget performance, security, scale, compliance, accessibility. Estimates that ignore NFRs are wrong by 30–60 %.
• The 14-category model covers what ISO 25010 buries. Performance, scalability, availability, reliability, security, compliance, usability, maintainability, portability, interoperability, recoverability, observability, cost efficiency, developer productivity. Each gets concrete numeric thresholds in your spec.
• 2026 made some NFRs mandatory. The 2024 HIPAA Security Rule update moved encryption-at-rest, MFA and asset inventory from “addressable” to required. EU AI Act risk tiers force new NFRs for any classifier touching faces or behaviour. Your 2022 NFR template is out of date.
• Numeric thresholds beat adjectives. “Fast” is not an NFR. “p95 API latency under 250 ms with 1 000 concurrent users” is. Every NFR needs a number, a measurement method and a verification path.
• NFRs go in the contract, not just the brief. A vendor that meets functional features but misses NFRs has not delivered. Bind NFRs to acceptance criteria with verification artefacts.
Why Fora Soft wrote this playbook
Fora Soft has shipped 625+ projects since 2005. We have written, negotiated, and verified NFR specs across BrainCert ($10M ARR multi-tenant e-learning), CirrusMED (HIPAA-grade telehealth), VALT (legal e-discovery, chain-of-custody), TransLinguist (NHS UK, sub-1 s interpretation), StreamLayer (NBC, CBS, Red Bull) and EyeBuild (solar surveillance). Each project carried a different NFR profile; the patterns in this guide come from those engagements.
Across 80+ vendor estimates we review per year, the single biggest source of cost-forecast failure is NFR omission. The vendor quotes for the features; the customer signs; six months in the team learns it has to add MFA + audit logs + GDPR data residency + 99.95 % SLA, and the budget detonates. This guide is the playbook we use internally to stop that pattern.
If you are a CTO writing an RFP, a non-technical founder evaluating quotes, or a procurement lead running vendor selection, this guide tells you what 14 NFR categories to specify, how to translate adjectives into numbers, what changed in 2026 (HIPAA, EU AI Act, accessibility), and how to bind NFRs into the contract so the vendor has to meet them.
Need an NFR specification reviewed before signing?
Send us your draft RFP. We will return a 1-page gap analysis against the 14-category model in 48 hours, free.
Why most projects fail at NFRs
PMI’s research on project failure attributes 28 % of cost-forecast misses to inaccurate estimates. McKinsey’s 2020 IT-project study found large projects on average run 45 % over budget. Both numbers track strongly with one root cause: the estimate was for functional features, the project shipped functional features plus the NFRs that came with them.
In our portfolio of 80 yearly estimates, the four most common NFR omissions are:
1. Compliance gaps surface mid-build. “We will need a SOC 2 report before our first enterprise customer” appears in month 4. The architecture was not designed for it. Retrofitting compliance is 3× the cost of designing it in.
2. Performance promises become real numbers too late. The brief says “real-time chat.” The implementation lands at 4-second message delivery on a slow connection because nobody specified the p95 latency.
3. Scale assumptions wrong by an order of magnitude. “A few thousand users” gets built. The product takes off; 50 000 users log in on launch day; the database falls over.
4. Accessibility added in panic. An accessibility audit at launch finds 200+ WCAG violations; remediation costs 6–10 weeks of unplanned work and risks anti-discrimination lawsuits in some jurisdictions.
What NFRs actually are vs functional requirements
A functional requirement says what the system does. An NFR says how well, under what conditions, at what cost, and when proven. “Patient can book a video consult” is functional. “Booking flow completes in < 3 seconds end-to-end at p95 with 1 000 concurrent users” is the NFR pair.
The ISO 25010 quality model formalises NFRs into 8 high-level categories with 31 sub-attributes. It is exhaustive and academic. In practice we use a flatter 14-category model that maps to real engineering trade-offs and contract clauses. The 14 categories are listed below.
Three properties every NFR must have: a number (or enumerable threshold), a measurement method, and a verification path. “The system shall be fast” is a wish. “p95 API response time < 250 ms measured by k6 load test against staging at 1 000 concurrent users” is an NFR. The vendor can deliver against the second, not the first.
Reach for an NFR (not a functional requirement) when: the answer to “is the feature done?” depends on numbers, conditions, or thresholds rather than the binary “does the button do the thing.”
The 14 NFR categories with concrete examples
The matrix below is the spine of every spec we write. Each category gets a row in your project’s NFR sheet with a target threshold, a measurement method, and a verification artefact bound to the contract.
| Category | What to specify | Example threshold |
|---|---|---|
| 1. Performance | Latency p50/p95, throughput, response time | p95 API <250 ms; throughput 500 RPS |
| 2. Scalability | Vertical / horizontal / elastic capacity | 10k DAU; auto-scale to 50k peak |
| 3. Availability | SLA target, uptime measurement | 99.95 % monthly; multi-region failover |
| 4. Reliability | MTBF, MTTR, error budget | <5 min MTTR on critical incidents |
| 5. Security | Auth, encryption, threat model | SSO + MFA; AES-256 at-rest; OWASP Top 10 mitigations |
| 6. Compliance | HIPAA, SOC 2, GDPR, PCI, EU AI Act | SOC 2 Type 2 by month 15; HIPAA BAA chain |
| 7. Usability | WCAG, task completion time, error rate | WCAG 2.2 AA; 90 % task completion in user testing |
| 8. Maintainability | Cyclomatic complexity, doc coverage, test coverage | <10 cyclomatic on hot paths; 80 % unit coverage |
| 9. Portability | Browsers, OSes, cloud providers, regions | Chrome 110+, Safari 16+, iOS 15+, Android 12+ |
| 10. Interoperability | APIs, data formats, third-party integrations | REST + OpenAPI 3.1; FHIR R5 for health data |
| 11. Recoverability | RTO, RPO, backup cadence, restore drills | RTO <1 hour; RPO <15 min; quarterly restore drills |
| 12. Observability | Metrics, logs, traces, alerting | Datadog APM; structured JSON logs; PagerDuty |
| 13. Cost efficiency | $/transaction, $/user/month, infra ceiling | $5/user/month at 10k DAU; CDN cost <15 % of revenue |
| 14. Developer productivity | Build time, deploy frequency, lead time | CI <10 min; deploy daily; lead time <1 week |
Reach for the full 14 categories when: the project is enterprise-facing, regulated, or scaling past Series A. Below that, scope to the 6–8 most relevant categories.
Reach for a 6-category subset when: you are pre-MVP and validating product-market fit. Specify performance, security, scalability and compliance only; treat the rest as “reasonable defaults.”
Reach for compliance-heavy NFRs when: you handle PHI (HIPAA), payment cards (PCI-DSS), EU citizens (GDPR), public-sector contracts (FedRAMP / Cyber Essentials), or AI classifiers in EU (EU AI Act).
Reach for accessibility NFRs from day 1 when: you serve public sector, education, healthcare or operate in EU. WCAG 2.2 AA is the minimum bar.
The downloadable NFR template
Our internal template (Excel + Word) maps each of the 14 categories to: a target threshold, the rationale, the measurement method, the verification artefact, the priority (must-have / should-have / nice-to-have), the owner, and the acceptance criterion that gets bound to the contract.
For example, a single Performance row reads: “p95 video-call connection time <1.5 s; rationale: above 2 s creates user perception of broken stream; measurement: synthetic monitoring with Pingdom from 5 regions; verification: weekly report; priority: must-have; owner: Platform Eng; acceptance: signed off by QA on staging before each release.” Every NFR row in the spec follows that shape.
Send us your project brief and we will return a populated NFR template within 5 business days, free of charge — see the CTA below.
Worked example: telehealth platform NFRs
A US telehealth product handling PHI, serving 50 clinicians and 5 000 patients on day 1, scaling to 30 000 patients in year 1. The relevant NFRs (selected highlights):
Performance. p95 video-consult connection time <2.5 s. Glass-to-glass latency <1 s. EHR query response <500 ms.
Availability. 99.95 % monthly during clinician hours (8am–8pm ET); 99.9 % off-hours. Multi-AZ deployment; documented failover playbook.
Security. SSO via Auth0 + MFA mandatory for clinicians; AES-256 at-rest with customer-managed KMS keys; DTLS-SRTP for video; audit log on every PHI access (6-year retention).
Compliance. HIPAA Security Rule 2024 update compliant; signed BAA with every vendor in the chain (AWS, Auth0, Datadog, video SDK, captioning); SOC 2 Type 1 by month 9, Type 2 by month 15. See our HIPAA + SOC 2 deep-dive for the full architecture.
Interoperability. FHIR R5 patient and encounter resources; Epic AppOrchard or Cerner integration via SMART-on-FHIR; CPT-code-tagged encounter records for billing.
Recoverability. RTO <1 hour (medical urgency tolerates no longer); RPO <5 min; quarterly disaster-recovery drills.
Worked example: live-streaming platform NFRs
An OTT live-sports platform with 1.4M concurrent viewers at peak, 24/7 operation, ad-supported with subscription tier. Selected highlights:
Performance. Glass-to-glass latency p50 <500 ms via WHIP/WHEP for interactive tier; p95 <1 s. LL-HLS fallback at <5 s. First-frame time <800 ms.
Scalability. 1.4M concurrent peak; auto-scaling SFU mesh in 4 regions; stadium-stress-test scenario (10x baseline) executed monthly.
Availability. 99.99 % during scheduled events (any minute of downtime during a game has direct revenue impact); 99.9 % off-event.
Cost efficiency. CDN cost <12 % of subscription revenue; per-minute delivery cost target <$0.0008. See our build vs buy decision framework for the cost crossover math.
Portability. Web, iOS, Android, Apple TV, Roku, Fire TV, Samsung Tizen, LG WebOS. Each platform’s own NFR row for codec support and DRM.
Want our 14-category NFR template for your project?
Send us your brief or project type. We will return a populated Excel + Word template with thresholds suggested for your vertical, in 5 business days.
Worked example: AI agent product NFRs
A voice-AI agent product (think AI receptionist for dental clinics) shipping on OpenAI Realtime + LiveKit Agents. Selected NFRs:
Performance. Voice-to-voice latency p50 <800 ms; p95 <1.4 s. Tool-call success rate >96 %. See our OpenAI Realtime production guide.
Reliability. Hallucination flag rate <1 % (instrumented via periodic sample). Audit log delivery success 100 %.
Compliance. Subject to EU AI Act risk-tier classification; if deployed in healthcare context, falls under Annex III — high-risk system. Documentation, human oversight and post-market monitoring all required from day 1.
Observability. Helicone or LangSmith on every agent session: full audio capture, transcript, every tool call, latency p50/p95 per turn, token cost per session.
How NFR depth should evolve through project phases
A non-functional requirements spec is not a one-shot artefact. It tightens as the product matures, and the cost of getting it wrong rises non-linearly with stage.
Discovery / prototype (weeks 0–6). 4–6 NFRs total. Performance (rough p95 target), security (no PII leaks), portability (target browsers / OS). Everything else is “reasonable defaults.” Spending two weeks on a 14-category spec for a throwaway prototype is malpractice.
MVP / first paying customer (months 2–6). 8–15 NFRs across 6 categories: performance, scalability, security, compliance, usability, observability. Numbers are real but conservative; verification is manual or sampled.
Growth / Series A onward (months 6–18). Full 14 categories. Numbers tighten; verification automates into CI; SLA contracts start carrying penalties. The cost of a missed NFR at this stage is enterprise-deal-shaped, not bug-shaped.
Mature / regulated scale (year 2+). 80+ NFRs, sometimes broken into separate specs per regulated domain (HIPAA, SOC 2, EU AI Act). External auditors verify each release. NFR breach is a security incident.
How to negotiate NFRs with vendors
1. NFRs go in the RFP, not the kickoff. If the vendor first hears about HIPAA on the project kickoff call, the estimate is wrong by tens of thousands. List every NFR in the RFP itself.
2. Vendors should push back on impossible NFRs. “p95 latency <50 ms with global users” is not physically achievable on the public internet. A senior team will challenge it; a junior team will agree to everything and miss the target.
3. Bind NFRs to acceptance criteria. The contract’s acceptance section should list each NFR plus the verification artefact (load-test report, audit transcript, accessibility scan). Without this, the vendor can claim “done” on functional features and avoid NFR work.
4. Differentiate must-have vs should-have. “99.99 % availability” is more expensive than “99.9 %” by a factor of 10. Be honest about which NFRs are truly mandatory vs negotiable; the vendor will price accordingly.
How to verify NFRs are actually met
Performance. k6 / Locust / JMeter load tests on staging matching production traffic profiles. Synthetic monitoring (Datadog Synthetics, Pingdom) for ongoing verification.
Availability. Uptime monitoring with SLA dashboards (Datadog, Better Uptime); incident post-mortems linking to RTO/RPO targets.
Security. External pentest before launch + annually; SAST/DAST in CI; SBOM generation; vulnerability remediation SLA.
Compliance. External auditor signs the report. HIPAA risk assessment, SOC 2 attestation, GDPR ROPA all third-party verified.
Accessibility. Automated scan (axe-core, Lighthouse) plus manual audit by a certified accessibility consultant.
Recoverability. Live restore drill from backups, witnessed and documented. Quarterly minimum.
Cost model: what NFR work actually costs
Numbers from our 80-vendor-estimate-per-year sample, valid for a typical SaaS product targeting US + EU customers. Use them as planning anchors, not promises.
Compliance baseline (HIPAA + SOC 2 Type 2). $30–80k of audit fees plus 4–8 weeks of senior engineering for control implementation. Add 2 weeks per additional framework (GDPR, PCI, FedRAMP).
Accessibility (WCAG 2.2 AA, retrofitted). 6–10 weeks for a mature product, ~$25–60k including the certified manual audit. Designed-in from day 1: closer to 2 weeks.
Performance hardening (p95 baseline + load testing harness). 3–5 weeks plus ongoing 0.5 FTE for synthetic monitoring and regression catches. Costs rise sharply when targeting sub-100 ms global p95.
Availability uplift (99.9 → 99.95). Doubles infra cost (multi-region, hot standbys), adds an on-call rotation, requires runbooks and chaos drills. From 99.95 → 99.99 doubles it again.
Observability stack (Datadog or equivalent). $1–5/host/month at low scale, ramping to $50–200/host at high cardinality. Self-hosted Grafana stack drops the bill but adds 0.25 FTE of operations work.
Want a sanity check on your NFR cost line items?
Send us your current estimate. We will mark up the NFR-driven items in 48 hours, free, with comparable benchmarks from our recent projects.
Common NFR mistakes
1. Adjectives instead of numbers. “Fast,” “reliable,” “secure” are not NFRs. Replace each with a number plus measurement method.
2. Conflicting NFRs without trade-off resolution. “99.99 % availability + $2/user/month cost ceiling + 50 ms p95 latency global” is internally contradictory. Pick the priority order and acknowledge the trade-off.
3. Over-specification on greenfield products. Pre-PMF startups specifying SOC 2 Type 2 + 99.95 % SLA + WCAG AAA waste budget. Match NFR depth to stage.
4. Forgetting compliance updates. 2024 HIPAA Security Rule update made encryption-at-rest, MFA and asset inventory mandatory. EU AI Act applies from 2025 to high-risk classifiers. A 2022 NFR template is out of date.
5. NFRs in a separate document. If NFRs live in a different file from functional requirements, vendors read functional and forget NFRs. Combine them into one spec with NFRs as cross-cutting headers.
A decision framework — pick NFR depth in five questions
Q1. Pre-MVP or post-MVP? Pre-MVP: 6 categories (performance, security, scalability, compliance, usability, observability). Post-MVP: full 14.
Q2. Regulated industry? Healthcare, finance, public sector, education in EU all force compliance NFRs as must-have, not optional.
Q3. Volume profile? <10k DAU: scalability is best-effort. 10k–1M DAU: scalability is must-have. >1M: scalability dominates the NFR section.
Q4. Geographic reach? Multi-region deployment changes availability, recoverability, latency NFRs. Single-region simplifies dramatically.
Q5. Contract type? Fixed-bid: NFRs must be precise (vendor takes risk). T&M: NFRs can be evolving but trade-off discipline still required.
KPIs to measure NFR compliance
Quality KPIs. NFR violation rate per release (target: 0 critical, <3 minor). Pentest critical-finding rate (target: 0 outstanding >30 days). Accessibility scan score (target: 95+ on Lighthouse).
Business KPIs. SLA breach rate (target: zero customer-impacting breaches per quarter). Compliance audit pass rate (target: 100 % on first audit).
Reliability KPIs. Recovery drill success rate (target: 100 % successful quarterly drills). Incident MTTR vs target (target: meeting RTO).
When formal NFRs are overkill
Throwaway prototypes. 2-week clickable demo to validate UX hypotheses. Skip the NFR template; make the demo work end-to-end.
Internal tools for <10 users. The trade-off math does not justify formal NFRs. Reasonable defaults plus a maintainability commitment is enough.
Hyper-iterative product discovery. If the product is changing weekly based on user research, the NFR profile changes too fast for formal specification. Lock NFRs at MVP-stable, not at v0.
Mini case: NFR retrofit on a Series-A telehealth platform
Situation. A US telehealth client signed their first hospital network. Discovery: the hospital required SOC 2 Type 2, encryption-at-rest with customer-managed keys, an audit log surviving 6 years, and 99.95 % availability with documented failover. Their original non-functional requirements spec had two lines: “HIPAA compliant” and “highly available.” The hospital’s security questionnaire had 287 questions.
The 12-week plan. Weeks 1–2: 14-category NFR spec written and contract-bound. Weeks 3–6: control implementation (KMS rotation, MFA enforcement, structured audit logs into a tamper-evident store, multi-AZ failover with documented RTO/RPO). Weeks 7–9: external auditor onboarded for SOC 2 Type 1 attestation. Weeks 10–12: load tests, chaos drills, accessibility audit, security pentest, dry-run of the hospital’s 287-question questionnaire.
Outcome. Before: 4-second p95 EHR query, no audit log, single-AZ deployment, 0 % pass on the hospital questionnaire. After: 380 ms p95 EHR query, full PHI-access audit log with 6-year retention, multi-AZ with 23-minute documented failover, 94 % pass on the questionnaire (the remaining 6 % were non-blocking documentation requests). SOC 2 Type 1 report delivered week 14. Hospital contract closed week 16. Want a similar assessment?
FAQ
What is the difference between functional and non-functional requirements?
Functional requirements describe what the system does (“patient can book appointment”). NFRs describe how well, under what conditions, at what cost, and when proven (“booking completes <3 s p95 with 1k concurrent users”). Both are required; functional answers “what,” non-functional answers “how good.”
How many NFRs should a typical project have?
Pre-MVP: 8–15 NFRs across 6 categories. Mature SaaS: 30–60 NFRs across all 14 categories. Enterprise/regulated: 80+. Quality matters more than quantity — each NFR must have a number, measurement method and verification path.
Are NFRs the same as quality attributes?
Yes — NFRs and software quality attributes are essentially synonyms. ISO 25010 calls them “product quality characteristics.” SAFe calls them “non-functional requirements.” In practice, NFR is the more contract-friendly term because it specifies obligations.
How do I write WCAG accessibility NFRs?
Pick the WCAG version and conformance level (2.2 AA is the 2026 default). Specify automated scan thresholds (Lighthouse accessibility score ≥ 95). Add manual-audit requirement before launch. Reference the European Accessibility Act if you operate in EU.
What changed in 2026 for compliance NFRs?
2024 HIPAA Security Rule update made encryption-at-rest, MFA and asset inventory mandatory (previously addressable). EU AI Act risk-tier classification applies from 2025 for any classifier touching faces, behaviour, biometrics. European Accessibility Act came into force June 2025. Update your 2022 NFR template before the next audit.
Can NFRs be tested in CI/CD?
Yes — the “testable” NFRs (performance, security scan, accessibility scan, dependency vulnerability) belong in CI. Add quality gates that block deploys when an NFR threshold is breached. Manual NFRs (compliance attestation, accessibility manual audit) belong in release sign-off.
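One way to turn the “number + measurement method + verification path” NFR rows into a CI quality gate that blocks a deploy on must-have breaches and only warns on lower priorities, as an added example (not Fora Soft’s template or tooling). The sheet rows, priorities and measured values are constructed for illustration; the k6 summary layout (`metrics.http_req_duration["p(95)"]` from `--summary-export`) is an assumption to check against your k6 version.

```python
"""NFR quality gate: compare measured values against an NFR sheet.
Added example; not code from the page or from Fora Soft."""
from dataclasses import dataclass
import operator

# Comparators allowed in the sheet's "op" column.
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq}


@dataclass(frozen=True)
class NFR:
    category: str      # one of the 14 categories
    name: str          # key used to look up the measured value
    op: str            # comparator applied as: measured <op> threshold
    threshold: float   # the number every NFR must carry
    unit: str
    measurement: str   # how the number is obtained (the measurement method)
    priority: str      # must-have / should-have / nice-to-have


# Constructed sample rows in the page's row shape (thresholds are illustrative).
NFR_SHEET = [
    NFR("Performance", "p95 API latency", "<", 250, "ms", "k6 load test, 1000 VUs on staging", "must-have"),
    NFR("Availability", "monthly uptime", ">=", 99.95, "%", "uptime monitor SLA dashboard", "must-have"),
    NFR("Security", "critical pentest findings open >30 days", "==", 0, "count", "pentest tracker export", "must-have"),
    NFR("Usability", "Lighthouse accessibility score", ">=", 95, "score", "axe-core / Lighthouse in CI", "should-have"),
    NFR("Developer productivity", "CI pipeline duration", "<", 10, "min", "CI timing", "nice-to-have"),
]


def measurements_from_k6(summary):
    """Map a k6 --summary-export dict to sheet keys (layout assumed, see lead-in)."""
    p95 = summary["metrics"]["http_req_duration"]["p(95)"]
    return {"p95 API latency": float(p95)}


def evaluate(sheet, measured):
    """Return [(nfr, value, passed)]. A missing measurement is a failure:
    an NFR with no number behind it is unverified, which is not 'met'."""
    results = []
    for nfr in sheet:
        value = measured.get(nfr.name)
        passed = value is not None and OPS[nfr.op](value, nfr.threshold)
        results.append((nfr, value, passed))
    return results


def gate(sheet, measured, blocking=("must-have",)):
    """CI gate: block only on failed NFRs whose priority is in `blocking`.
    Returns (ok, report_lines); lower-priority failures are reported as WARN."""
    ok, lines = True, []
    for nfr, value, passed in evaluate(sheet, measured):
        status = "PASS" if passed else ("BLOCK" if nfr.priority in blocking else "WARN")
        ok = ok and status != "BLOCK"
        shown = "no measurement" if value is None else f"{value} {nfr.unit}"
        lines.append(f"[{status}] {nfr.category}: {nfr.name} {nfr.op} {nfr.threshold} {nfr.unit} "
                     f"(measured: {shown}; via {nfr.measurement})")
    return ok, lines


if __name__ == "__main__":
    # Constructed measurements for a hypothetical release candidate.
    measured = {"monthly uptime": 99.97, "critical pentest findings open >30 days": 0,
                "Lighthouse accessibility score": 91, "CI pipeline duration": 12}
    measured.update(measurements_from_k6({"metrics": {"http_req_duration": {"p(95)": 380.0}}}))
    ok, report = gate(NFR_SHEET, measured)
    print("\n".join(report))
    raise SystemExit(0 if ok else 1)  # non-zero exit blocks the deploy step
```

The exit code is what the pipeline step keys on; the report lines are the verification artefact to attach to the release sign-off.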
Who owns NFRs — product or engineering?
Both. Product owns business-impact NFRs (cost efficiency, usability, availability target). Engineering owns implementation NFRs (maintainability, observability, developer productivity). Compliance and security NFRs are joint, often owned by a CISO or DPO.
How do NFRs affect estimates?
Massively. Compliance alone (HIPAA + SOC 2) is $30–80k of audit cost plus 4–8 weeks of senior engineering time. Accessibility added late costs 6–10 weeks. See our CTO estimation guide for the full math.
Ready to specify NFRs that actually hold?
NFRs are 30–60 % of total project work but receive 5 % of the brief. The fix is the 14-category model with numeric thresholds, measurement methods, verification paths, priorities and owners. Bind them into the contract. Verify each release. Update them as compliance evolves — 2024 HIPAA, 2025 EU AI Act, European Accessibility Act all changed the floor.
The vendor that pushes back on impossible NFRs and quotes for the realistic ones is the partner you want. The vendor that says “sure, we’ll do all of that” is the partner who will surprise you with change orders in month 4.
Want our NFR template applied to your project?
Send us your brief and target launch date. We will return the populated 14-category NFR spec in 5 business days, free.