Key Takeaway: NIS2 Article 21 explicitly requires organizations to manage supply chain cybersecurity risks. You are legally responsible for the security practices of your critical vendors, not just your own internal controls.

When SolarWinds was compromised in 2020, it wasn't the company itself that made headlines for long. It was the 18,000 organizations downstream whose systems were also breached. NIS2 was written with exactly this scenario in mind.

Under the NIS2 Directive, supply chain security is not a best practice. It is a mandatory requirement. This article provides a concrete framework for identifying your critical suppliers, assessing their security posture, and building the contractual and operational controls regulators will expect to see.

What NIS2 actually requires on supply chain

Article 21(2)(d) of the NIS2 Directive requires entities to address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." This requirement covers:

Direct suppliers with access to your systems

Any vendor with network access, API credentials, or physical access to your infrastructure must be assessed and monitored.

Software and service providers in your critical processes

Cloud platforms, SaaS tools, and managed service providers that your operations depend on fall within scope.

Contractual security requirements

You must be able to demonstrate that security obligations are written into supplier contracts and enforced.

Ongoing monitoring, not one-time assessment

NIS2 expects continuous supplier oversight, not just a tick-box questionnaire at onboarding.

Step 1: build your supplier inventory

You cannot manage risk you haven't mapped. Start by identifying every third party that touches your systems, data, or critical processes.

Supplier inventory categories

Category              | Examples                                            | NIS2 relevance
IT infrastructure     | Cloud providers, hosting, CDN, DNS                  | High
Software & SaaS       | ERP, CRM, communication tools, identity providers   | High
Managed services      | IT outsourcing, NOC/SOC, helpdesk                   | High
Professional services | Consultants, auditors, legal with system access     | Medium
Physical services     | Facilities, maintenance, hardware supply            | Medium
Data processors       | Analytics, payment processors, HR platforms         | Medium-High

Practical tip: Cross-reference your supplier list with your IT asset inventory and accounts payable records. Organizations routinely underestimate their supplier count by 30-40% when relying on memory alone.

Step 2: tier your suppliers by risk

Not every supplier poses the same risk. A risk-based tiering system lets you allocate due diligence proportionally and satisfy regulators that you have a structured approach.

Tier 1 (T1): Critical

Breach or outage would directly impact your NIS2-regulated services or cause significant harm.

Indicators:
  • Privileged system access
  • Single points of failure
  • Access to sensitive data at scale

Cadence: annual audit + quarterly review

Tier 2 (T2): Important

Significant but not immediate operational impact if compromised. Limited or indirect access.

Indicators:
  • Standard system access
  • Important but replaceable services
  • Moderate data access

Cadence: annual questionnaire + biannual review

Tier 3 (T3): Standard

Low risk. No direct system access, no sensitive data, easily replaceable.

Indicators:
  • No system access
  • Commodity services
  • No sensitive data

Cadence: contractual clauses only

Step 3: assess Tier 1 and Tier 2 suppliers

For your critical and important suppliers, you need documented evidence of their security posture. There are three practical mechanisms:

1. Security questionnaire

Send a structured questionnaire covering their risk management, incident response capability, access controls, encryption practices, and business continuity. Industry-standard formats include CAIQ (CSA) and SIG (Shared Assessments).

Good for: initial onboarding and annual reviews

2. Certification evidence

Request current ISO 27001 certificates, SOC 2 Type II reports, or equivalent third-party audit evidence. These provide independent verification and reduce your assessment burden significantly. Always check the certificate date and scope.

Good for: major cloud and SaaS providers

3. On-site or virtual audit

For your most critical Tier 1 suppliers, especially those with privileged access or no certifications, conduct direct audits. Review their actual controls, documentation, and security practices. This is resource-intensive but may be the only option for critical bespoke suppliers.

Good for: high-risk custom integrations and critical infrastructure suppliers

Step 4: update your contracts

Assessment without contractual obligation is just documentation. NIS2 regulators will want to see that you have binding security requirements in your supplier agreements. Key clauses to include:

Minimum NIS2 contract clauses

Incident notification obligation

Supplier must notify you within 24 hours of any security incident that could affect your systems or data, enabling you to meet your own NIS2 reporting deadlines.

Minimum security standards

Reference a specific baseline, whether your own security policy, ISO 27001, or ENISA guidelines. Vague "industry standard" language is difficult to enforce.

Right to audit

Reserved right to request security assessments, certifications, or audit access. Many large suppliers will resist direct audits but will accept annual certificate submission.

Sub-contractor disclosure and flow-down

Supplier must disclose and apply equivalent security obligations to any sub-contractors who access your systems or data.

Termination for security cause

Explicit right to terminate if the supplier fails to remediate a material security deficiency within a defined period.

Step 5: monitor continuously

One-time assessments degrade quickly. A supplier that passed your review 18 months ago may have suffered a breach since then, changed key personnel, or been acquired by an entity you would not have approved. Build an ongoing monitoring cadence:

Ongoing monitoring activities

Continuous (automated where possible)

  • Monitor supplier security ratings services
  • Track public breach disclosures and CVEs affecting supplier software
  • Review privileged access logs for anomalies

Periodic (scheduled reviews)

  • Quarterly: Tier 1 supplier check-in and access review
  • Biannually: Tier 2 questionnaire refresh
  • Annually: Full re-tiering and contract review for all critical suppliers
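The following is an added example, not code from the original article: it encodes the Step 1 reconciliation tip, the Step 2 tiering criteria and the Step 5 review cadence and change triggers as a small supplier-register helper. The Supplier fields, the interval lengths in days, the event labels and the sample vendors are assumptions constructed for the example.

```python
"""Supplier register helper: tiering, review cadence and reconciliation.

Added example encoding the page's tiering criteria and monitoring cadence.
The Supplier fields, interval lengths and event labels are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Supplier:
    name: str
    category: str                     # row from the inventory table, e.g. "Managed services"
    system_access: str                # "privileged", "standard" or "none"
    single_point_of_failure: bool
    sensitive_data: str               # "at_scale", "moderate" or "none"
    last_audit: Optional[date] = None
    last_questionnaire: Optional[date] = None
    last_review: Optional[date] = None


def tier(s: Supplier) -> int:
    """T1 if any critical indicator is present, T2 for standard access or moderate data, else T3."""
    if s.system_access == "privileged" or s.single_point_of_failure or s.sensitive_data == "at_scale":
        return 1
    if s.system_access == "standard" or s.sensitive_data == "moderate":
        return 2
    return 3


# Cadence per tier in days. T1: annual audit + quarterly review; T2: annual
# questionnaire + biannual review; T3: contractual clauses only, nothing scheduled.
CADENCE = {
    1: {"audit": 365, "review": 91},
    2: {"questionnaire": 365, "review": 182},
    3: {},
}

# Supplier-side changes that trigger an out-of-cycle reassessment (assumed labels).
OUT_OF_CYCLE_TRIGGERS = {"merger", "acquisition", "key_personnel_change",
                         "service_change", "breach_disclosure"}


def overdue_activities(s: Supplier, today: date) -> list[str]:
    """Activities whose interval has elapsed, or which have never been recorded."""
    last = {"audit": s.last_audit, "questionnaire": s.last_questionnaire, "review": s.last_review}
    return [
        activity
        for activity, days in CADENCE[tier(s)].items()
        if last[activity] is None or today - last[activity] > timedelta(days=days)
    ]


def review_plan(register: list[Supplier], today: date,
                events: dict[str, set[str]]) -> dict[str, list[str]]:
    """Per supplier: scheduled activities now due plus any event-driven reassessment."""
    plan = {}
    for s in register:
        actions = overdue_activities(s, today)
        if events.get(s.name, set()) & OUT_OF_CYCLE_TRIGGERS:
            actions.append("out_of_cycle_reassessment")
        if actions:
            plan[s.name] = actions
    return plan


def find_unregistered(register: list[Supplier], accounts_payable: set[str],
                      asset_inventory_vendors: set[str]) -> set[str]:
    """Vendors present in finance or asset records but missing from the supplier register."""
    known = {s.name for s in register}
    return (accounts_payable | asset_inventory_vendors) - known


# Constructed sample register and records (fictional vendors).
TODAY = date(2025, 6, 1)
REGISTER = [
    Supplier("CloudHost Ltd", "IT infrastructure", "privileged", True, "at_scale",
             last_audit=date(2023, 11, 15), last_review=date(2025, 5, 2)),
    Supplier("PayFlow SA", "Data processors", "standard", False, "moderate",
             last_review=date(2025, 2, 20)),
    Supplier("OfficePlants BV", "Physical services", "none", False, "none"),
]
EVENTS = {"PayFlow SA": {"acquisition"}}
ACCOUNTS_PAYABLE = {"CloudHost Ltd", "PayFlow SA", "OfficePlants BV", "QuickStats GmbH"}
ASSET_INVENTORY_VENDORS = {"CloudHost Ltd", "DevTools Inc"}

if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.name}: T{tier(s)}")
    print("due:", review_plan(REGISTER, TODAY, EVENTS))
    print("unregistered:", find_unregistered(REGISTER, ACCOUNTS_PAYABLE, ASSET_INVENTORY_VENDORS))
```

Run against the sample register, the cloud provider lands in T1 with its annual audit overdue, the payment processor lands in T2 with no questionnaire on file and an acquisition forcing an out-of-cycle reassessment, and the reconciliation surfaces two vendors that finance or asset records know about but the register does not.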

Common mistakes to avoid

Treating large suppliers as automatically low risk

Major cloud providers are still your responsibility under NIS2. Shared responsibility models do not transfer your compliance obligations.

Scoping out shadow IT suppliers

Tools procured by individual departments without IT approval still connect to your systems. Discover and assess them, then decide whether to approve or remove.

Accepting questionnaire responses without evidence

Self-attestation is a starting point, not an endpoint. Request supporting documentation for claims your assessment depends on.

Failing to reassess after supplier changes

Mergers, acquisitions, key personnel changes, or significant service changes at a supplier should trigger an out-of-cycle reassessment.

What regulators will look for

When a national authority conducts a NIS2 supervision activity, it will expect documented evidence of your supply chain management program. At minimum, prepare:

  • A current supplier register with tiering rationale
  • Assessment records for all Tier 1 and Tier 2 suppliers (questionnaires, certificates, audit reports)
  • Supplier contracts with security clauses in place
  • Evidence of periodic review and any remediation actions taken
  • A written supply chain risk management policy approved by senior management

Frequently asked questions

What does NIS2 require for supply chain security?

Article 21(2)(d) requires entities to address supply chain security, including security-related aspects of relationships with direct suppliers and service providers. This covers direct suppliers with access to systems, software and service providers in critical processes, contractual security requirements, and ongoing monitoring rather than a one-time assessment.

How should I tier my suppliers under NIS2?

Use a risk-based three-tier system. Tier 1 critical suppliers, whose breach or outage would directly impact NIS2-regulated services, need annual audit plus quarterly review. Tier 2 important suppliers have significant but not immediate operational impact and need annual questionnaire plus biannual review. Tier 3 standard suppliers are low risk and need only contractual clauses.

What clauses should NIS2-compliant supplier contracts include?

Minimum NIS2 contract clauses should cover incident notification obligation within 24 hours, minimum security standards referencing a specific baseline, right to audit including security assessments and certifications, sub-contractor disclosure and flow-down of security obligations, and termination rights for security cause if deficiencies are not remediated within an agreed window.

How do I assess Tier 1 and Tier 2 suppliers under NIS2?

Three practical mechanisms. A structured security questionnaire covering risk management, incident response, access controls, encryption, and continuity, using formats like CAIQ or SIG. Certification evidence such as current ISO 27001 certificates or SOC 2 Type II reports. On-site or virtual audits for the most critical Tier 1 suppliers with privileged access to in-scope systems.

What evidence will regulators ask for on NIS2 supply chain?

National authorities expect a current supplier register with tiering rationale, assessment records for all Tier 1 and Tier 2 suppliers including questionnaires, certificates, and audit reports, supplier contracts with security clauses in place, evidence of periodic review and remediation actions, and a written supply chain risk management policy approved by senior management.

What common NIS2 supply chain mistakes should I avoid?

Treating large suppliers as automatically low risk, since shared responsibility models do not transfer compliance obligations. Scoping out shadow IT suppliers procured outside the IT approval process. Accepting questionnaire responses without supporting evidence. Failing to reassess after supplier mergers, acquisitions, or significant service changes. These four gaps drive most supply chain findings.

Does NIS2 supply chain security apply to sub-contractors and fourth parties?

Yes, indirectly. The entity remains responsible for the security of its services regardless of how many layers of sub-contracting sit beneath a supplier. Article 21(2)(d) requires security clauses to flow down, and Tier 1 contracts should list approved sub-contractors, require prior notification for changes, and give the entity the right to object where a fourth party poses unacceptable risk.
