In This Guide
- Why NIS2 Emphasises Supply Chain Security
- What Article 21(2)(d) Requires
- Supply Chain Risk Assessment Methodology
- Identifying Critical Suppliers
- Supplier Due Diligence Process
- Contractual Security Requirements
- Monitoring Supplier Security Posture
- Subcontractor Cascading Requirements
- Coordinated Risk Assessments (Article 22)
- Building the Supply Chain Evidence Pack
- NIS2 vs ISO 27001 Supplier Controls
- Common Supply Chain Compliance Gaps
- Frequently Asked Questions
- NIS2 Article 21(2)(d) explicitly mandates supply chain security, including security-related aspects between each entity and its direct suppliers or service providers.
- High-profile supply chain attacks (SolarWinds, Log4j, MOVEit) underscore why the Directive treats third-party risk as a first-class compliance obligation.
- Organisations must classify suppliers, conduct risk assessments, embed cybersecurity clauses in contracts, and monitor supplier posture on an ongoing basis.
- Subcontractor cascading is expected: your direct suppliers must impose equivalent security requirements on their own subcontractors along critical supply chain paths.
- A structured evidence pack—covering supplier inventory, risk assessments, contractual clauses, monitoring records, and incident notification chains—is essential for demonstrating compliance to regulators.
Why NIS2 Emphasises Supply Chain Security
The EU NIS2 Directive (Directive 2022/2555) elevates supply chain security from a best-practice recommendation to a legal obligation. This is not accidental. The past five years have delivered a series of devastating supply chain compromises that exposed the fragility of interconnected digital ecosystems—and the inadequacy of security models that stop at the organisational perimeter.
Lessons from Major Supply Chain Incidents
Three incidents, in particular, shaped the regulatory thinking behind NIS2's supply chain provisions:
- SolarWinds Orion (2020): A sophisticated threat actor compromised the build pipeline of a widely used IT management platform, injecting a backdoor into a legitimate software update. Over 18,000 organisations—including government agencies and critical infrastructure operators—downloaded the trojanised update, giving attackers persistent access to internal networks. The attack demonstrated that a single compromised supplier can cascade risk across thousands of downstream entities simultaneously.
- Log4Shell / Log4j (2021): A critical remote code execution vulnerability in the open-source Apache Log4j library affected hundreds of thousands of applications worldwide. Many organisations discovered, to their alarm, that they had no visibility into which of their suppliers used Log4j deep within their technology stacks. The incident exposed the challenge of understanding transitive dependencies—the suppliers of your suppliers—and the speed at which a single vulnerability can propagate across the global software supply chain.
- MOVEit Transfer (2023): A zero-day vulnerability in a managed file transfer product was exploited at scale by the Clop ransomware group. Over 2,600 organisations were affected—many of them not direct users of MOVEit but clients of service providers who used the tool. Sensitive data from government agencies, healthcare providers, and financial institutions was exfiltrated. The attack illustrated how a vulnerability in a single supplier's product can breach data across an entire ecosystem of organisations that never directly chose to use that product.
Each of these incidents followed a common pattern: a compromise at one point in the supply chain propagated rapidly to affect organisations that believed their own security perimeters were intact. The NIS2 Directive's supply chain provisions are a direct response to this pattern. Regulators recognised that no organisation operates in isolation and that cybersecurity resilience depends on the security of the entire chain of suppliers, service providers, and subcontractors.
The Regulatory Rationale
Recital 85 of the NIS2 Directive states that entities should address the cybersecurity-related risks stemming from their interactions with their supply chain and that they should take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of the products and cybersecurity practices of their suppliers. This signals a shift from perimeter-focused security to ecosystem-level resilience.
The emphasis is reinforced by the Directive's enforcement provisions. National competent authorities can inspect supply chain security arrangements, request evidence of supplier risk assessments and contractual clauses, and impose penalties where supply chain obligations are not met. For Essential entities, this supervision is proactive—authorities do not need to wait for an incident to examine your supply chain controls.
What Article 21(2)(d) Specifically Requires
Article 21(2)(d) of the NIS2 Directive requires entities to implement "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." While concise in its statutory language, this obligation, read alongside the recitals and implementing guidance, encompasses a broad set of requirements.
Breaking Down the Obligation
When deconstructed, Article 21(2)(d) requires organisations to:
- Identify and inventory suppliers that provide products or services relevant to the security of your network and information systems
- Assess the cybersecurity risk posed by each supplier relationship, considering the nature and criticality of the products or services provided
- Take into account the vulnerabilities specific to each supplier, including their cybersecurity maturity, incident history, and development practices
- Consider the overall quality of products and cybersecurity practices of suppliers, including their secure development procedures
- Implement appropriate measures to manage identified supply chain risks, including contractual requirements, monitoring, and contingency planning
- Consider the results of coordinated security risk assessments of critical supply chains carried out at EU level under Article 22
The Directive does not prescribe a single methodology. Instead, it follows a risk-based, proportionate approach: the measures you implement should be appropriate to the risk. A critical infrastructure operator with deep dependencies on a small number of suppliers will need a more rigorous programme than an organisation with diversified, low-criticality supply relationships.
Although Article 21(2)(d) explicitly references "direct suppliers or service providers," the Directive's recitals make clear that entities should also consider the security of the wider supply chain. This means understanding the risks posed by subcontractors, fourth parties, and transitive dependencies—particularly where those deeper supply chain links have access to your data, systems, or service delivery.
Supply Chain Risk Assessment Methodology
A structured supply chain risk assessment is the foundation of NIS2 compliance under Article 21(2)(d). The assessment should be integrated into your broader cybersecurity risk management framework—not treated as a standalone exercise.
Step 1 — Establish the Context
Before assessing individual suppliers, establish the overall context for your supply chain risk assessment:
- Scope definition: Which services, products, and systems are covered by your NIS2 obligations? Your supply chain assessment should focus on suppliers that support or interact with these scoped services.
- Risk appetite: What level of supply chain risk is acceptable? This should be defined by your management body and documented as part of your risk management framework.
- Assessment criteria: Define the factors you will evaluate—data access, system connectivity, service criticality, substitutability, geographic jurisdiction, and supplier cybersecurity maturity.
Step 2 — Build the Supplier Inventory
You cannot assess risks you have not identified. Build a comprehensive inventory of suppliers that includes:
- All direct suppliers of ICT products and services within your NIS2 scope
- Cloud service providers, managed service providers, and hosting providers
- Software vendors (including SaaS and open-source components)
- Outsourced service providers (e.g., SOC, helpdesk, development teams)
- Physical security and facilities management providers where relevant
- Consultants and contractors with system or data access
Step 3 — Classify Suppliers by Criticality
Not all suppliers carry equal risk. Classify each supplier to determine the depth of due diligence and monitoring required. A typical classification model uses three tiers:
| Tier | Description | Due Diligence Level |
|---|---|---|
| Tier 1 — Critical | Suppliers whose compromise or failure could directly disrupt NIS2-scoped services, or who have privileged access to systems and sensitive data | Full due diligence: questionnaire, evidence review, on-site or remote audit, continuous monitoring |
| Tier 2 — Important | Suppliers who support NIS2-scoped services but whose compromise would have a limited or indirect impact | Standard due diligence: questionnaire, certification review, periodic reassessment |
| Tier 3 — Standard | Suppliers with minimal or no access to systems, data, or service delivery in the NIS2 scope | Baseline due diligence: self-declaration, contractual clauses, exception-based review |
Step 4 — Assess Individual Supplier Risks
For each supplier, evaluate risk across multiple dimensions:
- Access and connectivity: Does the supplier have network access, VPN connections, API integrations, or physical access to your facilities?
- Data exposure: What data does the supplier process, store, or have access to? Is it personal data, commercially sensitive, or classified?
- Service dependency: How critical is the supplier's product or service to your operations? What is the impact of a 24-hour, 7-day, or 30-day outage?
- Substitutability: Can you replace this supplier at short notice? Single-source dependencies carry higher risk.
- Cybersecurity maturity: What certifications does the supplier hold (ISO 27001, SOC 2, etc.)? What is their security track record?
- Jurisdiction and compliance: Where is the supplier located? Are they subject to conflicting legal obligations? Do they operate in high-risk jurisdictions?
- Subcontractor dependencies: Does the supplier rely on subcontractors to deliver services to you? If so, who are they and what security controls apply?
Step 5 — Determine Risk Treatment
For each identified risk, determine the appropriate treatment: accept, mitigate, transfer, or avoid. Mitigation measures typically include enhanced contractual clauses, additional monitoring, technical controls (e.g., network segmentation), or contingency planning (e.g., identifying alternative suppliers).
Identifying Critical Suppliers and Dependencies
The identification of critical suppliers deserves particular attention because it drives the scope and intensity of your entire supply chain security programme. Misclassifying a critical supplier as standard can leave a significant gap in your risk posture.
Indicators of Criticality
A supplier should be classified as critical if any of the following conditions apply:
- The supplier has direct, privileged, or administrative access to your network or information systems
- The supplier processes, stores, or transmits data that is essential to your NIS2-scoped services
- The supplier provides infrastructure (cloud, hosting, connectivity) that underpins your NIS2-scoped services
- Failure or compromise of the supplier would cause immediate disruption to your ability to deliver essential or important services
- There is no readily available alternative supplier, creating a single point of failure
- The supplier's product is deeply embedded in your technology stack (e.g., a core middleware, database, or security tool)
Mapping Dependency Chains
Beyond identifying direct suppliers, map the dependency chains that underpin your critical services. Ask:
- Which suppliers does your cloud provider depend on for DNS, CDN, or identity services?
- Which open-source libraries are embedded in the software your vendor provides?
- Does your managed security service provider subcontract SOC operations to a third party?
This exercise is not about achieving complete visibility into every fourth-party relationship—that is practically impossible. It is about identifying the dependency chains where a compromise would have a material impact on your NIS2-scoped services and ensuring that appropriate risk management extends along those chains.
Supplier Due Diligence Process
Due diligence is the mechanism through which you evaluate whether a supplier meets your cybersecurity requirements. The depth of due diligence should be proportionate to the supplier's criticality classification.
Due Diligence Components
| Component | Tier 1 (Critical) | Tier 2 (Important) | Tier 3 (Standard) |
|---|---|---|---|
| Security questionnaire | Comprehensive, covering all Article 21 areas | Standard, focusing on relevant controls | Self-declaration or abbreviated form |
| Certification review | Verify ISO 27001, SOC 2, or equivalent; review scope and statement of applicability | Verify certifications; check scope alignment | Accept certification as baseline evidence |
| Evidence review | Request and review specific evidence (policies, pen test reports, incident records) | Sample evidence for high-risk areas | Not typically required |
| On-site or remote audit | Conduct or commission an audit of the supplier's security environment | Reserve for elevated risk situations | Not required |
| Subcontractor assessment | Request details of critical subcontractors and their security arrangements | Request confirmation of subcontractor management | Contractual clause only |
| Continuous monitoring | Security ratings, threat intelligence feeds, regular reassessment | Periodic reassessment (annual minimum) | Exception-based review |
Pre-Contract vs Ongoing Due Diligence
Due diligence is not a one-time exercise. It should be conducted:
- Pre-contract: Before engaging a new supplier, to establish a baseline understanding of their security posture and ensure they can meet your contractual requirements
- At renewal: When contracts are renewed or materially changed, to reassess the supplier's current security posture
- On a scheduled basis: At intervals determined by criticality tier—typically annually for Tier 1, biennially for Tier 2
- Triggered by events: When a supplier experiences a security incident, a significant change (e.g., acquisition, infrastructure migration), or a certification lapse
Contractual Security Requirements
Contracts are the primary legal mechanism through which you impose cybersecurity requirements on suppliers. Under NIS2, the absence of contractual security clauses is a gap that regulators can identify and penalise.
Essential Contractual Clauses
At a minimum, contracts with suppliers in your NIS2 scope should include the following cybersecurity provisions:
- Security requirements: Define the security controls the supplier must implement, ideally referencing a recognised standard (e.g., ISO 27001, NIS2 Article 21 measures) or a specific set of control requirements
- Incident notification: Oblige the supplier to notify you of security incidents within a defined timeframe (consider aligning with NIS2's 24-hour early warning requirement to give you time to meet your own reporting obligations)
- Audit and assurance rights: Reserve the right to audit the supplier's security controls, either directly or through an independent third party, and to request evidence of compliance
- Subcontractor controls: Require the supplier to impose equivalent security obligations on any subcontractors involved in delivering services to you, and to notify you of material subcontracting arrangements
- Data protection and handling: Specify how data must be handled, stored, encrypted, and returned or destroyed at the end of the engagement
- Business continuity: Require the supplier to maintain business continuity and disaster recovery plans relevant to the services they provide
- Vulnerability management: Oblige the supplier to maintain timely patching and vulnerability management processes and to notify you of vulnerabilities affecting products or services delivered to you
- Change notification: Require the supplier to notify you of material changes to their security posture, infrastructure, or subcontracting arrangements
- Termination and exit: Define security-related exit obligations, including data return, secure deletion, and access revocation
The contractual requirements you impose should be proportionate to the supplier's criticality and the risk they pose. A Tier 1 critical cloud provider will require detailed, bespoke security clauses, while a Tier 3 office supplies vendor may only need standard terms with a baseline security acknowledgement. Attempting to impose Tier 1 requirements on every supplier is neither practical nor proportionate—and it can create contract fatigue that undermines the entire programme.
Monitoring Supplier Security Posture
NIS2 compliance requires not just initial assessment but ongoing monitoring of supplier security. A supplier that was secure at the point of contract signing may not remain so over the duration of the engagement.
Monitoring Mechanisms
- Periodic reassessment: Repeat due diligence at intervals defined by the supplier's criticality tier. For Tier 1 suppliers, this should be at least annual.
- Security rating platforms: External security rating services (e.g., BitSight, SecurityScorecard) provide continuous visibility into a supplier's external security posture, including exposed vulnerabilities, configuration issues, and compromised credentials.
- Certification monitoring: Track the validity of supplier certifications (ISO 27001, SOC 2, etc.) and flag any lapses or scope changes.
- Threat intelligence: Monitor threat intelligence feeds for indicators of compromise or breaches involving your suppliers.
- Performance and SLA tracking: Monitor service-level compliance, as persistent SLA breaches may indicate underlying operational or security issues.
- Incident review: When a supplier experiences a security incident, conduct a thorough review of the incident's root cause, impact, and the supplier's response. Use the findings to reassess the supplier's risk rating.
Escalation and Remediation
Define clear escalation procedures for when monitoring reveals a deterioration in supplier security:
- Level 1 — Advisory: Issue a formal notification to the supplier identifying the concern and requesting a remediation plan within a defined timeframe
- Level 2 — Restricted: Limit the supplier's access or scope of services while remediation is in progress; increase monitoring frequency
- Level 3 — Critical: Invoke contingency plans, activate alternative suppliers, and consider contract termination if remediation is not achieved
Subcontractor Cascading Requirements
One of the most challenging aspects of NIS2 supply chain compliance is the expectation that security requirements cascade beyond your direct suppliers to their subcontractors and, where relevant, further down the chain.
What Cascading Means in Practice
Subcontractor cascading requires:
- Contractual flow-down: Your contracts with direct suppliers should include a clause requiring them to impose equivalent security obligations on any subcontractors involved in the delivery of services to you
- Visibility into subcontracting: You should know which critical subcontractors your suppliers rely on, particularly where those subcontractors have access to your data or systems
- Approval or notification rights: For Tier 1 critical suppliers, consider requiring that you are notified of, or approve, material subcontracting arrangements before they take effect
- Evidence of subcontractor management: Request evidence that your suppliers are actively managing subcontractor security—this could include subcontractor audit reports, security assessments, or certification confirmations
Practical Challenges
Subcontractor cascading is one of the areas where NIS2 compliance can feel most daunting. Common challenges include:
- Suppliers who resist disclosing their subcontractors for commercial confidentiality reasons
- Complex, multi-layered supply chains where visibility diminishes rapidly beyond Tier 1
- Subcontractors located in jurisdictions with different cybersecurity maturity levels
- Open-source software dependencies where there is no "supplier" to negotiate with
The pragmatic approach is to focus cascading efforts on the critical paths in your supply chain—the dependency chains whose compromise would have a material impact on your NIS2-scoped services. For lower-risk paths, contractual clauses and supplier self-attestation may be sufficient.
Coordinated Security Risk Assessments (Article 22)
Article 22 of NIS2 introduces a mechanism for coordinated security risk assessments of critical supply chains at the EU level. This provision recognises that some supply chain risks are systemic—they affect multiple sectors and Member States simultaneously—and cannot be adequately addressed by individual organisations alone.
How Article 22 Works
The NIS Cooperation Group, in collaboration with the European Commission and ENISA, can conduct coordinated risk assessments of specific critical supply chains. These assessments:
- Identify sector-wide dependencies on specific suppliers, products, or technologies
- Evaluate the cybersecurity risks associated with those dependencies
- Produce recommendations for mitigation measures at the EU level
The process builds on the precedent set by the EU's coordinated risk assessment of 5G networks, which identified security risks in the 5G supply chain and led to the EU Toolbox for 5G Security.
Implications for Your Organisation
Article 21(2)(d) explicitly requires entities to "take into account the results of coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1)." This means:
- Monitor for published coordinated risk assessments relevant to your sector
- Evaluate the recommendations against your own supply chain arrangements
- Implement applicable recommendations and document your response
- Be prepared for regulators to ask how you have incorporated coordinated assessment findings into your supply chain risk management
Building a Supply Chain Evidence Pack
Compliance is only as strong as the evidence that supports it. When regulators inspect your supply chain security arrangements, they will expect to see documented, current, and version-controlled evidence. The following sections outline the components of a comprehensive supply chain evidence pack.
1. Supplier Inventory and Classification
Maintain a register of all suppliers within your NIS2 scope, including:
- Supplier name, primary contact, and relationship owner
- Description of products or services provided
- Criticality classification (Tier 1, 2, or 3) with documented justification
- Data types accessed, processed, or stored by the supplier
- System or network access granted
- Contract reference and renewal dates
- Certifications held (ISO 27001, SOC 2, etc.) and validity dates
2. Risk Assessment Records
For each supplier (at a depth proportionate to their criticality tier), document:
- The risk assessment methodology used
- Risk factors evaluated and scoring criteria
- Individual supplier risk assessment results, including identified risks and risk ratings
- Risk treatment decisions (accept, mitigate, transfer, avoid) with justification
- Residual risk acceptance signed off by the appropriate authority
- Date of last assessment and scheduled next review
3. Contractual Clauses Evidence
Retain copies of:
- Signed contracts or agreements containing cybersecurity clauses
- Security schedules, annexes, or addenda
- Evidence that existing contracts have been updated or amended to include NIS2-aligned security requirements
- Records of any negotiations or exceptions agreed regarding security clauses, with risk acceptance documentation
4. Monitoring and Review Records
Demonstrate ongoing oversight through:
- Due diligence questionnaire responses and assessments
- Supplier audit reports (internal or third-party)
- Security rating reports and trend data
- Certification validity tracking records
- Meeting minutes from periodic supplier security review meetings
- Records of any escalation actions taken and their outcomes
5. Incident Notification Chain Documentation
NIS2 requires entities to report significant incidents within tight timelines (24-hour early warning, 72-hour notification). Your supply chain evidence pack should include:
- Documentation of the incident notification chain from each critical supplier to your organisation
- Contractual provisions requiring timely incident notification from suppliers
- Contact details and escalation procedures for each critical supplier's security team
- Records of any supplier-reported incidents, your response actions, and lessons learned
- Testing records demonstrating the notification chain has been exercised (e.g., tabletop exercises involving supplier incident scenarios)
Regulators are trained to distinguish between genuine, operating controls and paper-only compliance. Your evidence should demonstrate that controls are actively implemented and maintained—not just that a policy exists. For example, a supplier risk assessment dated three years ago with no evidence of review or update will not satisfy a regulator. Current, version-controlled, and regularly reviewed documentation is essential.
NIS2 Supply Chain Requirements vs ISO 27001 Supplier Controls
Organisations with an existing ISO 27001:2022 Information Security Management System already have a foundation for supply chain security through Annex A controls 5.19 to 5.22. However, NIS2 extends the requirements in several important directions. The following comparison highlights the key differences.
| Area | ISO 27001:2022 (Annex A 5.19–5.22) | NIS2 Article 21(2)(d) & Article 22 |
|---|---|---|
| Scope of supplier management | Focuses on information security in supplier relationships relevant to the ISMS scope | Covers all suppliers relevant to the security of network and information systems used to deliver NIS2-scoped services; broader lens on ICT products, services, and processes |
| Risk assessment depth | Requires identification and management of supplier-related risks within the ISMS risk assessment | Requires assessment of vulnerabilities specific to each direct supplier, the overall quality of products and cybersecurity practices, and secure development procedures of suppliers |
| Subcontractor cascading | A.5.19 addresses supply chain information security but does not prescribe depth of cascading | Recitals and guidance emphasise consideration of the entire supply chain, including subcontractors and transitive dependencies along critical paths |
| Coordinated risk assessments | Not addressed | Article 22 introduces sector-wide coordinated risk assessments at EU level; entities must take results into account |
| Incident notification from suppliers | A.5.20 requires addressing information security within supplier agreements, including incident management; no mandated timelines | Must align with NIS2's 24h early warning / 72h notification timeline; supplier notification chains must enable the entity to meet its own reporting obligations |
| Regulatory enforcement | Certification-based; non-conformities may result in certification withdrawal | Regulatory enforcement with inspections, binding instructions, and fines up to EUR 10M or 2% of global turnover |
| Management accountability | Leadership commitment required (Clause 5); no personal liability | Management body personally accountable for approving cybersecurity risk management measures, including supply chain security |
| Monitoring and review | A.5.22 requires monitoring, review, and change management of supplier services | Ongoing monitoring expected, with evidence of active supplier security oversight; regulators may request monitoring records |
The practical implication is that ISO 27001 certification provides a strong foundation—estimated at 60-70% coverage of NIS2 supply chain requirements—but most organisations will need to extend their supplier management programme in the areas of subcontractor cascading, incident notification chains, coordinated risk assessment integration, and the depth of individual supplier risk assessment.
Common Supply Chain Compliance Gaps
Based on assessments conducted across multiple sectors, the following are the most frequently observed gaps in supply chain security programmes when measured against NIS2 requirements.
| Gap | Description | Remediation Approach |
|---|---|---|
| No supplier inventory | The organisation cannot identify all suppliers with access to NIS2-scoped systems or data | Conduct a comprehensive supplier mapping exercise; integrate with procurement and contract management processes |
| Flat classification | All suppliers treated the same regardless of criticality; no tiered due diligence | Implement a tiered classification methodology based on access, data exposure, and service criticality |
| No contractual security clauses | Existing contracts lack cybersecurity provisions; legacy contracts were never updated | Develop standard and enhanced security clause templates; prioritise amendment of Tier 1 supplier contracts |
| One-time due diligence only | Due diligence conducted at onboarding but never repeated; no ongoing monitoring | Establish a recurring reassessment schedule aligned with supplier tiers; implement continuous monitoring for Tier 1 |
| No subcontractor visibility | No knowledge of which subcontractors suppliers use; no cascading requirements in contracts | Add subcontractor disclosure and flow-down clauses to contracts; request subcontractor details from Tier 1 suppliers |
| Supplier incident notification gap | No defined process for suppliers to notify you of incidents; notification timelines not contractually agreed | Define incident notification requirements in contracts; establish and test notification chains with critical suppliers |
| Paper-only compliance | Policies exist but are not operationally implemented; supplier risk register is outdated | Implement operational controls with evidence capture; update risk assessments on a scheduled and event-driven basis |
| Open-source blind spot | No visibility into open-source components within supplier products; no SBOM requirement | Require Software Bills of Materials (SBOMs) from critical software suppliers; implement dependency scanning for internally developed software |
Glocert International provides independent supply chain security assessments aligned with NIS2 Article 21(2)(d). Our assessments evaluate your supplier inventory, classification methodology, due diligence processes, contractual arrangements, monitoring practices, and subcontractor management against NIS2 requirements. We deliver a detailed gap analysis, risk-ranked remediation plan, and evidence pack review—giving you a clear path from current state to compliance. Learn more about our NIS2 assessment service.
Frequently Asked Questions
What does NIS2 Article 21(2)(d) require for supply chain security?
Article 21(2)(d) requires entities to implement supply chain security measures covering the security-related aspects between each entity and its direct suppliers or service providers. In practice, this means conducting risk assessments of suppliers, embedding cybersecurity requirements in contracts, monitoring supplier security posture, considering the overall quality of products and cybersecurity practices of suppliers, and taking into account the results of coordinated security risk assessments of critical supply chains carried out at EU level under Article 22.
How do I identify which suppliers are critical under NIS2?
Critical suppliers are those whose failure, compromise, or unavailability could directly impact your ability to deliver NIS2-scoped services. Apply a classification methodology based on data access level, service dependency, substitutability, and connectivity to your network and information systems. Suppliers with privileged access, those hosting or processing sensitive data, and those providing essential infrastructure components typically fall into the critical category. The classification should be documented, justified, and reviewed at least annually.
Do NIS2 supply chain requirements extend to subcontractors?
Yes. Although Article 21(2)(d) explicitly references direct suppliers, the Directive's recitals make clear that entities should consider the security of the wider supply chain. This means your contracts with direct suppliers should include provisions requiring them to impose equivalent security obligations on their own subcontractors. You should request evidence that subcontractor security is being managed, particularly for critical supply chain paths. The focus should be on the dependency chains whose compromise would have a material impact on your NIS2-scoped services.
How does NIS2 supply chain security differ from ISO 27001 supplier controls?
While ISO 27001 Annex A controls 5.19-5.22 address supplier information security, NIS2 goes further in several ways: it requires consideration of sector-wide and cross-border supply chain risks through coordinated risk assessments under Article 22, emphasises deeper subcontractor cascading, mandates tighter incident notification timelines from suppliers, and places supply chain security within a regulatory enforcement framework with significant penalties. Organisations with ISO 27001 have a strong foundation but typically need to extend their supplier management programme to meet NIS2's broader scope.
What evidence should I compile for NIS2 supply chain compliance?
A comprehensive NIS2 supply chain evidence pack should include: a classified supplier inventory with documented justifications, individual supplier risk assessment records, contractual security clauses and signed agreements, due diligence questionnaire responses and assessment results, monitoring and review records (audit reports, security scorecards, certification tracking), incident notification chain documentation and testing records, subcontractor management evidence, and records of any coordinated risk assessment findings and your response. All evidence must be current, version-controlled, and demonstrate active implementation rather than paper-only compliance.