NIS2 Supply Chain Security Requirements
A detailed reference on NIS2 supply chain security obligations under Article 21(2)(d), covering supplier assessments, contractual requirements, and coordinated risk assessments across the EU.
1. NIS2 Article 21(2)(d) creates an explicit, enforceable obligation to manage supply chain cybersecurity risk — a first for EU-wide cybersecurity legislation.
2. The scope covers all direct suppliers and service providers whose compromise could affect the entity's network and information systems, not just ICT vendors.
3. Entities must consider the results of EU-level coordinated risk assessments (Article 22) when evaluating their supply chain security posture.
4. Financial entities subject to DORA should use its more prescriptive Chapter V requirements as their baseline, but must check for NIS2 gaps in non-ICT supply chain areas.
5. Supply chain security measures must be approved and overseen by the management body under Article 20(1), integrating them into the entity's overall governance framework.
Article 21(2)(d) and the Supply Chain Security Obligation
Directive (EU) 2022/2555 (NIS2) fundamentally changed the way European organisations must approach supply chain cybersecurity. Article 21(1) requires essential and important entities to adopt appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. Article 21(2) then enumerates a minimum list of policy domains these measures must address, and subparagraph (d) explicitly names supply chain security — including the security-related aspects of relationships between each entity and its direct suppliers or service providers.
This is a significant departure from the original NIS Directive (2016/1148), which contained no comparable supply chain obligation. The inclusion reflects the EU legislator's recognition that many of the most damaging cyber incidents of recent years — SolarWinds, Kaseya, Log4Shell — exploited trust relationships between organisations and their technology suppliers. Recital 85 of NIS2 underscores that entities should assess the overall quality and resilience of products and services, the cybersecurity practices of their suppliers, and the results of coordinated security risk assessments of critical supply chains.
Importantly, the obligation extends beyond mere contractual pass-through. Entities must take a risk-based approach that considers the vulnerabilities specific to each direct supplier, the overall quality of the supplier's cybersecurity posture, and the results of any coordinated risk assessments carried out at EU or national level under Article 22. The standard of proportionality means that a critical infrastructure operator procuring a core network component faces far more demanding supply chain due diligence than a medium-sized digital service provider purchasing commodity office software.
Article 21(2)(d) is not a standalone obligation — it sits within the broader cybersecurity risk management framework of Article 21(1). All supply chain measures must be proportionate to the entity's risk exposure, size, and the potential impact of a compromise.
Which Suppliers and Products Fall in Scope
NIS2 does not limit its supply chain requirements to ICT suppliers alone. Article 21(2)(d) refers to relationships with "direct suppliers or service providers," a formulation that captures any third party whose compromise could affect the security of the entity's network and information systems. In practice this includes cloud infrastructure and platform providers, managed security service providers (MSSPs), software vendors whose products are deployed in operational environments, hardware manufacturers of network equipment or operational technology, and outsourced IT operations providers.
Recital 85 further clarifies the assessment criteria entities should use. When evaluating the security of direct suppliers, entities should take into account: the cybersecurity practices of the supplier, including their secure development procedures; the ability of the supplier to comply with cybersecurity specifications agreed with the entity; the overall quality and resilience of products and services and any embedded cybersecurity measures; and the results of coordinated security risk assessments of critical supply chains performed under Article 22. The directive does not prescribe a single assessment methodology, but the factors listed in Recital 85 effectively set a floor for due diligence.
Member States may, through implementing measures or national guidance, further specify which categories of suppliers require enhanced scrutiny. For instance, the French ANSSI and German BSI have both signalled that operators of essential services will be expected to maintain tiered supplier inventories distinguishing between critical, important, and standard suppliers — with graduated assessment and monitoring requirements for each tier.
Contractual Security Requirements for Suppliers
While NIS2 itself does not prescribe specific contractual clauses, Article 21(2)(d) requires entities to address the security-related aspects of their supplier relationships. In practice this means embedding cybersecurity requirements into procurement contracts, service-level agreements, and vendor governance frameworks. The European Union Agency for Cybersecurity (ENISA) has published guidance suggesting that contracts should address incident notification obligations, rights of audit and security testing, vulnerability disclosure and patching timelines, and minimum security baseline requirements.
A well-structured supply chain security clause will typically require the supplier to maintain a documented information security management system, to notify the contracting entity of any security incident that could affect the services provided within a defined timeframe (often 24 to 72 hours, aligning with the entity's own incident reporting obligations under Articles 23-24), and to permit the entity or its designees to conduct periodic security assessments. For critical suppliers, organisations often require evidence of third-party certifications such as ISO 27001, SOC 2, or sector-specific standards like TISAX for automotive or C5 for cloud services.
Organisations should also address supply chain continuity in their contracts. Article 21(2)(c) requires business continuity management, and this extends to scenarios in which a critical supplier suffers a disruption. Contractual provisions for alternative sourcing, data portability, and escrow arrangements help ensure that a supplier failure does not cascade into an operational crisis for the entity itself. The interplay between subparagraphs (c) and (d) of Article 21(2) means that supply chain security and business continuity planning must be developed in tandem.
When drafting supply chain security clauses, align incident notification timelines with your own obligations under NIS2 Article 23. If you must issue an early warning to your CSIRT within 24 hours, your suppliers should notify you well within that window.
Coordinated Security Risk Assessments Under Article 22
Article 22 of NIS2 introduces a novel EU-level mechanism for coordinated security risk assessments of critical supply chains. Where the Cooperation Group, in consultation with the Commission and ENISA, identifies specific critical ICT services, systems, or products for which a coordinated risk assessment is necessary, Member States may participate in a Union-wide assessment of the security risks associated with those supply chains. This mechanism was inspired by the precedent set by the EU 5G Toolbox process, which conducted a coordinated risk assessment of 5G network supply chains in 2019-2020.
The results of these coordinated assessments feed directly into the Article 21(2)(d) obligation. Recital 85 states that entities should take into account the results of coordinated security risk assessments of critical supply chains when assessing the security of their own suppliers. While participation in coordinated assessments is optional for Member States, the assessment results — once published — effectively become a reference standard that regulated entities are expected to consider.
For organisations, this creates a practical obligation to monitor and act on the outcomes of EU-level coordinated risk assessments. When ENISA or the Cooperation Group publishes findings about vulnerabilities or risks in a specific supply chain — for example, cloud computing infrastructure or industrial control systems — entities that use products or services from that supply chain must demonstrate that they have considered those findings in their own risk assessment and, where appropriate, taken mitigating action. Failure to do so could be seen as a failure to implement proportionate measures under Article 21(1).
Relationship to DORA Third-Party Risk Management Requirements
For financial entities, the supply chain security requirements of NIS2 overlap significantly with the third-party ICT risk management obligations of Regulation (EU) 2022/2554 (DORA). Article 4(2) of NIS2 establishes that where sector-specific Union legal acts require essential or important entities to adopt cybersecurity risk management measures or to notify significant incidents, and those requirements are at least equivalent in effect to the NIS2 obligations, the sector-specific rules prevail. DORA is explicitly identified as such a lex specialis in Recital 28 of NIS2.
DORA's Chapter V (Articles 28-44) sets out considerably more prescriptive requirements for ICT third-party risk management than NIS2 Article 21(2)(d). DORA mandates a formal ICT third-party risk management strategy (Article 28(2)), requires financial entities to maintain a register of all contractual arrangements with ICT third-party service providers (Article 28(3)), and specifies detailed mandatory contractual provisions in Articles 30-31. DORA also introduces a groundbreaking oversight framework for critical ICT third-party service providers designated by the European Supervisory Authorities under Articles 31-44.
Organisations that fall within the scope of both NIS2 and DORA — such as banks, insurers, and payment service providers — should generally build their third-party risk management programme to DORA standards, which will satisfy the NIS2 requirements by extension. However, for non-ICT supply chain relationships (e.g., physical security providers, facilities management), NIS2 Article 21(2)(d) may still apply independently. A practical approach is to implement a unified third-party risk management framework that addresses both regimes, using DORA's more detailed requirements as the baseline and extending coverage to non-ICT suppliers as required by NIS2.
Financial entities should not assume DORA fully replaces NIS2 supply chain obligations. NIS2 may still apply to non-ICT supplier relationships that fall outside DORA's scope. Conduct a mapping exercise to identify any gaps.
Practical Steps for Implementing Supply Chain Security
Building a compliant supply chain security programme requires a structured, phased approach. The first step is to create a comprehensive inventory of all direct suppliers and service providers whose products or services interact with, or could affect, the entity's network and information systems. This inventory should classify suppliers into risk tiers based on the criticality of the services they provide, the sensitivity of the data they access, and the potential impact of their compromise on the entity's operations.
Once the inventory is established, entities should develop a standardised supplier assessment methodology. For critical and important suppliers, this typically involves a combination of questionnaire-based assessments, review of third-party audit reports and certifications, technical security testing where contractually permitted, and ongoing monitoring of threat intelligence and vulnerability disclosures relevant to the supplier's products. The assessment should be repeated at defined intervals — annually for critical suppliers is a common baseline — and triggered by material changes such as the supplier's acquisition, a significant security incident, or a change in the services provided.
Finally, organisations must integrate supply chain security into their broader governance framework. Article 21(2) measures do not exist in isolation; they must be approved by the management body under Article 20(1), and the management body must oversee their implementation. This means that supply chain risk should be reported to the board or equivalent governing body at regular intervals, and that significant supply chain risks or incidents should trigger escalation procedures. Organisations that already have mature vendor management programmes will find that NIS2 primarily requires them to formalise and document existing practices; those starting from scratch face a more substantial implementation effort.
Does NIS2 require us to assess every single supplier we work with?
Not necessarily. NIS2 requires a risk-based and proportionate approach under Article 21(1). You must assess the security-related aspects of relationships with direct suppliers and service providers, focusing on those whose compromise could affect your network and information systems. In practice, most organisations implement a tiered approach: critical suppliers undergo comprehensive assessment, important suppliers receive standardised review, and low-risk suppliers are subject to baseline checks. The key is to demonstrate that your assessment depth is proportionate to the risk each supplier poses.
What is the relationship between NIS2 supply chain requirements and ISO 27001 Annex A controls?
ISO 27001:2022 Annex A includes controls A.5.19 (Information security in supplier relationships), A.5.20 (Addressing information security within supplier agreements), A.5.21 (Managing information security in the ICT supply chain), and A.5.22 (Monitoring, review, and change management of supplier services). These controls align closely with the NIS2 Article 21(2)(d) requirements. Organisations with a certified ISO 27001 ISMS will typically have a strong foundation for NIS2 supply chain compliance, though they should verify that their supplier management programme explicitly addresses the NIS2-specific elements such as consideration of coordinated risk assessment results under Article 22.
How do coordinated risk assessments under Article 22 affect individual organisations?
When the NIS Cooperation Group conducts a coordinated risk assessment of a critical supply chain under Article 22, the results are published and become a reference input for all regulated entities that rely on that supply chain. Recital 85 states that entities should take these results into account when assessing their own supplier security. While you do not need to participate in the assessment process itself, you must monitor for published results, evaluate their relevance to your supply chain, and document any actions taken in response. Ignoring published coordinated assessment findings could be treated as a failure to implement proportionate measures.
Can we rely on our suppliers' certifications instead of conducting our own assessments?
Third-party certifications such as ISO 27001, SOC 2, or the forthcoming European cybersecurity certification schemes under the Cybersecurity Act (Regulation 2019/881) are valuable evidence of a supplier's security posture, but they are not a complete substitute for your own risk assessment. NIS2 requires you to evaluate the specific security-related aspects of your relationship with each supplier — including the particular services provided, data accessed, and integration points. A certification confirms the supplier's general security controls but may not address risks specific to your use case. Best practice is to use certifications as a foundation and supplement them with targeted assessment of the relationship-specific risks.
What happens if a supplier refuses to comply with our security requirements?
If a supplier refuses to meet security requirements that you have determined are necessary to comply with Article 21(2)(d), you face a risk management decision. You must assess whether the residual risk of continuing the relationship is acceptable given your overall risk appetite and regulatory obligations. Options include accepting the risk with additional compensating controls, escalating contractual negotiations, seeking alternative suppliers, or terminating the relationship. Document the decision and its rationale thoroughly — supervisory authorities will expect to see evidence that supply chain risks are actively managed, even when a supplier is uncooperative.