NIS2's supply chain security provisions are one of the most operationally challenging aspects of the regulation. Article 21(2)(d) requires essential and important entities to address security in their supply chain, not just in their own systems. This means assessing and managing the security practices of your ICT vendors, cloud providers, and software suppliers. It also means that if you are a supplier to NIS2-regulated entities, your customers' compliance programme now reaches into your organisation.
What NIS2 Requires on Supply Chain Security
NIS2 Article 21(2)(d) requires entities to implement measures addressing:
"Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers"
Article 21(3) adds that, in deciding which measures are appropriate, entities must take into account the vulnerabilities specific to each direct supplier and the overall quality of their suppliers' products and cybersecurity practices, including secure development procedures. Taken together, this is not a vague aspiration. In practice it translates into four operational requirements:
- Risk assessment of each direct supplier: For suppliers that provide ICT products or services relevant to your security posture, you must assess their security practices.
- Security requirements in contracts: Suppliers handling data or providing systems must be contractually bound to security standards.
- Monitoring of supplier compliance: Supplier security is not a one-time check at onboarding; it must be actively monitored.
- Management of supplier changes: Changes to critical suppliers must be assessed for security impact before implementation.
Which Suppliers Are in Scope
You cannot apply the full supply chain security programme to every vendor. NIS2 focuses on "direct suppliers or service providers" that are relevant to your security and operational continuity. These are:
ICT infrastructure suppliers:
- Cloud hosting providers (AWS, Azure, GCP, or private cloud)
- Colocation data centre operators
- Network providers and connectivity suppliers
Software suppliers:
- Operating systems and virtualisation platforms
- Security software vendors (firewalls, SIEM, endpoint protection)
- Enterprise SaaS used in critical operations
Managed service providers:
- IT management companies
- Security operations centres (SOCs) and MSSPs
- Outsourced IT helpdesk or NOC
Hardware suppliers:
- Server and network equipment manufacturers (for critical infrastructure equipment)
The Supplier Risk Assessment
For each significant supplier, conduct a documented risk assessment:
Supplier profile:
- What services/products does the supplier provide?
- What access does the supplier have to your systems and data?
- What would happen to your operations if this supplier were unavailable or compromised?
Security assessment:
- Does the supplier hold ISO 27001, SOC 2 Type II, or equivalent certification?
- Has the supplier experienced a security breach in the last 24 months?
- Does the supplier have an incident notification commitment?
- What is the supplier's patching and vulnerability management practice?
Contractual review:
- Do current contracts include security obligations?
- Do contracts require notification of security incidents?
- Is there an audit right in the contract?
Risk rating:
- High / medium / low based on access level and criticality
- Higher-rated suppliers require more rigorous ongoing monitoring
Contract Requirements for Suppliers
For high-risk suppliers, your contracts should include:
- Security obligations: The supplier must implement security measures at least equivalent to your NIS2 requirements
- Incident notification: The supplier must notify you of any security incident affecting your services or data within a defined window. Because you must submit an early warning to your CSIRT or competent authority within 24 hours of becoming aware of a significant incident, the supplier's window has to leave you room to meet that deadline: 24 hours or less for critical suppliers, up to 72 hours for less critical ones
- Audit rights: You can audit the supplier's security practices
- Sub-contractor disclosure: The supplier must disclose further sub-contractors with access to your systems
- Data processing agreement: If the supplier processes personal data on your behalf, a GDPR-compliant DPA is required alongside the security provisions
For existing contracts that predate NIS2, plan a programme to renegotiate critical supplier agreements to include these provisions by the end of 2025.
You as a Supplier: What NIS2 Customers Will Demand
If you supply ICT products or services to NIS2-essential or important entities, your customers' NIS2 compliance programme will reach into your organisation. Expect:
Security questionnaires, typically based on ISO 27001 or a similar framework and covering the measures listed in Article 21(2).
Contractual security clauses — your customers will add security obligations, incident notification requirements, and audit rights to new and renewing contracts.
Certification requirements — some enterprise customers will require ISO 27001 or SOC 2 Type II as a precondition for contract, not just as a questionnaire response.
24-hour incident notification: your customers will require you to notify them of any security incident affecting the services you provide to them within 24 hours, regardless of whether the incident is formally reportable under NIS2 itself. They need this lead time because they themselves must send an early warning within 24 hours of becoming aware of a significant incident.
Building Your Supply Chain Security Programme
Tier 1 — Critical suppliers: Full risk assessment, contractual security requirements, annual review, incident notification in place. These are suppliers whose compromise could directly affect your operations.
Tier 2 — Significant suppliers: Standardised security questionnaire, review at contract renewal, incident notification clause. These are important but less critical suppliers.
Tier 3 — Standard suppliers: Basic vendor due diligence, standard contract terms, no active monitoring programme.