Supply Chain Security Under NIS2: A Practical Guide

Security Measures
The Nistoo Team
9 min read
20 March 2024

How to assess supplier cybersecurity risk, what to include in supplier contracts, and how to build an ongoing supplier monitoring programme that satisfies NIS2 Article 21(2)(d).

Supply chain security is one of the most challenging and consequential requirements of NIS2. Article 21(2)(d) explicitly requires covered entities to address security risks arising from relationships with direct suppliers and service providers. This reflects the EU's recognition that many of the most damaging cyberattacks in recent years have exploited the supply chain rather than attacking targets directly.

Why Supply Chain is a Priority

The SolarWinds attack of 2020 compromised over 18,000 organisations — including multiple US government agencies — through a single software update from a trusted vendor. The Kaseya VSA ransomware attack in 2021 hit over 1,500 managed service provider customers through a single vulnerability. MOVEit Transfer, exploited in 2023, affected hundreds of organisations across critical sectors. These incidents demonstrate that an organisation's cybersecurity is only as strong as its weakest supplier. NIS2 makes this a legal obligation to address, not merely best practice.

What Article 21(2)(d) Requires

  • Security in the supply chain including security aspects of the relationships between each entity and its direct suppliers or service providers
  • Assessment of the overall security posture of suppliers with specific regard to the security of products and services delivered
  • Appropriate and proportionate measures to manage supply chain risks — what is appropriate will depend on the criticality of the supplier to your operations
  • Consideration of vulnerabilities specific to each supplier and the quality of products and services offered, including secure development practices

Assessing Your Suppliers

A structured supplier assessment process should follow these steps:

  1. Inventory your suppliers — create a complete list of all suppliers and service providers, including cloud services, software vendors, managed services, and contractors
  2. Classify by criticality — rank each supplier by the impact their failure or compromise would have on your operations (Critical / High / Medium / Low)
  3. Assess security posture — for Critical and High suppliers, conduct security assessments using questionnaires, certification verification, or right-to-audit clauses
  4. Document findings — record the results of your assessments and the risk decisions made for each supplier
  5. Remediate gaps — work with suppliers to address identified weaknesses, or develop compensating controls if the supplier cannot improve
  6. Maintain records — keep a current supplier register with assessment dates, scores, and next review dates

Supplier Questionnaire Key Topics

Your supplier security questionnaire should cover the following topic areas at minimum:

  • Information security governance — do they have a CISO, security policies, and management oversight?
  • Certifications — ISO 27001, SOC 2, Cyber Essentials, or sector-specific standards
  • Incident response — do they have an incident response plan (IRP), and what is their notification obligation to customers?
  • Access controls — how is access to your data or systems controlled and monitored?
  • Data handling — where is your data stored, processed, and transmitted?
  • Subprocessors — who do they use, and are those also assessed?
  • Vulnerability management — how quickly do they patch critical vulnerabilities?
  • Business continuity — what are their recovery time and recovery point objectives (RTO/RPO), and have they tested their business continuity plan (BCP)?
  • Personnel security — do they conduct background checks on staff with access to your data?

Contractual Requirements

Every contract with a Critical or High supplier should include the following clauses:

  • Security standards — obligation to maintain specified security standards or certifications throughout the contract
  • Incident notification — requirement to notify you within 24-72 hours of any security incident affecting your data or systems
  • Right to audit — right to conduct or commission security assessments of the supplier at reasonable notice
  • Subprocessor approval — requirement to obtain your approval before engaging subprocessors with access to your systems or data
  • Penetration testing — requirement for regular penetration testing and provision of results
  • Vulnerability disclosure — obligation to disclose known vulnerabilities in their products and services
  • Data return/deletion — requirements for returning or securely deleting your data at contract termination
  • Regulatory compliance — obligation to comply with applicable regulations including NIS2 where they are themselves covered

Three-tier model for supply chain risk management (text version of the figure):

  • Your organisation — Essential / Important Entity
  • Tier 1 — Critical suppliers: direct suppliers with significant access or impact, such as cloud service providers, managed security services, core software vendors, and network operators
  • Tier 2 — Sub-processors: suppliers used by your Tier 1 suppliers, such as data centre operators, CDN providers, hardware manufacturers, and open source dependencies

Ongoing Monitoring

Supplier assessment is not a one-time exercise. You must maintain ongoing monitoring of your supply chain:

  • Annual reassessment for all Critical and High suppliers
  • Continuous monitoring of public vulnerability disclosures affecting supplier products
  • Subscription to supplier security bulletins and patch notifications
  • Review of supplier security posture following major incidents in their sector
  • Tracking of supplier certifications — ensure ISO 27001 certificates remain current
  • Incident response drills that include supplier communication scenarios
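The six-step assessment process and the monitoring list above both turn on one artefact: the supplier register with criticality, assessment dates and next review dates. The following script is an added illustration of how that register can be kept machine-checkable; it is not Nistoo's code. The supplier names, product names, questionnaire scores and advisory identifiers are constructed sample data, and the two-year and three-year review intervals for Medium and Low suppliers are an assumption (the page only mandates annual reassessment for Critical and High).

```python
"""Supplier register: review scheduling and advisory matching (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Review interval per criticality tier. Annual for Critical/High follows the
# page; the longer Medium/Low intervals are an assumption for illustration.
REVIEW_INTERVAL_DAYS = {"Critical": 365, "High": 365, "Medium": 730, "Low": 1095}

# Reference date used by the sample run below (constructed).
TODAY = date(2024, 3, 20)


@dataclass
class Supplier:
    name: str
    criticality: str                 # Critical / High / Medium / Low
    products: List[str]              # product names as they appear in bulletins
    last_assessed: Optional[date] = None
    score: Optional[int] = None      # questionnaire score, constructed 0-100 scale
    findings: List[str] = field(default_factory=list)

    def next_review(self) -> Optional[date]:
        """Step 6: next review date derived from the last assessment and tier."""
        if self.last_assessed is None:
            return None
        return self.last_assessed + timedelta(days=REVIEW_INTERVAL_DAYS[self.criticality])


def unassessed_high_risk(register: List[Supplier]) -> List[str]:
    """Step 3: Critical/High suppliers that have never been assessed."""
    return [s.name for s in register
            if s.criticality in ("Critical", "High") and s.last_assessed is None]


def overdue_reviews(register: List[Supplier], today: date) -> List[str]:
    """Step 6: suppliers whose assessment is missing or past its review date."""
    overdue = []
    for s in register:
        due = s.next_review()
        if due is None or due <= today:
            overdue.append(s.name)
    return overdue


def match_advisories(register: List[Supplier],
                     advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Ongoing monitoring: map public vulnerability disclosures to suppliers.

    Products are matched case-insensitively by name; real feeds would use a
    structured product identifier, which is outside this illustration.
    """
    index: Dict[str, List[str]] = {}
    for s in register:
        for product in s.products:
            index.setdefault(product.lower(), []).append(s.name)
    hits = []
    for adv in advisories:
        for supplier_name in index.get(adv["product"].lower(), []):
            hits.append((adv["id"], supplier_name, adv["severity"]))
    return hits


# Constructed sample register: fictional suppliers and products.
REGISTER = [
    Supplier("ExampleCloud Ltd", "Critical", ["ExampleCloud Platform"],
             last_assessed=date(2023, 2, 1), score=82, findings=["MFA not enforced for support staff"]),
    Supplier("SampleMSSP", "High", ["SampleMonitor Agent"],
             last_assessed=date(2023, 9, 15), score=91),
    Supplier("Acme Payroll", "Medium", ["Acme Payroll"]),
    Supplier("FictiveNet", "Critical", ["FictiveNet Router OS"]),
]

# Constructed sample bulletin feed: placeholder identifiers, not real advisories.
ADVISORIES = [
    {"id": "ADV-SAMPLE-001", "product": "examplecloud platform", "severity": "critical"},
    {"id": "ADV-SAMPLE-002", "product": "Unrelated Widget", "severity": "high"},
]

if __name__ == "__main__":
    print("Critical/High never assessed:", unassessed_high_risk(REGISTER))
    print("Reviews overdue as of", TODAY, ":", overdue_reviews(REGISTER, TODAY))
    for adv_id, supplier, severity in match_advisories(REGISTER, ADVISORIES):
        print(f"{adv_id}: {supplier} affected ({severity})")
```

Running the script against the sample data lists the two never-assessed suppliers as overdue alongside the Critical supplier whose annual review lapsed, and links the one relevant bulletin to its supplier; the questionnaire score and findings fields are where the step 4 documentation and step 5 remediation tracking would live.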

Start with Your Crown Jewels

If you are starting your supply chain programme from scratch, focus first on suppliers with access to your most critical systems or sensitive data. A Tier 1 list of 10-20 critical suppliers, assessed thoroughly, provides more NIS2 compliance value than a superficial assessment of your entire vendor list.

Tags: supply-chain, suppliers, third-party, article-21, vendor-risk, contracts