
NIS2 supply chain security: what you need to know

NIS2 requirements for supply chain security: identifying critical suppliers, risk assessment, contractual clauses, and monitoring.

Laura Stan
Content Team at NIS2 Manager, BetterQA

Introduction

One of the most discussed aspects of NIS2 is the requirement for supply chain security. "How deep do I need to go in vetting my suppliers?" is a question that concerns many organizations.

What Does NIS2 Require Regarding Supply Chain?

Article 21 - Explicit Requirements:

Essential and important entities must take measures for:

  1. Security in the acquisition, development, and maintenance of network and information systems
  2. Vulnerability handling and disclosure policies
  3. Supply chain security, including the security-related aspects of relationships with direct suppliers and service providers

What Does This Mean in Practice?

You don't need to audit every supplier in the world, but you must:

  • Identify suppliers critical to your operations
  • Assess risks associated with these suppliers
  • Include security requirements in contracts
  • Monitor compliance of critical suppliers

Defining Critical Suppliers

Assessment Criteria:

  1. System Access - Does the supplier have access to your IT infrastructure?
  2. Data Access - Does the supplier process sensitive data?
  3. Operational Dependency - What happens if the supplier is unavailable?
  4. Uniqueness - Are there alternatives in the market?
  5. Incident Impact - What would happen if the supplier is compromised?

Categories of Critical Suppliers:

Level 1 - Critical:

  • Cloud infrastructure providers
  • Managed Service Providers (MSP)
  • Custom software developers
  • Cybersecurity providers

Level 2 - Important:

  • Commercial software providers
  • IT support services
  • Network equipment suppliers
  • Consultants with system access

Level 3 - Standard:

  • Office service providers
  • Consumables suppliers
  • External services without system access

Practical Implementation Measures

1. Supplier Inventory

Create a registry that includes:

  • Supplier name
  • Services provided
  • Access level (systems, data)
  • Criticality classification
  • Date of last assessment

2. Due Diligence for New Suppliers

Before contracting, verify:

  • Security certifications (ISO 27001, SOC 2)
  • Security incident history
  • Security policies
  • Business continuity plan
  • Cyber liability insurance

3. Security Contractual Clauses

Include in contracts:

  • Minimum security obligations
  • Right to audit
  • Incident notification obligation
  • Continuity requirements
  • Termination clauses for non-compliance

4. Continuous Monitoring

For critical suppliers:

  • Periodic assessments (annual or more frequent)
  • Certification monitoring
  • Review of published incidents
  • Access and permission reviews
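The supplier inventory, the five assessment criteria and the periodic review above can be kept as one small, checkable registry. The following is an added example, not code from the article or from NIS2 Manager; the point weighting used to map the criteria onto Level 1/2/3 and the review cadence per level are assumptions, since the article lists the criteria but does not prescribe a scoring rule, and the suppliers are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass
class Supplier:
    """One row of the supplier registry; fields follow the article's inventory list."""
    name: str
    services: str
    system_access: bool          # criterion 1: access to your IT infrastructure
    data_access: bool            # criterion 2: processes sensitive data
    operational_dependency: str  # criterion 3: "high", "medium" or "low"
    unique: bool                 # criterion 4: no realistic alternative on the market
    incident_impact: str         # criterion 5: "high", "medium" or "low"
    last_assessment: Optional[date]  # None means never assessed

POINTS = {"high": 2, "medium": 1, "low": 0}

def classify(s: Supplier) -> int:
    """Criticality level: 1 critical, 2 important, 3 standard.
    The weighting is an assumption for this example; the article lists the
    criteria but does not prescribe how to score them."""
    score = 2 * int(s.system_access) + 2 * int(s.data_access) + int(s.unique)
    score += POINTS[s.operational_dependency] + POINTS[s.incident_impact]
    return 1 if score >= 6 else 2 if score >= 3 else 3

# Assumed cadence: annual for critical, two-yearly for important, none for standard.
REVIEW_DAYS = {1: 365, 2: 730, 3: None}

def overdue_assessments(registry: List[Supplier], as_of: date) -> List[str]:
    """Suppliers whose periodic assessment was never done or is past due."""
    late = []
    for s in registry:
        interval = REVIEW_DAYS[classify(s)]
        if interval is None:
            continue
        if s.last_assessment is None or s.last_assessment + timedelta(days=interval) < as_of:
            late.append(s.name)
    return late

# Constructed sample registry with fictional suppliers.
REGISTRY = [
    Supplier("ExampleCloud", "IaaS hosting", True, True, "high", False, "high", date(2023, 1, 10)),
    Supplier("ExampleConsult", "Consultant with VPN access", True, False, "medium", False, "medium", date(2023, 9, 1)),
    Supplier("ExampleOffice", "Cleaning services", False, False, "low", False, "low", None),
    Supplier("ExampleMSP", "Managed SOC", True, True, "high", True, "high", None),
]
AS_OF = date(2024, 6, 1)  # constructed "today" for the report
```

Calling `overdue_assessments(REGISTRY, AS_OF)` flags the critical cloud provider whose last review is older than a year and the MSP that was never assessed, while the standard-level office supplier is skipped.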

Specific Challenges

Global Suppliers

Many organizations depend on international suppliers (AWS, Microsoft, Google). For these:

  • Verify the provider's NIS2 compliance position (many large providers already publish one)
  • Analyze data processing agreements
  • Evaluate EU data residency options
  • Document due diligence performed

Small Suppliers

Smaller suppliers may not have formal certifications. In this case:

  • Request completion of a security questionnaire
  • Evaluate basic practices (backup, access, updates)
  • Consider risk and mitigate it contractually

Open Source Software

While not a traditional "supplier," open source components require attention:

  • Maintain an inventory (SBOM)
  • Monitor vulnerabilities
  • Promptly update critical components
  • Evaluate project maintenance

Required Documentation

For DNSC (Romania's National Cyber Security Directorate) and Audits:

  1. Supplier Management Policy
    • Assessment criteria
    • Approval process
    • Review frequency
  2. Critical Supplier Registry
    • Updated list
    • Risk classifications
    • Mitigation measures
  3. Assessment Records
    • Completed questionnaires
    • Verified certifications
    • Action plans
  4. Standard Contractual Clauses
    • Security annex templates
    • Data processing agreements
    • Relevant SLAs

How NIS2 Manager Helps

Supplier Management Module (In Development):

  • Centralized supplier inventory
  • Automatic criticality classification
  • Reminders for periodic assessments
  • Document and certification storage
  • Audit reports

Integration with Gap Analysis:

  • ID.SC control (Supply Chain Risk Management, as in the NIST Cybersecurity Framework)
  • Requirement implementation verification
  • Gap identification

80% of Critical Entities Are Behind

A recent study shows that 80% of companies defined as critical infrastructure under the NIS2 directive do not yet meet NIS2 risk management and compliance requirements, including those for supply chain.

This represents both a challenge and an opportunity: organizations that get their supplier management in order now will have an advantage over competitors.

Conclusion

Supply chain security doesn't mean auditing every supplier, but intelligently managing risks. Focus on critical suppliers, document processes, and include security in procurement decisions.

NIS2 doesn't require perfection, but demonstrating a mature and documented process for managing supply chain risks.

NIS2 Manager is a product by BetterQA, one of Europe's top software testing companies.
