NIS2 & Suppliers: Supply Chain Responsibility Explained

NIS2 supply chain responsibility: a game changer

The NIS2 directive introduces a fundamental shift in how organizations view their suppliers. Article 21(2)(d) explicitly requires essential and important entities to include supply chain security in their risk management measures. This means your cybersecurity doesn't stop at your own network.

For many SMEs, this is uncharted territory. While ISO 27001 already addressed supplier management via Annex A controls 5.19–5.23, NIS2 makes this a legal obligation with potential fines of up to €10 million or 2% of global turnover.

NIS2 requirements for supplier policy

NIS2 requires organizations to adopt a risk-based approach to their suppliers. This includes identifying critical suppliers: suppliers whose failure or compromise has a direct impact on your service delivery. Think of cloud providers, software vendors, managed service providers, and data centers.

You must then perform a risk assessment per supplier examining the supplier's security measures, the nature and sensitivity of shared data, the dependency on your primary processes, and the geographic and legal context of the supplier. Based on this, you set proportional requirements and document them contractually.

The three levels of supplier assessment

Level 1 — Critical suppliers: For suppliers with direct access to your systems or delivering essential services, an in-depth assessment is required. This includes requesting certifications (ISO 27001, SOC 2), reviewing their incident response plan, agreeing on notification obligations for security incidents, and securing the right to audit.

Level 2 — Important suppliers: Suppliers with access to non-public information but not directly delivering to your critical processes. A standard security questionnaire and contractual agreements on data processing and incident notification suffice.

Level 3 — Standard suppliers: Suppliers without access to sensitive systems or data. Only a minimal assessment is required, but remain aware of potential indirect risks passed along the chain.

Contractual requirements under NIS2

Existing supplier contracts must be reviewed to ensure NIS2 compliance. Essential clauses to include are a security annex with minimum technical and organizational measures, an incident notification obligation with time limits (maximum 24 hours for initial notification), the right to audit and security assessments, clauses on sub-processors and passing on security requirements, and an exit strategy for contract termination.

Practical step-by-step plan for SMEs

Start with a supplier inventory: map all suppliers with access to your data, systems, or networks. Then classify each supplier into one of three levels. Conduct risk assessments, starting with critical suppliers. Adjust contracts where needed and establish an annual review process to keep supplier assessments current.

A GRC platform can significantly simplify this process by centrally managing suppliers, assessments, contracts, and follow-up actions. The iso2700x platform offers specific supplier management modules aligned with both NIS2 and ISO 27001 requirements.

Common mistakes in supply chain security

The biggest pitfall is treating supplier management as a one-time exercise. NIS2 requires ongoing oversight. A second common mistake is setting unrealistic demands on smaller suppliers: proportionality is a core principle. A third mistake is not including sub-processors — your cloud provider may engage dozens of sub-service providers that also pose a risk.

How iso2700x helps with NIS2 supply chain

Our consultants help you set up a complete supplier management process that meets both NIS2 and ISO 27001 requirements. From risk assessments to contract templates, from supplier inventories to ongoing monitoring via our GRC platform. Contact us for a free consultation.
