What NIS2 Art. 21(2)(d) Requires in Every Supplier Contract — A Procurement Team Checklist
When the NIS2 Directive lists cybersecurity obligations, most organisations look to the CISO. Article 21(2)(d) has a different audience in mind — procurement.
Supply chain security under NIS2 is not a technical matter that can be delegated entirely to IT. Recital 85 of Directive (EU) 2022/2555 is explicit: entities must incorporate cybersecurity risk-management measures into their contractual arrangements with direct suppliers [1]. That sentence lands in procurement’s inbox, not the SOC.
Commission Implementing Regulation (EU) 2024/2690 made this concrete. It defines three layers of supply chain obligation that procurement teams own or co-own: a supply chain security policy governing supplier relationships, selection criteria applied at the tender stage, and contractual requirements embedded in every significant supplier agreement [2]. This guide walks procurement teams through all three layers — from scoring security in a tender to offboarding a supplier with certified data deletion. Every clause referenced here maps to a specific provision in the directive or implementing regulation.
What Art. 21(2)(d) Actually Requires
The Legal Foundation
Article 21(2)(d) of Directive (EU) 2022/2555 requires essential and important entities to implement cybersecurity risk-management measures covering “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers” [1]. This applies to any organisation the directive classifies as essential or important — sectors including energy, transport, banking, health, digital infrastructure, and ICT service management. If your organisation falls within scope, Art. 21(2)(d) is not optional.
Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.

Three Layers That Procurement Owns
Implementing Regulation 2024/2690 translates the directive into operational requirements. For supply chain security, it creates three procurement-relevant obligations [2]:
1. Supply chain security policy (Point 5.1.1) — A documented policy governing all supplier relationships, defining the entity’s role in the supply chain and communicating security expectations to suppliers. Procurement must produce and maintain this document.
2. Supplier selection criteria (Point 5.1.2) — Formal criteria for selecting and contracting suppliers, including assessment of their cybersecurity practices, secure development procedures, and overall quality and resilience of ICT products and services. These criteria apply at the tender stage, not just after contract award.
3. Contractual security requirements (Point 5.1.4) — Service level agreements must address incident notification obligations, audit rights, subcontractor cybersecurity standards, and asset return or destruction at termination.
The penalty exposure for failing to implement these measures is up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities [1].
Supplier Classification: Who Needs Security Clauses?
Not every supplier needs the same treatment. The key filter, identified in DLA Piper’s analysis of Art. 21(2)(d) [4], is whether the supplier provides services, has access to network or information systems, or handles data linked to the entity’s regulated functions. ICT service providers, SaaS vendors, managed service providers, and any supplier with system or data access are clearly in scope. Suppliers of physical goods or facilities with no digital connection to regulated functions are out of scope — though extending contractual protections to them is considered good practice.

Within in-scope suppliers, a risk-tiered approach [5] allows proportionate treatment:
| Tier | Characteristics | Clause Set Required |
|---|---|---|
| Critical | Direct network or system access; no alternative source; failure disrupts regulated service | Full clause set; annual audit; incident notification within 24 hours |
| Significant | Partial data access; substitutable but disruptive; ICT services without direct network access | Core clauses; third-party certification accepted; 48-hour notification |
| Standard | No system access; commodity services; easily replaced | Security attestation; basic incident notification |
Implementing Regulation Point 5.1.2 specifies the factors to use in classification: the supplier’s cybersecurity practices and secure development procedures, their ability to meet specified security requirements, and the ability to diversify supply sources [2]. Classification should be documented in the supply chain security policy and reviewed annually or after any supplier incident.
Embedding Security in the Tender Process
The gap most NIS2 procurement guides miss: security requirements must appear before the contract, in the tender itself. A supplier who cannot demonstrate baseline security practices at RFP stage is unlikely to meet contractual obligations after award.

Security Questionnaire as Tender Evaluation Criterion
Implementing Regulation Point 5.1.2 requires selection criteria that include assessment of cybersecurity practices [2]. In practice, this means adding a mandatory security questionnaire to your RFP or ITT and weighting it in the evaluation matrix. ENISA’s Good Practices for Supply Chain Cybersecurity confirms that 61% of organisations use security certifications as part of procurement screening, and 37% conduct structured due diligence assessments [3].
A minimum security questionnaire for the tender stage should cover five areas:
- Current certifications — ISO/IEC 27001, SOC 2 Type II, TISAX, or national equivalents, with scope confirmation and expiry date
- Incident history — material breaches in the last 36 months; disclosure timelines and remediation evidence
- Vulnerability management — patch cadence for critical vulnerabilities (target: within 14 days for CVSS 9.0+ CVEs)
- Subcontractor management — disclosure of all critical subcontractors with system or data access, including their security baseline
- Business continuity — tested recovery capability with documented RTO and RPO targets relevant to your service
Score each area on a 1–5 scale and make it a threshold criterion: suppliers scoring below 3 on certification or incident history do not advance to commercial evaluation, regardless of price. This approach satisfies Point 5.1.2’s requirement that cybersecurity practices form part of the supplier selection decision.
Using CRA Compliance as Supplier Security Evidence
From December 11, 2027, the Cyber Resilience Act (CRA) requires all products with digital elements sold in the EU to carry the CE Mark under that regulation, confirming they meet mandatory cybersecurity requirements by design [7]. For procurement teams evaluating software or hardware suppliers, a CRA-compliant CE Mark replaces a substantial portion of the due diligence questionnaire — the manufacturer has completed legally mandated security risk assessments and implemented secure-by-design principles before EU market entry.
Before the 2027 enforcement date, asking suppliers for their CRA readiness roadmap or whether they can produce an EU Declaration of Conformity for their products is a credible proxy for security maturity. It signals a supplier treating cybersecurity as a product requirement rather than an afterthought — exactly the “overall quality and resilience” criterion Implementing Regulation Point 5.1.2 requires you to assess.
The 5 Mandatory Contract Clauses
Implementing Regulation 2024/2690, Point 5.1.4, defines the contractual requirements that must appear in supplier service level agreements [2]. These map directly to five clause categories. For each clause type, the sections below state what the regulation requires and how to operationalise it.

Clause 1: Security Baseline Obligation
The contract must specify the cybersecurity requirements the supplier must meet. Reference a recognised framework — ISO/IEC 27001, CRA alignment, or NIST CSF — rather than writing custom controls. Include a change-management obligation: the supplier must notify the entity of any material change to their security programme that would weaken the agreed baseline. This obligation follows from Point 5.1.4’s requirement for “specific cybersecurity requirements aligned with acquisition standards” [2].
For a practical mapping of NIS2 supply chain security obligations to policy and contract language, including Article 21(2)(d) control mapping across all supplier tiers, see our dedicated guide.
Clause 2: Incident Notification
Point 5.1.4 requires the “obligation on suppliers and service providers to notify, without undue delay, the relevant entities of incidents” [2]. The notification window must accommodate the entity’s own 72-hour reporting obligation to national CSIRTs under Article 23 of the directive [1].
For Critical-tier suppliers: require notification within 24 hours of a significant incident affecting services, including suspected cause, systems affected, and potential cross-border impact. For Significant-tier: 48 hours. Include a 30-day final report obligation mirroring the entity’s own regulatory timeline [6]. Define what constitutes a significant incident for supplier purposes: service degradation exceeding agreed SLA thresholds, confirmed data exfiltration, or unauthorised access to entity systems or data.
Clause 3: Right-to-Audit
The implementing regulation requires “right to audit or receive audit reports” [2]. Structure this in two tiers to avoid operational friction while preserving compliance coverage:
- Annual scheduled audit: the entity may conduct or commission a security audit annually. ISO/IEC 27001, SOC 2 Type II, TISAX, or CSA STAR Level 2 certifications from accredited third parties substitute for on-site visits — unless the certification scope does not cover the services provided, or a security incident has occurred within the prior 12 months [6].
- Unscheduled audit trigger: the entity may initiate an unscheduled audit within 30 days of any significant incident at the supplier, material change to the supplier’s systems, or regulatory inquiry. The supplier must provide evidence packs within 10 business days of the request.
Include language requiring the supplier to impose equivalent audit obligations on critical subcontractors. A supplier who accepts audit rights for themselves but shields subcontractors has created a compliance gap that regulators will identify.
Clause 4: Subcontractor Transparency and Flow-Down
The implementing regulation calls for requirements “regarding subcontracting and subcontractor cybersecurity standards” [2]. Three obligations belong in your contract:
- Disclosure obligation: the supplier must disclose all critical subcontractors — those with system or data access — on request, including their role and current security baseline status
- Prior consent: the supplier must obtain the entity’s written consent before adding, replacing, or removing a critical subcontractor. Require 30-day advance notice minimum [6]
- Flow-down requirement: all security obligations in the prime contract must extend, by clause or equivalent, to all critical subcontractors
Require the supplier to notify the entity of any change of control within 30 days, with termination rights if the new owner’s risk profile is incompatible with the entity’s security posture [6]. Ownership changes are a frequent source of undetected risk escalation in supply chains.
Clause 5: Data Handling, Access Control, and Termination
The implementing regulation requires “return or destruction of assets upon contract termination” [2]. This clause covers two distinct obligations that must be explicit in the contract, not assumed.
Access revocation: all access credentials, sessions, and permissions granted to supplier personnel must be revoked at contract termination or on any individual personnel change. The standard for privileged access is immediate revocation; standard user access within 24 hours. Include an obligation to provide a formal access revocation log as part of offboarding documentation. For a detailed breakdown of NIS2 access control requirements, including joiner-mover-leaver processes applicable to supplier personnel management, see the dedicated guide.
Data return and deletion: within 30 days of termination, the supplier must return all entity data in a documented, machine-readable format and provide written certification of secure deletion from all supplier systems and subcontractor systems [6]. Include a carve-out for data the supplier is legally required to retain, with explicit access limitations and an end-of-life deletion schedule. Require 30–90 days of continuity assistance post-termination to support service migration without disruption.
Role-Responsibility Table
| Clause | Procurement | CISO / IT Security | Legal |
|---|---|---|---|
| Security baseline | Defines supplier tier; embeds framework reference in contract schedule | Specifies required technical controls and acceptable frameworks | Reviews clause enforceability under governing law |
| Incident notification | Manages supplier relationship; receives and escalates notifications | Assesses impact; coordinates with CSIRT reporting | Confirms regulatory deadlines are reflected in clause language |
| Right-to-audit | Schedules annual review; manages evidence requests | Conducts or commissions audit; reviews reports and certifications | Holds audit rights clause; defines refusal remedies |
| Subcontractor flow-down | Consent process owner; tracks changes and notifications | Reviews subcontractor risk classification and security baseline | Drafts flow-down clause language and termination triggers |
| Data / access | Manages offboarding timeline; confirms completion | Verifies access revocation; tests that credentials are deactivated | Confirms deletion certificate validity and legal carve-outs |
Supplier Monitoring Lifecycle
A signed SLA with all five clause types is a necessary condition for NIS2 compliance, not a sufficient one. Implementing Regulation Point 5.1.4 requires risk-based monitoring proportionate to supplier criticality [2]. The monitoring lifecycle runs from onboarding through to offboarding.
Onboarding
Before service commencement, collect the supplier’s security evidence pack: current certification with scope and expiry date, latest penetration test summary if available, named security contact and incident escalation contact, and completed subcontractor disclosure form. Log everything in the supply chain security register referenced in your Point 5.1.1 policy.
Ongoing Monitoring
For Critical-tier suppliers: annual security review covering certification validity, incident history since last review, and confirmation that the security baseline has not materially changed. For Significant-tier: biennial review, plus a triggered review if any significant incident occurs at the supplier. ENISA’s Good Practices methodology specifically recommends periodic compliance reviews and control testing as part of a structured supplier lifecycle [3].
Incident-Triggered Reviews
Any significant incident at the supplier — regardless of whether it directly affected the entity — triggers an unscheduled review within 30 days. The trigger list should include: confirmed breach at the supplier, a CVE rated CVSS 9.0 or above in software the supplier provides, regulatory enforcement action against the supplier, or public disclosure of a supplier security failure. Waiting for the supplier to self-report before initiating a review is insufficient.
Offboarding Checklist
Offboarding is where many organisations fail their Art. 21(2)(d) obligations in practice. A complete offboarding requires:
- Immediate revocation of all privileged access credentials
- Standard user access revocation within 24 hours
- Recovery of all entity-issued assets: hardware tokens, managed laptops, VPN certificates
- Data return in agreed machine-readable format within 30 days
- Written deletion certificate within 30 days of confirmed data return
- Confirmation that critical subcontractor access has been similarly revoked, with evidence
- Continuity assistance period agreed, tracked, and logged in the supply chain register
Gap Analysis: Current Practice vs. NIS2 Required
| Practice Area | Typical Current State | NIS2 Required State | Effort to Close |
|---|---|---|---|
| Supply chain policy | Informal or no documented policy | Written policy; communicated to all in-scope suppliers | Low — 2–3 weeks to draft |
| Supplier classification | All suppliers treated the same | Risk-tiered: Critical, Significant, Standard with documented criteria | Medium — supplier inventory and scoring exercise required |
| Security in tenders | Price and capability only; security not scored | Security questionnaire weighted in evaluation matrix; threshold criterion | Medium — questionnaire template development and procurement training |
| Contract clauses | Generic IT terms; no NIS2-specific obligations | 5-clause set: baseline, notification, audit, flow-down, data and access | High — legal review required; retroactive addenda for existing contracts |
| Audit cadence | On-request or post-incident only | Annual scheduled review plus incident- and change-triggered reviews | Medium — calendar, certification process, and evidence management |
| Offboarding protocol | Manual and undocumented; ad hoc | Structured checklist with access revocation log and deletion certificate | Low — process documentation and checklist only |
Frequently Asked Questions
Does Art. 21(2)(d) apply to all suppliers, or just ICT vendors?
NIS2 focuses on direct suppliers and service providers whose services or products connect to the entity’s network and information systems. ICT service providers, SaaS vendors, managed service providers, and any supplier with system or data access are clearly in scope [4]. Suppliers of physical goods or facilities with no digital connection to regulated functions are out of scope, though DLA Piper notes that extending contractual protections to them is considered good practice.

What if a supplier refuses to accept security clauses?
This is a risk decision, not a negotiation shortcut. If the supplier is Critical-tier, refusal to accept audit rights or incident notification obligations creates material compliance exposure for the entity — document the refusal, escalate to CISO and Legal, and formally assess whether the relationship can continue. If the supplier is Standard-tier and the only viable source, document the residual risk in the supply chain security register, implement compensating controls on the entity side, and flag for review at the next annual policy cycle.
Can ISO 27001 certification replace an on-site audit?
Yes, with conditions. The certification must be current (issued within 12 months), cover the specific services the supplier provides, and be issued by an accredited certification body [6]. If a security incident has occurred within the prior 12 months, on-site audit rights supersede certification substitutes regardless of scope. SOC 2 Type II, TISAX, and CSA STAR Level 2 are similarly acceptable under the implementing regulation’s audit evidence framework.
What are the penalties for failing to implement supply chain security?
Essential entities face fines of up to €10 million or 2% of total global annual turnover, whichever is higher. Important entities face up to €7 million or 1.4% of turnover [1]. National supervisory authorities may also impose temporary suspension of services. Under Article 20 of the directive, management boards are held directly accountable for NIS2 compliance — supply chain security obligations are not delegable to a supplier or a single department without board-level oversight.
Getting Your Supplier Contracts Audit-Ready
Article 21(2)(d) makes procurement the compliance gateway for supply chain security. The obligation runs from tender (security questionnaire as a scored evaluation criterion), through contract (the five mandatory clause types), to termination (access revocation and certified deletion). A CISO who signs off on supply chain policy without procurement embedding it in contracts and tenders has created a paper compliance exercise that will not survive a supervisory audit.
The practical starting point: classify your Critical-tier suppliers this month, audit existing contracts for the five clause types, and schedule updates at the next renewal cycle. For legacy contracts not due for renewal, issue a security addendum now. For new tenders, add the security questionnaire as a threshold evaluation criterion from the next RFP onwards — it costs nothing at the tender stage and avoids the much higher cost of retroactive contract renegotiation.
The Supply Chain Declaration Pack provides NIS2-mapped templates for each element covered in this guide — supply chain security policy, supplier security questionnaire, contract clause schedules, and offboarding certification forms — ready for immediate procurement team use.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
[1] NIS2 Directive (EU) 2022/2555 — EUR-Lex: full directive text including Article 21(2)(d), Recital 85, and Article 23 incident reporting obligations
[2] Commission Implementing Regulation (EU) 2024/2690 — EUR-Lex: technical and methodological requirements for supply chain security, Points 5.1.1–5.1.4
[3] Good Practices for Supply Chain Cybersecurity — ENISA: supplier lifecycle methodology, screening statistics, and security questionnaire framework
[4] NIS2 Directive Explained: Part 3 — Supply Chain Security — DLA Piper (December 2025): supplier classification and in-scope determination
[5] Do All Supplier Contracts Need NIS 2 Security Clauses? — ISMS.online: tiered classification and notification window analysis
[6] NIS2 Supply Chain Security: 5 Clauses to Require from Your Suppliers — nis2insights.com: clause-level implementation guidance including certification substitutes and termination requirements
[7] Understanding the Relationship Between NIS2 and the EU Cyber Resilience Act — Hyperproof: CRA applicability timeline and CE Mark procurement significance