
NIS2 Article 21(2)(d) Is Changing Your B2B Contracts: A Supplier’s Guide to New Security Requirements

Your EU customer just sent a security addendum and a 30-question cybersecurity questionnaire. You sell them logistics software, steel brackets, or managed IT support — and suddenly someone is asking whether you have ISO 27001 certification and a 24-hour incident notification procedure.

Before you panic or ignore the email, the most important thing to understand is the distinction between two entirely different types of obligation: the direct legal requirement that NIS2 imposes on regulated entities, and the contractual requirement those entities are now legally required to pass down to you. Only one of these is a matter of EU law. The other is a matter of your customer relationship — which may matter just as much to your business.

This guide explains the difference, tells you exactly what your customers will ask you to sign and prove, and shows why getting ahead of these demands is one of the better B2B sales moves available to European suppliers right now.

Does NIS2 Directly Apply to Your Organisation? (A Two-Minute Check)

NIS2 directly regulates organisations that meet both a sector test and a size test. Sector is defined by Annex I and Annex II of the directive. Annex I lists the “sectors of high criticality”: energy, transport, banking, financial market infrastructure, health (including manufacturers of basic pharmaceutical products), drinking water, wastewater, digital infrastructure (including cloud, data centre, CDN, DNS and public electronic communications providers), ICT service management (business-to-business managed service and managed security service providers), public administration, and space. Annex II lists the “other critical sectors”: postal and courier, waste management, chemicals, food, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, online search engines, social networking platforms), and research organisations. Note that “essential” and “important” are categories of entity, not labels for the two annexes: an Annex I sector can contain both.

Size thresholds run alongside sector classification. An organisation in an Annex I or Annex II sector is in scope if it is at least medium-sized under the EU SME definition: 50 or more employees, or annual turnover or balance sheet total above €10 million. Large enterprises in Annex I sectors (250 or more employees, or turnover above €50 million, or balance sheet total above €43 million) are essential entities; the remaining in-scope organisations are important entities. Organisations below the medium-size threshold are generally out of direct scope, with the exceptions in Article 2(2): certain provider types that are in scope regardless of size (see below), sole providers of a service essential to societal or economic activity in a Member State, and a few other narrow cases.

The practical result: if you supply precision machined parts, financial accounting software, recruitment services, security guarding, or most categories of business services to an NIS2-regulated company, you are probably not directly regulated by NIS2 yourself — even if your customer absolutely is. The directive does not extend the legal obligation horizontally across supply chains by default.

There is one important carve-out, and it is narrower than many summaries suggest. Under Article 2(2)(a) of the directive, DNS service providers, TLD name registries, domain name registration service providers, trust service providers, and providers of public electronic communications networks or services are in scope regardless of size; Article 3(1) further classifies qualified trust service providers, TLD name registries and DNS service providers as essential entities regardless of size. Cloud computing providers, data centre operators, content delivery network providers, managed service providers and managed security service providers remain subject to the ordinary size thresholds. What is specific to them is that, once in scope, the detailed technical and methodological requirements and the significant-incident criteria of Commission Implementing Regulation (EU) 2024/2690 (CIR 2024/2690) apply to them directly, rather than the more general national transposition rules. If your business falls into any of these categories and you serve the EU market, check your scope carefully: the full NIS2 risk management requirements may apply to you directly and not only through your customers’ contracts.

For everyone else: NIS2 does not regulate you directly. What it does do is make your customer legally responsible for your security posture — which is where the contractual cascade begins.

The Article 21(2)(d) Cascade: What Your Customer Is Legally Required to Demand from You

Article 21(2)(d) of Directive (EU) 2022/2555 requires every essential and important entity to implement “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” Article 21(3) then specifies how that measure is to be scoped: entities must take into account “the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.”

This obligation is not a best-practice recommendation. It is a legal requirement backed by administrative fines of up to €10 million or 2 percent of total worldwide annual turnover, whichever is higher, for essential entities, and €7 million or 1.4 percent, whichever is higher, for important entities. Article 20 also requires management bodies to approve and oversee the risk management measures and allows them to be held liable for infringements. When your customer fails to assess and manage supply chain risk, they expose their management to that liability. That makes your security posture their regulatory problem.

The Annex to CIR 2024/2690 (point 5, supply chain security) adds operational specificity for the entities that regulation covers: they must establish and apply a supply chain security policy with criteria for selecting and contracting suppliers, take suppliers’ cybersecurity practices into account during that selection, ensure contracted suppliers meet the required standards, monitor their compliance over time, and maintain a directory of direct suppliers and service providers. ENISA’s technical implementation guidance for that regulation goes further, recommending that minimum security requirements be communicated directly to suppliers and embedded in procurement policies before a contract is signed.

The cascade is not indiscriminate. Your customer is required to apply these measures to suppliers whose failure could disrupt the availability, integrity, authenticity, or confidentiality of their regulated services. In practice, this means you are in scope if you process or host data that, if compromised, would trigger your customer’s significant-incident reporting obligation — or if you hold privileged access to their systems. Facility management contractors, off-site catering, or non-critical consumable suppliers are generally not in scope, though customers are increasingly applying simplified due diligence even to those relationships.

The DLA Piper analysis of NIS2 Part 3 highlights one consequence customers are learning the hard way: where a major ICT vendor refuses to accept NIS2-aligned contractual terms because of their market leverage, the entity must find alternative risk mitigations — additional audits, insurance, or termination planning. The commercial pressure this creates is being felt upstream.

For a deeper look at how NIS2 entities are implementing supply chain security programs, including supplier classification tiers and monitoring cadences, the supply chain security guide covers the full implementation picture from the entity side.

The 5 Contractual Clauses Your Customer Will Ask You to Sign

NIS2 does not prescribe contract wording, but the only practical way for a regulated entity to demonstrate that supplier risk is managed is to embed specific security obligations in supplier contracts. The five clauses appearing in NIS2-aligned supplier addenda across multiple sectors are consistent enough that you can prepare for them before they arrive.

Security baseline alignment. You commit to maintaining a minimum cybersecurity posture throughout the contract term. The most commonly accepted evidence is a current ISO/IEC 27001 certificate with statement of applicability, though alternatives including SOC 2 Type II (for cloud/software providers), TISAX (automotive), and CSA STAR Level 2 (cloud) are also accepted. The clause includes a material change notification requirement: if your security posture weakens significantly — loss of certification, major infrastructure change, key personnel departure — you must notify the customer in writing promptly rather than waiting for the next annual review.

Incident notification. You commit to notifying the customer within 24 hours of discovering a significant incident affecting the services you provide them, regardless of whether you have confirmed the cause. Updates must follow at an agreed cadence (often every 24 hours) during active incidents, and a final resolution report is expected within one month. This timeline is not arbitrary: under NIS2 Article 23 your customer must send an early warning to its CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. A clause that gives you 24 hours leaves your customer almost no margin on its own 24-hour clock, which is why many addenda ask for notification “without undue delay and in any case within 24 hours” and expect the initial notice to say what you know, not what you have confirmed. Your clock and their clock are linked.

Subprocessor transparency and change control. You agree to disclose critical subcontractors involved in delivering the contracted services, obtain your customer’s written approval before adding, replacing, or removing any critical subcontractor, and notify within 30 days of any ownership change (acquisition, merger, private equity transaction) that could affect your security posture or data location. Customers retain termination rights if a change-of-control creates an incompatible risk profile.

Audit rights. The customer retains the right to audit your security controls at least annually and at any point following a significant incident. On-site audits are resource-intensive for both parties, so most addenda explicitly accept a current ISO/IEC 27001 certificate together with its Statement of Applicability, a SOC 2 Type II report shared under NDA, or an equivalent third-party assessment as satisfactory audit evidence. Maintaining live certification does not remove the audit right, but it turns most audit requests into a document exchange rather than a site visit.

Termination assistance, data return, and secure deletion. On contract termination, you provide continuity support for a defined period (typically 30 to 90 days), return all customer data in a machine-readable format on an agreed timeline, and provide certified evidence of secure deletion within 30 days — with a carve-out for backups required under applicable law. This clause has become standard because NIS2 entities are required to demonstrate they can exit supplier relationships without creating residual security risk.

Expect these clauses as a package, usually in a supplier security addendum attached to the main commercial agreement. Larger enterprises have standard-form addenda; negotiating the substance is increasingly difficult if you are not a large vendor with corresponding leverage. The practical question is not whether to accept the clauses but how quickly you can demonstrate that you already meet the underlying requirements.

How to Respond to a NIS2 Security Questionnaire as a Supplier

Most entities will send a security questionnaire before or alongside the contract addendum. The questionnaire is the risk assessment tool your customer is legally required to run — it determines your criticality tier and informs which contractual clauses apply at what stringency.

Seven questions appear in almost every NIS2 supplier questionnaire. Here is what each is assessing and what a credible response looks like.

Do you have a formal cybersecurity risk management program with executive oversight? This assesses governance maturity and leadership accountability. A credible response names the person responsible for security (CISO, IT director, or owner-level equivalent), states that a written security policy exists, and confirms executive-level reporting cadence. A two-sentence answer that names a real person and a real process scores far better than a generic “yes, we take security seriously.”

Which cybersecurity standards or certifications do you adhere to? ISO/IEC 27001 is the EU standard of choice: Article 25 of the directive directs Member States to encourage the use of European and international standards for implementing the Article 21 measures, and European enterprise buyers recognise ISO 27001 far more readily than SOC 2. If you are not certified, name the controls framework you follow (ISO 27001 as a guide without formal certification, CIS Controls, or equivalent) and commit to a certification timeline if asked.

Do you conduct regular security risk assessments and penetration testing? Annual external penetration testing and quarterly vulnerability scanning is the expected baseline. Share a redacted executive summary from your most recent test — methodology, scope, critical finding count, and remediation status. Customers are not expecting a perfect record; they are expecting evidence that you find and fix vulnerabilities systematically.

How do you manage software updates and patch known vulnerabilities? Define your patch cadence in hours or days per severity tier, not “as soon as practicable.” Critical CVEs patched within 24 to 72 hours of detection is the standard against which most customers assess this, with longer windows for high and medium findings. Document the process in writing, note whether patching is automated or manual, and keep a tracked exception register for anything that cannot be patched within the window (a legacy system awaiting replacement, for example), with the compensating control and the review date recorded against each exception.

What is your incident response plan, and how quickly will you notify us? Commit to a named incident lead available 24/7, a written incident response plan, and a customer notification commitment of 24 hours for incidents affecting the contracted service. Customers need this to be a written commitment in the questionnaire response, not just a verbal assurance, because they will copy it into their supplier risk file as audit evidence.

Do you rely on subcontractors, and how do you ensure they are secure? Disclose any critical subcontractors involved in delivering the specific services. State what security requirements you impose on them contractually and whether they hold relevant certifications. Customers are increasingly required to assess fourth-party risk — their auditors may ask your customer for this information, so they will ask you for it first.

Will you agree to contractual terms enforcing NIS2 compliance? The answer is yes, with a review timeline. Stating that you will agree but need five business days to review addendum language with your legal team is a professional response. Refusing entirely is increasingly treated as disqualifying in enterprise procurement, particularly in banking, energy, and health sectors where NIS2 supervision is most active.

The single most effective operational change you can make today is assembling a supplier security evidence pack: a single folder containing your security policy, ISO 27001 certificate or equivalent, your latest penetration test executive summary, and your incident notification contact details. With this pack ready, you can respond to most NIS2 questionnaires in under a day rather than scrambling for documentation under deadline pressure.

Proactive NIS2 Readiness as a Procurement Differentiator

Most suppliers treat NIS2 demands reactively — responding to each questionnaire as it arrives, negotiating each addendum separately, and viewing the whole process as administrative overhead. The suppliers gaining commercial ground are treating it differently.

The automotive sector provides the clearest early evidence. As OEMs implemented NIS2-aligned supply chain security programs in 2025, they required cybersecurity questionnaires and security clause acceptance during vendor onboarding. Suppliers who had invested in ISO/IEC 27001 alignment in advance shortened procurement cycles and won preferred-vendor status over competitors who were still assembling documentation under deadline. Those who could not demonstrate adequate security posture in a reasonable timeframe were progressively removed from approved vendor lists.

The same dynamic is now developing in banking, health, and digital infrastructure supply chains. The NIS2 transposition deadline passed in October 2024, and national competent authorities across major EU economies are actively supervising essential entities. Supervision creates urgency in supply chain programs, which creates urgency in supplier qualification.

Five actions close the gap between reactive and proactive positioning. First, pursue or align to ISO/IEC 27001 — the single credential that satisfies audit rights clauses, answers the certification question on every questionnaire, and provides a documented control framework for every other NIS2-adjacent requirement. For an SME, certification costs typically run €15,000 to €50,000 all-in. The alternative is losing one major regulated customer contract worth multiples of that figure annually. Second, appoint a named security lead with a line to executive management — even a part-time appointment signals governance maturity to procurement teams. Third, run annual penetration tests and maintain a vulnerability remediation log that you can share on request. Fourth, build and maintain your security evidence pack so questionnaire responses take hours, not weeks. Fifth, propose a security addendum to key regulated customers before they ask — the conversation positions you as a compliance-aware partner rather than a risk to be managed.

One further dimension merits attention. NIS2 makes senior management personally accountable for cybersecurity governance failures, including failures in third-party oversight. In serious cases involving essential entities, competent authorities can temporarily prohibit individuals with chief executive or legal representative responsibilities from exercising managerial functions (Article 32(5)). Your customer’s board is acutely aware of this exposure. Suppliers who reduce that exposure by demonstrating robust, documented security practices are removing a personal liability concern for the executives who ultimately approve procurement decisions. That is a meaningfully different value proposition than “we take security seriously.”

For context on the full scope of what NIS2 requires from regulated entities — including the 10 risk management measures your customers are implementing — the complete guide covers the directive in detail.

Action by Role: Where to Start

Your Role                                    Most Relevant Action
SME owner receiving first NIS2 demand        Read the scope and cascade sections above; assemble your security evidence pack before responding
Procurement or legal team reviewing addendum Review the 5 Clauses section; flag the incident notification timeline and audit rights provisions for legal review
IT or security manager                       Use the questionnaire response section as a gap analysis; prioritise pen testing and patch cadence documentation
Sales or business development                Read the procurement differentiator section; propose a security addendum proactively to key regulated prospects

Frequently Asked Questions

Can my customer require me to get ISO 27001 certified?
A contract clause can require that you meet minimum security standards and accept ISO 27001 as the evidence standard. Certification cannot be legally mandated outside of a contract, but refusal to accept security clauses is increasingly treated as grounds for contract termination or non-renewal in regulated sectors. Most customers accept alternative evidence (SOC 2 Type II, TISAX, CSA STAR Level 2) where ISO 27001 is not appropriate to your business type.

If I refuse to sign the security addendum, can my customer terminate?
Yes. Standard NIS2 supply chain addenda include termination rights for non-compliance with contractual security obligations. NIS2-regulated entities must be able to show their supervisory authority that supplier risk is assessed and managed; a supplier who refuses to sign creates a gap in that evidence which the entity must resolve, typically by finding an alternative supplier.

Does this apply to non-EU suppliers?
If you supply to an EU-based entity subject to NIS2, that entity’s Article 21(2)(d) obligation applies to the supply relationship regardless of your location. The contractual cascade is not geographically limited to EU-based vendors. Non-EU suppliers in ICT, cloud, and professional services are routinely receiving NIS2-aligned security addenda from European customers.

How quickly will I start seeing these demands?
The NIS2 transposition deadline was October 17, 2024. National competent authorities in banking, energy, and health sectors across the largest EU member states are actively supervising essential entities’ supply chain programs. Most B2B suppliers to these sectors are encountering first questionnaires in 2025–2026, with contract renegotiation requests following within one to two quarters.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. Directive (EU) 2022/2555 (NIS2 Directive) — EUR-Lex
  2. NIS2 Supply Chain Security: What the Directive Requires — CyberTrust365
  3. NIS2 Supply Chain Security: 5 Clauses to Require from Your Suppliers — NIS2 Insights
  4. 7 Questions to Ask Suppliers for NIS2 Compliance — 3rdRisk
  5. NIS2 Technical Implementation Guidance — ENISA (June 2025)
