How to Classify Suppliers Under NIS2: Tier 1 Gets Full Audits, Tier 4 Gets Standard Clauses
Most organisations in scope of NIS2 face the same challenge: they know they need to manage supplier security, but they apply the same level of scrutiny to every vendor in their supply chain. That creates two problems at once — critical vendors receive insufficient oversight while low-risk vendors consume security team time for no measurable benefit.
Commission Implementing Regulation (EU) 2024/2690 — the CIR — addresses this directly. Annex 5 requires entities to establish a supply chain security policy that accounts for supplier roles and cybersecurity practices, with proportionate requirements. ‘Proportionate’ is the operative word: the regulation does not mandate a full security audit for your stationery supplier.
This guide gives procurement and risk teams a practical 4-tier classification framework grounded in CIR Annex 5. Tier 1 suppliers with direct access to your critical systems get the full treatment — security questionnaires, right-to-audit clauses, and annual reviews. Tier 4 suppliers with no material system access get standard contract clauses, nothing more. Read this alongside our NIS2 supply chain security overview for the broader regulatory context.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Why NIS2 Requires Proportional Supplier Security — Not Equal Security
Article 21(2)(d) of Directive (EU) 2022/2555 requires essential and important entities to implement measures addressing “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” The word direct matters: NIS2 focuses primarily on your immediate supply relationships, though the non-binding recitals recommend assessing sub-supplier risks for high-criticality relationships.
CIR Annex 5.1.3 adds a further obligation: where the European Commission has conducted a coordinated security risk assessment of a critical supply chain under Article 22(1) of the Directive, entities must factor those findings into their supply chain policy. This means your classification methodology cannot ignore sector-wide threat intelligence — if an ENISA coordinated assessment flags managed service providers as elevated risk in your sector, that must be reflected in how you classify your MSPs.
The CIR specifies that supplier contracts must address cybersecurity requirements, incident notification duties, audit rights, and vulnerability handling. But applying all of those elements uniformly across every vendor in your register is neither proportionate nor operationally sustainable. A mid-sized essential entity typically manages 150 to 300 suppliers. Full technical audits across all of them annually would consume more resources than the security risk justifies — and would still leave your highest-risk vendors without the depth of assessment they warrant.
Proportionality applied through formal tier classification is how the regulation expects these requirements to work in practice. Your supply chain security policy must document the classification methodology — not just the outcomes — to demonstrate to auditors that classification is reasoned and repeatable, not ad hoc. For the full scope of what NIS2 mandates across all ten security measures, see our NIS2 requirements guide.
The 4-Tier NIS2 Supplier Classification Framework
The framework divides your supply base into four tiers based on the security risk each supplier represents to your network and information systems:

- Tier 1 — Critical: Direct access to NIS2-regulated systems, production environments, or security infrastructure. Compromise at this tier directly threatens essential service delivery.
- Tier 2 — Important: No direct system access, but significant indirect impact on availability, data integrity, or confidentiality. Failure or compromise causes material operational disruption.
- Tier 3 — Standard: Limited engagement with your operations — no system access, no direct data processing, but failure creates partial disruption or a potential physical pathway risk.
- Tier 4 — Low: No material access to systems, networks, or sensitive data. Failure creates administrative inconvenience at most.
The critical distinction between Tier 1 and Tier 2 is direct system access. A cloud provider with administrative access to your production environment is Tier 1. A market data provider whose feed interruption slows your reporting — but cannot reach your systems — is Tier 2. Most organisations initially over-classify Tier 2 suppliers as Tier 1, which inflates audit workload and dilutes focus on genuinely critical relationships. The scoring matrix in the next section prevents this drift.
How to Score and Assign Suppliers to Tiers
Subjective classification creates inconsistency and audit risk — two team members scoring the same supplier without a structured method will frequently reach different conclusions. Use this four-dimension matrix to assign each supplier objectively. Score each dimension 1–3, sum for a total between 4 and 12, then assign the tier.

| Dimension | Score 1 | Score 2 | Score 3 |
|---|---|---|---|
| System access | No access to your networks or data systems | Indirect or limited access (read-only portals, non-critical environments) | Direct access to production systems, security infrastructure, or privileged accounts |
| Data sensitivity | No access to confidential or personal data | Access to non-critical business data | Access to confidential, personal, or classified operational data |
| Availability impact | Failure has no operational impact | Failure causes minor or quickly recoverable disruption | Failure directly disrupts provision of essential or important services |
| Replaceability | Can be replaced within days at minimal cost | Moderate switching cost; 30–90 day replacement cycle | Sole-source or strategic; replacement requires months or service interruption |
Tier assignment by total score: 10–12 = Tier 1 Critical; 7–9 = Tier 2 Important; 5–6 = Tier 3 Standard; 4 = Tier 4 Low.
Practical examples: A SaaS identity management vendor scores 3+3+3+3 = 12 → Tier 1. An ERP vendor with business data access but no privileged accounts scores 2+3+2+3 = 10 → Tier 1. A translation agency with marketing copy access scores 1+1+1+2 = 5 → Tier 3. An office supplies company scores 1+1+1+1 = 4 → Tier 4.
Document the score for each supplier with rationale notes. The scoring record is audit evidence that your classification methodology is reasoned and repeatable, not retrospectively assigned. When a reclassification occurs, retain the previous scores and the trigger for the change — this change history is precisely what NIS2 auditors look for in a mature supplier governance programme.
Tier 1 — Critical Suppliers: Full Security Programme
Tier 1 suppliers have direct access to your NIS2-regulated systems, security infrastructure, or production data. Common examples include cloud service providers with administrative access, managed security service providers (MSSPs), network equipment suppliers with remote maintenance access, identity and access management platform vendors, and payment processing infrastructure providers in the financial sector.

Before onboarding a Tier 1 supplier:
- Comprehensive security questionnaire covering governance, access controls, patch management, incident response, and subcontracting practices
- Review of current certifications: ISO 27001, SOC 2 Type II, or a sector-equivalent standard — the certificate scope must cover the specific services being procured
- Contractual right-to-audit clause enabling your organisation to conduct or commission an independent technical audit at reasonable notice
- Background verification obligations for supplier personnel with access to your systems — explicitly required by CIR Annex 5.1.4
- Incident notification requirement: the supplier notifies you without delay, with significant incidents reported within 24 hours — mirroring NIS2’s own reporting timelines under Article 23
- Documented approval process for subcontracting, requiring equivalent security standards for any sub-processors handling your data or systems
During the Tier 1 relationship:
- Annual security review — formal reassessment using the original questionnaire, with documented review of any scope or infrastructure changes since the previous cycle
- Ongoing monitoring using security ratings platforms or third-party assessment evidence as interim assurance between annual reviews
- Designated security contact at the supplier with a defined escalation path to your incident response team
- Right to conduct unannounced audits following significant security events — include this explicitly in the contract, not as a general audit right clause that the supplier can interpret as requiring advance notice
These requirements map directly to CIR Annex 5.1.4, which specifies that contracts must address incident notification without delay, audit rights, vulnerability handling protocols, and subcontracting requirements with equivalent security standards. The annual review cycle connects to CIR 5.1.6, which requires periodic review of supplier cybersecurity practices.
Tier 2 — Important Suppliers: Enhanced Controls
Tier 2 suppliers lack direct system access but would cause significant operational disruption or data exposure if compromised. Examples include ERP software vendors with access to operational data but no privileged accounts, telecoms providers creating availability dependency, business intelligence platforms handling operational data, physical security system vendors, and data centre colocation providers with facility access but no network access.
Before onboarding a Tier 2 supplier:
- Simplified security questionnaire — scoped to the specific service rather than a full programme review
- Certification evidence required: ISO 27001 or SOC 2 Type II preferred; self-attestation with supporting evidence acceptable for lower-risk sub-categories within Tier 2
- Standard NIS2 contractual clauses covering cybersecurity requirements, incident notification, and an audit right (exercised annually or upon suspicion of a breach event)
During the Tier 2 relationship:
- 18-month security review cycle — compared to annual for Tier 1
- Certification validity confirmation at each review cycle
- Incident notification clause active: the supplier reports security incidents affecting your service within 72 hours
NIS2 audit practice analysis confirms that auditors distinguish critical from important suppliers primarily by review cycle length — annual versus 18-month — and by the depth of pre-engagement assessment. A well-maintained Tier 2 register demonstrates deliberate, proportionate oversight rather than deprioritised vendors. Any Tier 2 supplier that expands its service scope to include direct system access must be rescored and reclassified to Tier 1 immediately — do not wait for the next scheduled review cycle.
Tier 3 — Standard Suppliers: Baseline Compliance
Tier 3 suppliers interact with your organisation in ways that create limited but real engagement. They have no system access, but failure or compromise could create an indirect pathway or partial data exposure. Examples include facility management and maintenance contractors with physical access to server rooms, training providers delivering non-ICT content, marketing agencies handling customer communications data, non-critical software vendors, and logistics providers for physical goods.
Before onboarding a Tier 3 supplier:
- Standard supplier due diligence at onboarding; existing certifications reviewed if available but not mandatory for classification
- NIS2-aligned contract clauses covering: cybersecurity standards appropriate to the service scope, incident reporting for any event that could affect your organisation, and restrictions on unvetted subcontracting where your data is involved
During the Tier 3 relationship:
- Review at contract renewal — no separate periodic security review required between renewals
- Incident notification clause active: the supplier reports events that could materially affect your operations
The key distinction from Tier 4 is potential pathway risk. A facility management contractor with physical access to a server room is not a cybersecurity threat in the same way as a cloud provider — but an attacker with patience could exploit that physical relationship. The NIS2-aligned contract clause is substantive even if the assessment depth is minimal. Document in your supplier register why each Tier 3 supplier was not classified as Tier 2 — this rationale protects against audit challenge if the classification is later questioned.
Tier 4 — Low-Impact Suppliers: Contract Clauses Only
Tier 4 suppliers have no material access to your network and information systems, handle no confidential data, and present no credible pathway to your regulated systems. Typical examples include office supplies vendors, corporate event organisers, insurance providers without system integration, catering suppliers, and professional services firms with no technical engagement with your infrastructure.
Before onboarding a Tier 4 supplier:
- Standard commercial contract clauses only
- No dedicated security questionnaire required
- No certification evidence required
During the Tier 4 relationship:
- No active security monitoring or separate security review
- Standard contract management applies
CIR Annex 5.1.1 requires a supply chain security policy governing relationships with direct suppliers — which means your policy must explicitly address Tier 4 suppliers, not simply omit them. The policy should state that Tier 4 vendors are managed through standard commercial terms and document why that classification is proportionate to the risk they present. An auditor finding a policy silent on low-impact suppliers may flag it as an incomplete risk management framework — even when the practical risk is genuinely minimal. The explicit proportionality rationale is the compliance record, not the absence of controls.
Mapping CIR Annex 5 Requirements to Each Tier
The table below maps specific CIR Annex 5 requirements to each supplier tier. Use this as a compliance checklist when designing or auditing your supplier security programme.

| CIR Annex 5 Requirement | Tier 1 — Critical | Tier 2 — Important | Tier 3 — Standard | Tier 4 — Low |
|---|---|---|---|---|
| 5.1.1 Supply chain security policy | Full policy coverage with named controls per supplier | Included in policy | Included in policy | Explicitly addressed as standard commercial — proportionality rationale documented |
| 5.1.2 Selection criteria — cybersecurity practices | Comprehensive pre-contract questionnaire | Simplified questionnaire | Due diligence review at onboarding | Not required |
| 5.1.2 Selection criteria — quality and resilience | Certification mandatory (ISO 27001 / SOC 2 Type II) | Certification preferred; attestation acceptable | Not required | Not required |
| 5.1.4 Cybersecurity requirements in contract | Full NIS2 clause set | Standard NIS2 clause set | NIS2-aligned clauses | Standard commercial clauses |
| 5.1.4 Background verification in contract | Required | Required | Not required | Not required |
| 5.1.4 Incident notification | 24-hour notification required | 72-hour notification required | Notification clause active (no defined timeline) | Not required |
| 5.1.4 Audit rights | Full right-to-audit + unannounced capability for security events | Right-to-audit (annual or upon breach suspicion) | Audit right in contract | Not required |
| 5.1.4 Vulnerability handling SLA | Mandatory in contract with defined timelines | Required in contract | Not required | Not required |
| 5.1.4 Subcontracting controls | Approval required; equivalent security standards for sub-processors | Documented in contract | Notification required where your data is involved | Not required |
| 5.1.5/5.1.6 Periodic review | Annual | Every 18 months | At contract renewal | None |
This mapping is a synthesis for compliance planning purposes. Apply it alongside the official regulation text and your organisation’s specific risk profile, sector, and jurisdiction.
Who Owns What: Role Responsibilities in Supplier Classification
Supplier classification fails in practice when ownership is unclear — typically because procurement owns the vendor relationship, security owns the assessment criteria, and legal owns the contracts, with no single function accountable for the complete lifecycle. This table assigns clear responsibilities across the programme.

| Role | At Onboarding | Periodic Review | Reclassification Trigger | Supplier Security Incident |
|---|---|---|---|---|
| CISO / Head of Security | Approves Tier 1 classification and questionnaire scope | Signs off Tier 1 annual review conclusions | Final decision authority on upward reclassification to Tier 1 | Activates incident escalation for Tier 1 supplier events |
| Procurement / Sourcing | Applies scoring matrix; collects questionnaire responses | Schedules reviews; updates supplier register | Flags supplier scope changes to security team | Manages commercial escalation with supplier |
| Risk / Compliance | Maintains supply chain security policy; verifies classification against policy | Owns audit evidence file; coordinates review schedule | Documents reclassification rationale in register | Coordinates with CISO on notification obligations |
| Legal / Contracts | Embeds tier-appropriate NIS2 clauses; reviews right-to-audit language | Confirms clause currency at renewal | Updates contracts when tier changes | Assesses contractual notification and audit obligations |
| IT / Technical | Verifies claimed system access scope for Tier 1 candidates; validates certification scope | Technical validation of Tier 1 annual assessment | Reports new integrations or access scope changes | Leads technical response to Tier 1 supplier incidents |
Building an Audit-Ready Supplier Register
A well-executed tier classification delivers compliance value only if it is documented in a supplier register that auditors can examine. CIR Annex 5.1.1 requires a policy governing supplier relationships — and auditors working in an enforcement context expect that policy to be backed by a populated, current register, not a theoretical framework that exists only on paper.

Each supplier entry in your register should contain:
- Supplier name and service description — what they provide and the business reason for the relationship
- Tier assignment and date — current tier (1–4) and when the classification was last confirmed
- Scoring record — the four-dimension scores and rationale notes; this is the classification evidence auditors review first
- Contractual status — contract date, whether tier-appropriate NIS2 clauses are in place, next renewal date
- Certification records — links to ISO 27001 certificate or SOC 2 report for Tier 1 and Tier 2, with certificate expiry dates flagged for proactive renewal chasing
- Review schedule — next review date based on the tier cycle (annual, 18-month, or at renewal)
- Incident history — any security events reported by this supplier, resolution status, and any impact on their tier classification
The register must be a living document. Reclassification triggers — requiring updated scores and documented rationale — include: the supplier expands its scope to include new system access; your organisation deploys a new essential service relying on this supplier; the supplier experiences a significant security incident; or a member-state regulator publishes guidance identifying this supplier category as elevated risk.
The compliance gap practitioners consistently identify is not a missing policy — it is the absence of continuous, timestamped evidence. Auditors want versioned records of reviews and reclassification decisions, not a static spreadsheet with no change history. Build the register in a version-controlled system or maintain a change log with dates and named owners alongside the current classification state. A register that cannot show when a Tier 1 classification was last reviewed is audit-ready in name only.
The Supply Chain Declaration Pack includes ready-to-use supplier register templates, tier-specific security questionnaires, and NIS2-compliant contract clause sets for each tier — designed to reduce the time to build a compliant, audit-ready register from weeks to hours.
Frequently Asked Questions
Does NIS2 require me to classify all suppliers, or only ICT suppliers?
CIR Annex 5 focuses on suppliers and service providers that could affect your network and information systems. In practice, ICT suppliers and service providers with direct or indirect system access are the primary scope. Physical suppliers with no system access typically fall into Tier 3 or Tier 4. Article 21(2)(d) of the Directive uses the term “direct suppliers or service providers” — it does not limit scope to ICT — but the risk assessment determines which suppliers present material cybersecurity exposure worth formal classification.
Can a Tier 2 supplier move to Tier 1?
Yes — and this is exactly why periodic reviews exist. If a Tier 2 supplier expands its role to include direct system access (for example, a BI vendor that adds API integration into your production environment), re-score using the matrix and reclassify immediately. Document the trigger, the new scores, the previous scores, and the rationale in your supplier register — the reclassification history is audit evidence of an active, functioning programme.
What if a Tier 1 supplier refuses right-to-audit clauses?
Document the refusal and the alternative assurance mechanisms in place — for example, a current SOC 2 Type II report with scope validation, or an ISO 27001 certificate covering the relevant services. Escalate the residual risk to management for documented acceptance. A supplier’s unwillingness to accept audit rights is itself a risk signal that should feed into your annual Tier 1 review cycle and may affect your appetite for renewing the relationship at the same tier.
Is our managed security service provider always Tier 1?
Almost certainly. An MSSP with access to your SIEM, endpoint detection, or network monitoring infrastructure scores 3 across all four dimensions: direct system access (3), sensitive security data (3), critical availability dependency (3), and high replacement cost (3). Total: 12 — unambiguously Tier 1. The fact that the vendor is a security specialist does not reduce the classification; privileged access to your security systems is among the highest-risk configurations your organisation manages.
A supplier provides both a critical service and a low-risk service. Which tier applies?
The highest tier that applies to any part of the relationship governs the whole relationship. If a supplier provides both outsourced network operations (Tier 1) and stationery delivery (Tier 4), classify the entire relationship as Tier 1 and apply Tier 1 requirements throughout. Splitting the relationship into two separate contracts to achieve a lower-tier classification would be artificial structuring and would not survive audit scrutiny.
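As an added example (not code from the article, the CIR, or any referenced product), the following Python implements the four-dimension scoring matrix and tier thresholds from the "How to Score and Assign Suppliers to Tiers" section, an append-only scoring history with trigger and rationale of the kind the supplier register section calls for, and the two rules from the FAQ above: rescoring a Tier 2 supplier whose scope expands, and the highest tier governing a relationship that covers several services. The class and function names, the supplier names and the dates are constructed for illustration; the score combinations are the article's own worked examples.

```python
from dataclasses import dataclass, field
from datetime import date

# The four dimensions of the scoring matrix, each scored 1-3.
DIMENSIONS = ("system_access", "data_sensitivity", "availability_impact", "replaceability")


def assign_tier(total: int) -> int:
    """Tier thresholds from the article: 10-12 -> Tier 1, 7-9 -> Tier 2, 5-6 -> Tier 3, 4 -> Tier 4."""
    if not 4 <= total <= 12:
        raise ValueError(f"total {total} is outside the 4-12 range of the matrix")
    if total >= 10:
        return 1
    if total >= 7:
        return 2
    if total >= 5:
        return 3
    return 4


@dataclass(frozen=True)
class ScoreRecord:
    """One scoring event for one service: the four scores, the rationale, the date and the trigger."""
    service: str
    scores: dict
    rationale: str
    recorded_on: date
    trigger: str = "initial classification"

    def __post_init__(self):
        if set(self.scores) != set(DIMENSIONS):
            raise ValueError(f"scores must cover exactly the dimensions {DIMENSIONS}")
        bad = {k: v for k, v in self.scores.items() if v not in (1, 2, 3)}
        if bad:
            raise ValueError(f"each dimension is scored 1, 2 or 3; got {bad}")

    @property
    def total(self) -> int:
        return sum(self.scores.values())

    @property
    def tier(self) -> int:
        return assign_tier(self.total)


@dataclass
class SupplierEntry:
    """A register entry (hypothetical name). `history` is append-only, oldest first, so previous scores survive."""
    name: str
    history: list = field(default_factory=list)

    def record(self, rec: ScoreRecord) -> "SupplierEntry":
        self.history.append(rec)
        return self

    @staticmethod
    def _overall(latest: dict) -> int:
        # Highest tier (lowest number) across the supplier's services governs the whole relationship.
        return min(rec.tier for rec in latest.values())

    @property
    def tier(self) -> int:
        if not self.history:
            raise ValueError(f"{self.name} has no scoring record")
        latest = {rec.service: rec for rec in self.history}  # later records replace earlier ones
        return self._overall(latest)

    def change_log(self) -> list:
        """(date, trigger, previous tier, new tier) for every change of the overall tier: the audit trail."""
        log, latest, prev = [], {}, None
        for rec in self.history:
            latest[rec.service] = rec
            cur = self._overall(latest)
            if cur != prev:
                log.append((rec.recorded_on, rec.trigger, prev, cur))
            prev = cur
        return log


def _scores(*values: int) -> dict:
    return dict(zip(DIMENSIONS, values))


def build_example_register() -> dict:
    """Constructed sample register: supplier names and dates are made up; scores are the article's examples."""
    reg = {}
    for name, service, values, why in [
        ("SaaS identity management vendor", "identity management", (3, 3, 3, 3),
         "privileged production access, identity data, service stops without it, sole source"),
        ("ERP vendor", "ERP platform", (2, 3, 2, 3),
         "business data access but no privileged accounts; strategic, months to replace"),
        ("Translation agency", "marketing translation", (1, 1, 1, 2),
         "marketing copy only, no system access, moderate switching cost"),
        ("Office supplies company", "stationery", (1, 1, 1, 1), "no access, replaceable within days"),
    ]:
        reg[name] = SupplierEntry(name).record(ScoreRecord(service, _scores(*values), why, date(2025, 1, 15)))

    # FAQ case: a BI vendor rescored after adding an API integration into production (Tier 2 -> Tier 1).
    bi = SupplierEntry("BI platform vendor")
    bi.record(ScoreRecord("reporting", _scores(2, 3, 2, 2),
                          "read-only data feed, operational data, no direct access", date(2025, 1, 15)))
    bi.record(ScoreRecord("reporting", _scores(3, 3, 2, 2),
                          "API integration now gives direct access to production", date(2025, 9, 1),
                          trigger="scope expansion: production API integration"))
    reg[bi.name] = bi

    # FAQ case: two services under one relationship; the Tier 1 service governs the whole relationship.
    dual = SupplierEntry("Network operations and stationery supplier")
    dual.record(ScoreRecord("outsourced network operations", _scores(3, 3, 3, 3),
                            "administers the production network", date(2025, 1, 15)))
    dual.record(ScoreRecord("stationery delivery", _scores(1, 1, 1, 1), "no access", date(2025, 1, 15)))
    reg[dual.name] = dual
    return reg


if __name__ == "__main__":
    for name, entry in build_example_register().items():
        print(f"Tier {entry.tier}: {name}")
        for on, trigger, old, new in entry.change_log():
            print(f"    {on} {trigger}: Tier {old} -> Tier {new}")
```

Because `history` is never rewritten, the register keeps the previous scores and the trigger for every reclassification, which is the change history the article says auditors look for; `change_log()` reconstructs that trail from the records rather than relying on a separately maintained spreadsheet column.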
Sources
- Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 — EUR-Lex
- NIS2 Third-Party Risk Documentation: What Auditors Actually Check — Orbiq
- NIS2 Directive Explained Part 3: Supply Chain Security — DLA Piper (2025)
- Everything You Need to Know About the NIS2 Directive: Supply Chains and IT Security — Lawcode
