NIS2 Supply Chain Declaration Pack
199,00 €
6 editable DOCX — supplier security policy, clauses, self-assessment, and compliance checklist
Digital download — withdrawal waived at checkout per EU Dir. 2011/83, Art. 16(m).
Description
Article 21(2)(d) requires documented supply chain security—from policy to vendor assessment to contractual clauses—but most organisations lack a structured approach to supplier due diligence. The Supply Chain Pack delivers 6 editable templates covering the full supplier security lifecycle: from policy and contractual requirements through self-assessment and compliance scoring, all mapped to Article 21(2)(d), CIR 2024/2690 Annex Section 5, and ENISA technical guidance.
CIR 2024/2690 referenced
ISO 27001:2022 cross-referenced
ENISA guidance referenced
UK English
Editable DOCX/XLSX
Why Article 21(2)(d) Puts Your Suppliers on the Audit Agenda
Article 21(2)(d) of the NIS2 Directive requires entities to address “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” CIR 2024/2690 Annex Section 5 specifies what this means in practice: a supply chain security policy, security requirements embedded in contracts, a process for assessing supplier risk, and ongoing monitoring of supplier compliance.
This is not a pass/fail checkbox. Auditors expect to see a documented programme: which suppliers have been identified, what security requirements were communicated, whether those requirements are contractually binding, and how supplier compliance is assessed and tracked over time. Organisations that manage vendor relationships informally—through emails and ad-hoc conversations—cannot evidence this measure, regardless of how strong their own internal security may be.
6 Documents from Supplier Policy to Compliance Scoring
The Supply Chain Pack provides every document needed to build and evidence a supply chain security programme under Article 21(2)(d). Each template follows a consistent 9-section structure—Purpose, Scope, Definitions, RACI matrix, Requirements, Exceptions, Monitoring, References, and Appendix—with pre-filled RACI tables, red-highlighted placeholders for your organisation-specific data, and cross-references to CIR 2024/2690 and ENISA guidance.
| Doc # | Document | What It Does |
|---|---|---|
| 42 | Supplier Security Policy | Establishes your organisation’s requirements for supplier security: classification criteria, minimum security standards, assessment frequency, and escalation procedures for non-compliance |
| 43 | Supplier Security Clauses | Contract appendix with pre-drafted security clauses covering data protection, incident notification obligations, audit rights, sub-contractor controls, and termination triggers—ready to attach to procurement agreements |
| 44 | Confidentiality Statement | Standalone confidentiality agreement for suppliers handling sensitive information—defines obligations, permitted use, return/destruction requirements, and breach notification duties |
| 45 | Supplier Directory | Structured register for recording all suppliers, their criticality classification, services provided, contract dates, last assessment date, and compliance status—the single source of truth for vendor management |
| 60 | Supplier Self-Assessment Questionnaire | Standardised questionnaire for suppliers to report their own security posture—covering governance, access control, incident management, business continuity, and data protection—designed to be sent directly to vendors |
| 61 | Supplier Compliance Checklist | Scoring framework for evaluating supplier self-assessment responses—assigns risk ratings, identifies gaps, and generates an overall compliance score for each vendor |
Together, these 6 documents create a closed-loop supplier security programme: define requirements → embed them in contracts → protect confidential information → maintain a vendor register → assess supplier security posture → score and track compliance. Every step produces an auditable artefact that evidences Article 21(2)(d).
Who Uses the Supply Chain Pack
Procurement Lead — You need security clauses that can be attached to contracts and a self-assessment questionnaire that standardises how you evaluate vendor security. This pack gives you ready-to-use contract appendices and assessment tools so supplier due diligence becomes a repeatable process, not a case-by-case negotiation.
Vendor Manager — You need a structured supplier directory and compliance scoring system to track which vendors meet your security requirements and which need remediation. The directory, self-assessment, and checklist create a single workflow from vendor onboarding to ongoing monitoring.
Common Questions About the Supply Chain Pack
Are these templates legal advice?
No. These templates are general samples intended as a starting point for your supply chain security documentation. They do not constitute legal advice. Every document—especially the Supplier Security Clauses (Doc 43)—must be reviewed by a qualified legal professional before inclusion in contracts.
Do you offer refunds?
This is a digital download product. The right of withdrawal is waived at checkout in accordance with EU Directive 2011/83/EU, Article 16(m). You will be asked to consent to this waiver before completing payment.
Are updates included?
Yes. Your purchase includes one year of updates. As EU guidance evolves—new ENISA publications, member state implementation acts, or CIR amendments—updated templates are made available for download at no additional cost during your update period.
Can I send the self-assessment to suppliers?
Yes. Doc 60 (Supplier Self-Assessment Questionnaire) is designed to be sent directly to your suppliers as a standalone document. It covers governance, access control, incident management, business continuity, and data protection. Doc 61 (Supplier Compliance Checklist) then provides the scoring framework to evaluate their responses and assign risk ratings.
Start Securing Your Supply Chain Documentation
The Supply Chain Pack gives you 6 editable, regulation-mapped documents that cover the full Article 21(2)(d) supply chain security requirement—from policy and contractual clauses to vendor assessment and compliance scoring. Download, customise the red-highlighted fields, and turn informal vendor management into a documented, auditable programme.
1 year of updates included
Disclaimer: These templates are general samples for internal use. They do not constitute legal advice and must be reviewed by a qualified professional before adoption. No document in this pack guarantees NIS2 compliance. See our full Disclaimer.





