NIS2 Supply Chain Security: Requirements and Implementation Guide
The SolarWinds attack in 2020 compromised 18,000 organisations — including multiple US government agencies — through a single tampered software update. NotPetya in 2017 caused over $10 billion in global damage by spreading through the update mechanism of a Ukrainian accounting application. Neither attack targeted the victims directly. Both exploited the supply chain.
These weren’t anomalies. According to the Verizon 2025 Data Breach Investigations Report, 30% of all data breaches now involve a third party — double the rate from the previous year [4]. Supply chain attacks cost 17 times more to remediate than direct breaches, and the average detection time stretches to 267 days.
The EU legislators took notice. Under the original NIS Directive (NIS1), supply chain security received a passing reference at best. NIS2 — Directive (EU) 2022/2555 — makes it one of ten mandatory risk management measures in Article 21(2)(d), and the Commission Implementing Regulation (CIR) 2024/2690 adds detailed requirements for policies, supplier contracts, and ongoing assessment.
This is the single biggest operational shift from NIS1 to NIS2 for most organisations. You’re no longer responsible only for your own cybersecurity — you’re accountable for understanding and managing the risks your suppliers bring into your environment.
Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.
This guide breaks down exactly what the regulation requires, how to classify your suppliers by risk, which contract clauses you need, and how to build a monitoring process that satisfies both the CIR and your national supervisory authority.
What Article 21(2)(d) and the CIR Require
Article 21(2)(d) of the NIS2 Directive requires every essential and important entity to implement “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.”

Under NIS1, supply chain security was barely mentioned. NIS2 dedicates a full requirement to it — and the Commission Implementing Regulation (CIR) 2024/2690 spells out the specifics in Annex Section 5.
What the Directive Requires
Article 21(3) expands on what “supply chain security” means in practice. Entities must:
- Evaluate vulnerabilities specific to each direct supplier and service provider
- Assess the overall quality of their suppliers’ cybersecurity products and practices, including secure development procedures
- Take into account the results of coordinated security risk assessments of critical supply chains carried out under Article 22
This applies to all entities in scope of NIS2 — both essential and important. The obligation covers every supplier or service provider that has a relationship with the entity’s network and information systems.
What the CIR Adds
CIR 2024/2690 Annex Section 5 breaks supply chain security into two areas:
5.1 — Supply Chain Security Policy. Entities must establish, implement, and apply a written policy governing relationships with direct suppliers and service providers. The policy must identify the entity’s own role in the supply chain, lay down criteria for selecting and contracting suppliers, and be reviewed at planned intervals or when significant incidents or risk changes occur.
5.2 — Supplier Contracts and SLAs. Based on the security policy and the entity’s overall risk assessment, contracts with suppliers must specify six categories of requirements (detailed in the contract clauses section below). The ENISA Technical Implementation Guidance (published June 2025) provides additional detail on how to implement these measures in practice.
What this means practically: if you’re an in-scope entity, you need three things — a written supply chain security policy, a documented assessment process for each supplier, and contracts that include the six clause types required by CIR Annex 5.1.4. For a complete map of all ten NIS2 risk management measures, see our NIS2 requirements overview.
How to Classify Suppliers by Criticality
Not every supplier carries the same risk. Your cloud infrastructure provider and the company supplying office stationery don’t need the same level of cybersecurity scrutiny. The CIR takes a risk-based approach — measures must be “proportionate,” and proportionality starts with classification.

A three-tier model works for most organisations:
| Tier | Description | Examples | Assessment Frequency |
|---|---|---|---|
| Critical (Tier 1) | Direct access to your network, systems, or sensitive data. Disruption would halt essential services. | Cloud/hosting providers, managed security services, ERP/core software vendors, identity providers | Annual audit + continuous monitoring |
| Important (Tier 2) | Limited system access or handles non-critical data. Disruption would degrade but not halt operations. | Email platforms, HR software, specialised SaaS tools, payment processors | Annual questionnaire + periodic review |
| Standard (Tier 3) | No system access or data handling. Minimal operational impact if disrupted. | Office supplies, facilities management, marketing agencies (no system access) | Simplified check at onboarding + renewal review |
Four Classification Criteria
Use these factors to assign each supplier to a tier:
- System access level — Does the supplier connect to your network, access production systems, or hold administrative credentials?
- Data sensitivity — Does the supplier process, store, or transport personal data, trade secrets, or data classified under NIS2?
- Substitutability — How quickly could you switch to an alternative? High lock-in pushes the supplier up a tier.
- Service criticality — Would a disruption affect your ability to deliver essential or important services under NIS2?
If a supplier scores high on any single factor, move them up a tier. Classify borderline cases upward — the cost of over-assessing is trivial compared to the cost of an unmanaged critical supplier.
Who owns classification? In organisations with a CISO, the security team leads this exercise in consultation with procurement. For SMEs without dedicated security staff, the business owner or IT manager should work through the list — the process is straightforward once the criteria are defined.
Security Requirements by Supplier Tier
Once suppliers are classified, apply tier-specific requirements. This table maps CIR Annex 5 obligations to practical measures per tier:

| Requirement (CIR Annex 5) | Critical (Tier 1) | Important (Tier 2) | Standard (Tier 3) |
|---|---|---|---|
| Security policy review | Full policy review + evidence | Policy summary + self-attestation | Accept standard terms |
| Risk assessment | Joint risk assessment | Supplier provides own assessment | N/A |
| Incident notification | Real-time alerting (< 24h) | Notification within 72h | Material incidents only |
| Audit rights | On-site or remote audit annually | Remote assessment annually | Contract clause only |
| Employee vetting | Background checks confirmed | Training certificates confirmed | Contractual obligation only |
| Secure development | SDLC evidence + pen testing | Self-attestation | N/A |
| Business continuity | Tested BCP/DR plan required | BCP documentation required | N/A |
| Termination plan | Data return + system handover | Data deletion confirmation | Standard contract terms |
Gap Analysis Approach
For each Critical and Important supplier:
- Map the supplier’s current state against the requirements above
- Identify gaps — requirements not yet met
- Classify each gap by effort: Low (contract clause update), Medium (supplier needs to implement controls), High (requires infrastructure changes or supplier substitution)
- Set remediation deadlines aligned with your NIS2 compliance timeline
This gap analysis doubles as audit documentation. Keep the completed matrix as evidence of your supply chain risk management process — national supervisory authorities will ask for it.
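To show how the four classification criteria and the gap analysis steps fit together, here is an added Python example (not code from this guide or from any regulator): it scores a supplier on the four factors, rounds borderline cases upward, and lists the tier-specific requirements the supplier has not yet evidenced. The requirement names, the default effort per requirement and the three sample suppliers are constructed assumptions; the notification deadlines come from the tier table above.

```python
# Added example: supplier tiering and gap analysis as described on this page.
from dataclasses import dataclass

TIER_ORDER = ["Standard", "Important", "Critical"]            # Tier 3 .. Tier 1
NOTIFY_HOURS = {"Critical": 24, "Important": 72, "Standard": None}  # from the tier table

# requirement -> (lowest tier it applies to, default remediation effort);
# both the names and the effort values are constructed, not prescribed by the CIR.
REQUIREMENTS = {
    "incident_notification_clause": ("Standard", "Low"),
    "audit_rights_clause":          ("Standard", "Low"),
    "termination_obligations":      ("Standard", "Low"),
    "supplier_risk_assessment":     ("Important", "Medium"),
    "secure_development_evidence":  ("Important", "Medium"),
    "business_continuity_plan":     ("Important", "Medium"),
    "background_checks":            ("Critical", "Medium"),
    "tested_dr_plan":               ("Critical", "High"),
}

@dataclass(frozen=True)
class Supplier:
    name: str
    system_access: int        # each criterion scored 0 (none), 1 (limited) or 2 (high)
    data_sensitivity: int
    substitutability: int     # 2 = high lock-in
    service_criticality: int  # 2 = disruption would halt essential services
    evidence: frozenset       # requirements the supplier already demonstrably meets
    borderline: bool = False  # reviewer could not settle between two tiers

def classify(s: Supplier) -> str:
    """Highest single factor sets the tier; borderline cases are rounded upward."""
    top = max(s.system_access, s.data_sensitivity, s.substitutability, s.service_criticality)
    return TIER_ORDER[min(top + (1 if s.borderline else 0), 2)]

def gap_analysis(s: Supplier) -> list:
    """Controls the assigned tier demands but the supplier has not evidenced, with effort."""
    rank = TIER_ORDER.index(classify(s))
    return [(req, effort) for req, (min_tier, effort) in REQUIREMENTS.items()
            if rank >= TIER_ORDER.index(min_tier) and req not in s.evidence]
# Constructed sample suppliers (cloud host, HR SaaS, stationery vendor).
CLOUD = Supplier("cloud-host", 2, 2, 2, 2, frozenset({"incident_notification_clause",
    "audit_rights_clause", "supplier_risk_assessment", "business_continuity_plan"}))
HR_SAAS = Supplier("hr-saas", 1, 1, 0, 1, frozenset({
    "incident_notification_clause", "termination_obligations"}))
STATIONERY = Supplier("stationery", 0, 0, 0, 0, frozenset({"incident_notification_clause"}))

if __name__ == "__main__":
    for s in (CLOUD, HR_SAAS, STATIONERY):
        t = classify(s)
        print(f"{s.name}: {t}, notify within {NOTIFY_HOURS[t]}h, gaps={gap_analysis(s)}")
```

The returned gap list maps directly onto the matrix the supervisory authority will ask for: one row per missing control with its effort band, to which you add the remediation deadline.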
Six Contract Clauses Every NIS2 Entity Needs
CIR 2024/2690 Annex 5.1.4 lists six topics that must appear in supplier contracts or service level agreements. Here’s what each clause should cover:

1. Cybersecurity requirements. Specify the security standards the supplier must meet. For Critical suppliers, reference ISO 27001 or SOC 2 as a baseline. For Important suppliers, a documented information security policy may suffice. Include requirements for encryption, access control, and vulnerability management appropriate to the service provided.
2. Employee skills, training, and certifications. Supplier staff with access to your systems must receive cybersecurity awareness training. For Critical suppliers, require evidence of specific certifications (CISSP, CISM, or equivalent) for key personnel. Define minimum training frequency — annual at minimum.
3. Background checks. For suppliers whose employees access your sensitive systems or data, require appropriate background verification. What counts as “appropriate” depends on your sector — criminal record checks, reference verification, or security clearance for entities in critical infrastructure sectors.
4. Incident notification. Suppliers must notify you of any security incident posing a risk to your systems “without undue delay.” Define the timeline explicitly: 24 hours for Critical suppliers, 72 hours for Important suppliers. Specify the communication channel, required information (scope, impact, remediation steps), and escalation procedures. This aligns with NIS2’s broader incident reporting obligations.
5. Audit and review rights. You need the contractual right to assess your supplier’s security posture. For Critical suppliers, this means on-site or remote audit rights exercisable at least annually. For others, the right to request evidence of compliance — certifications, test reports, policy documents. Define the notice period and cooperation obligations.
6. Termination obligations. When a contract ends, the supplier must return or securely delete all data, revoke all access to your systems, and provide documentation about any network or system information obtained during the engagement. This prevents data leakage during vendor transitions and is a requirement many organisations overlook until it’s too late.
For ready-to-use versions of these clauses, see our NIS2 templates page — Documents 42 (Supplier Security Policy), 43 (Supplier Security Assessment Questionnaire), and 45 (Supplier Security Clauses for Contracts) cover these requirements in full.
Monitoring and Ongoing Obligations
Supplier assessment is not a one-time exercise. The CIR requires ongoing monitoring with reviews triggered by specific events:

- Planned intervals — annual review for all classified suppliers, with quarterly or continuous monitoring for Critical tier
- Significant changes — new services, system architecture changes, mergers and acquisitions, or changes in the supplier’s ownership or management
- Security incidents — any incident affecting the supplier or their sub-suppliers that could impact your systems
- EU coordinated risk assessments — if the Cooperation Group issues a coordinated risk assessment under Article 22 affecting products or services you use, you must factor the results into your supplier evaluation. Ignoring these assessments can result in compliance penalties even if you’ve fulfilled other requirements [1]
Documentation Checklist
Maintain an auditable record for each classified supplier:
- Tier classification with documented rationale
- Completed assessment questionnaires or audit reports
- Signed contract with all six clause types
- Incident notification log
- Review schedule and outcomes
- Gap remediation tracking with deadlines
This documentation serves two purposes: it satisfies the CIR’s requirement for a formal supply chain security policy, and it provides the evidence your national supervisory authority will request during inspections. If you don’t have a record, you can’t prove compliance. For a full compliance tracking framework, see our NIS2 compliance checklist.
Frequently Asked Questions
Do I need to assess every supplier?
No. The CIR requires a proportionate approach. Classify suppliers into tiers based on system access, data sensitivity, substitutability, and service criticality. Standard (Tier 3) suppliers — those with no system access or data handling — need only basic contractual clauses and simplified onboarding checks. Focus your assessment effort on Critical and Important tier suppliers.
What if a supplier refuses our security requirements?
This is a risk decision, not just a compliance one. If a Critical or Important supplier won’t agree to the clauses required by CIR Annex 5.1.4, you have three options: negotiate alternative controls that achieve the same security outcome, accept the residual risk and document your justification in the risk register, or find a replacement supplier. For Critical tier suppliers, refusal on core requirements like incident notification or audit rights is generally a deal-breaker.
Does NIS2 require my suppliers to be ISO 27001 certified?
No. Neither NIS2 nor the CIR mandates any specific certification for suppliers. However, ISO 27001 certification simplifies your assessment process — it provides third-party evidence of a structured information security management system. It’s a useful baseline for Critical tier suppliers, but it doesn’t guarantee NIS2 compliance on its own. You still need to verify that the supplier meets the specific requirements relevant to your relationship. For a detailed comparison, see our guide on NIS2 vs ISO 27001.
How far down the supply chain must I look?
Article 21(2)(d) refers to “direct suppliers or service providers.” You’re not expected to audit your supplier’s suppliers directly. However, the CIR requires your supply chain security policy to address sub-supplier risks. In practice, this means requiring your Critical suppliers to demonstrate they have their own supply chain security processes — creating a cascade of accountability down the chain.
What about open source software dependencies?
Open source components are part of your supply chain. In 2024 alone, researchers identified over 512,000 malicious packages in open source repositories — a 156% year-over-year increase [4]. The CIR’s secure development requirements (Annex Section 6) apply here. Maintain a Software Bill of Materials (SBOM) for your critical applications, monitor for known vulnerabilities in dependencies, and include open source risk in your supply chain security policy.
For a sector-specific breakdown of how Article 21(2)(d) applies to chemical dosing vendors, SCADA remote monitoring SaaS, and remote access system integrators, see our guide: NIS2 Supply Chain Security for Water Utilities.
For food manufacturers, processors, and wholesale distributors, the same Article 21(2)(d) framework applies to ERP integrations with ingredient suppliers, cold chain telematics platforms, and Codex-mandated traceability systems: see our guide on NIS2 Supply Chain Security for the Food Industry.
Sources
- Directive (EU) 2022/2555 (NIS2 Directive), European Parliament and Council, 14 December 2022. EUR-Lex.
- Commission Implementing Regulation (EU) 2024/2690, European Commission, 17 October 2024. EUR-Lex.
- ENISA, Technical Implementation Guidance on Cybersecurity Risk Management Measures, Version 1.0, June 2025.
- Verizon 2025 Data Breach Investigations Report — third-party breach data via DeepStrike Supply Chain Attack Statistics 2025.
- ENISA, Threat Landscape for Supply Chain Attacks.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
