Telecom Supply Chain Security Under NIS2 Article 21(2)(d): 5G Toolbox High-Risk Vendor Restrictions, RAN Diversity, and Contractual Obligations

Telecom operators buying RAN equipment from Ericsson, Nokia, or Huawei have a supply chain problem that no general NIS2 guide fully explains: Article 21(2)(d) of the NIS2 Directive creates a documented, risk-assessed, contractually enforced obligation covering each direct supplier — and if your member state has used the EU 5G Toolbox to restrict high-risk vendors, that restriction flows directly into your Art. 21(2)(d) compliance documentation.

This guide maps the mechanism. It covers which telecom entities fall in scope, what Art. 21(2)(d) demands beyond generic supply chain policy, how to tier RAN, core network, and OSS/BSS suppliers by risk, what your contracts must now include, and how the incoming Cybersecurity Act 2 (CSA2) will convert current voluntary restrictions into binding obligations — with a 36-month phase-out clock for mobile networks.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Why Telecom Operators Face Stricter NIS2 Supply Chain Scrutiny

Providers of public electronic communications networks and publicly available electronic communications services sit in Annex I of NIS2 — the “highly critical sectors” list. That matters for supply chain compliance in two ways. First, Annex I entities are essential entities by default in most member states, which means they face the full Art. 21 requirements, not the lighter “important entity” regime. Second, essential entities are subject to ex-ante supervision: national competent authorities can inspect, audit, and issue binding instructions without waiting for an incident to trigger enforcement.

The table below shows which telecom and adjacent digital infrastructure sub-sectors sit in NIS2 Annex I and their typical designation level.

| Sub-sector | NIS2 Annex | Typical designation | Key supply chain exposure |
|---|---|---|---|
| Public electronic communications network providers | Annex I, Section 8 | Essential (size-independent in many MS) | RAN, core network, passive infrastructure |
| Publicly available electronic communications services | Annex I, Section 8 | Essential | Core platform vendors, roaming interconnects |
| Internet exchange point (IXP) operators | Annex I, Section 8 | Essential | Route server software, peering fabric hardware |
| DNS service providers (>3 M queries/day threshold) | Annex I, Section 8 | Essential | Resolver software vendors, anycast infrastructure |
| Cloud computing service providers | Annex I, Section 8 | Essential or Important (by size) | Hypervisor, network function virtualisation vendors |
| Managed service providers (MSPs/MSSPs) | Annex I, Section 8 | Important | Monitoring platforms, SIEM vendors, NOC/SOC tooling |

Each of these sub-sectors carries its own vendor ecosystem — and NIS2 requires each entity to assess and manage the security risks from its own direct suppliers, not to delegate that assessment to a sector-wide body or rely on another entity’s due diligence.

What Article 21(2)(d) Actually Requires for Telecom Supply Chains

The obligation in Art. 21(2)(d) is precise: “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” [1] The phrase “each entity” is not collective — it means your organisation must conduct its own assessment of your own direct suppliers, not rely on a shared industry register.

In practice, compliance officers working through this requirement break it into four operational steps [7]:

Step 1 — Supply chain security policy. A written policy setting minimum security standards for all direct suppliers who could affect the availability, integrity, authenticity, or confidentiality of your network and information systems. The policy should define scope criteria (which supplier types are in scope), tier criteria (how criticality is graded), and the review cadence.

Step 2 — Supplier-specific risk assessment. Article 21(3) further requires that when determining appropriate measures under Art. 21(2)(d), entities must “take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices.” [1] That language rules out a one-size-fits-all questionnaire: a vendor supplying passive fibre infrastructure carries different Art. 21(2)(d) exposure than a vendor supplying your 5G core access and mobility management function (AMF). Each critical supplier needs an individual risk record.

Step 3 — Contractual flow-downs. Contracts with in-scope suppliers must be updated to include cybersecurity standards, incident reporting obligations, audit rights, and sub-contractor visibility requirements. Pre-NIS2 contracts that lack these clauses create a documented compliance gap that auditors will find. The Commission Implementing Regulation (EU) 2024/2690 (CIR) provides binding standards for digital entities on exactly what these clauses must cover [3].

Step 4 — Supplier register and ongoing monitoring. Maintaining a current directory of in-scope suppliers, their criticality tier, their last assessment date, and any outstanding findings. “Ongoing” is deliberate: the obligation is not a one-time procurement gate but a continuous monitoring requirement.

These four steps apply regardless of whether your member state has implemented any HRV restrictions. If it has, those restrictions add a fifth dimension — covered in the next section.

The 5G Toolbox High-Risk Vendor Framework and Its Art. 21(2)(d) Consequences

The EU 5G Cybersecurity Toolbox, adopted in 2020 by the NIS Cooperation Group, was designed as a coordinated framework for assessing the risk profile of 5G network suppliers. It introduced the concept of “high-risk vendors” (HRV) and recommended that member states assess each supplier against a defined set of technical and non-technical criteria — including the likelihood of interference from a non-EU government, the supplier’s ownership structure, and the degree to which the supplier’s home country’s legislation could compel disclosure or restrict security updates. [5]

The toolbox is soft law. Member states are not required to act on it uniformly, and as of 2025, implementation is uneven: some countries (Germany, Sweden) have imposed formal HRV restrictions, while others (Spain) have taken a more open position. [6]

Here is where the toolbox intersects directly with Art. 21(2)(d): when a member state does designate a vendor as HRV — whether formally by law or through a regulator’s guidance — that designation creates a specific, documented vulnerability in your supply chain. Article 21(3) requires entities to “take into account the vulnerabilities specific to each direct supplier” when implementing Art. 21(2)(d) measures. A nationally designated HRV in your RAN is precisely such a vulnerability, and not addressing it in your supply chain security documentation creates a direct compliance gap.

This creates two possible positions for a telecom operator:

  • You still deploy HRV equipment. Your Art. 21(2)(d) documentation must acknowledge the HRV designation as a supplier-specific risk, document your current mitigation controls (network segmentation, software update monitoring, third-party code audits), and include a transitional plan with milestones for reducing dependency.
  • You are phasing out HRV equipment. Your documentation should record the phase-out timeline, define interim controls for the transition period, and confirm which network functions are already de-risked.

In both cases, silence is not defensible. An auditor examining your Art. 21(2)(d) implementation who finds no reference to a nationally designated HRV in your supplier risk register has a ready-made finding.

Three Supplier Tiers in a Telecom Network: RAN, Core Network, and OSS/BSS

Art. 21(2)(d) applies to all direct suppliers, but not all suppliers carry equal Art. 21(2)(d) weight. Applying the same level of due diligence to a passive infrastructure lessor as to your 5G core vendor wastes compliance resources and obscures the real risk picture. Most telecom-facing compliance frameworks use three functional tiers.

| Tier | Network functions | Typical vendors / components | Art. 21(2)(d) priority | HRV exposure |
|---|---|---|---|---|
| Tier 1 — RAN | Base stations, remote radio units (RRUs), antennas, fronthaul transport | Ericsson, Nokia, Huawei, ZTE, Samsung | Critical — full assessment required | High — primary 5G Toolbox concern |
| Tier 1 — Core network | 5G Core (AMF, SMF, UPF), IMS, EPC, signalling (SS7/Diameter/SIP) | Ericsson, Nokia, Huawei, Cisco, Oracle (Tekelec) | Critical — full assessment required | High — data plane access, subscriber records |
| Tier 2 — OSS/BSS | Network management systems, billing, CRM, provisioning, SIEM/NOC platforms | Amdocs, Netcracker, Comverse, IBM, open-source NMS | High — full assessment for privileged-access vendors | Medium — indirect access to subscriber data and network config |
| Tier 3 — Interconnect and transit | IP transit, peering, roaming hubs, SS7 clearing | Tier-1 ISPs, GSMA roaming hubs, transit providers | Moderate — questionnaire and contract review | Lower — limited to traffic engineering data |

Tier 1 suppliers warrant the deepest Art. 21(2)(d) scrutiny because a security failure at the RAN or core layer cascades immediately into service availability, subscriber data integrity, and emergency communications functionality. A compromised AMF can intercept or redirect authentication for an entire region’s subscribers. A backdoored base station firmware update can affect millions of users simultaneously. These are not theoretical risks — they are precisely why the 5G Toolbox focused on RAN and core before extending to other layers.

For practical guidance on classifying your entire supplier portfolio under NIS2, including non-telecom vendors, see the supplier classification guide.

Contractual Obligations: The Minimum Clause Set for Each Supplier Tier

Updating existing vendor contracts is the most labour-intensive part of Art. 21(2)(d) compliance for telecom operators. Most operator-vendor agreements were negotiated pre-NIS2 and contain procurement-grade SLAs but no security clauses aligned to the directive’s requirements. The DLA Piper analysis of NIS2 supply chain obligations identifies contractual flow-downs as one of the four core implementation steps, noting that pre-NIS2 contracts lacking these clauses create a “documented compliance gap that auditors will find.” [7]

The table below gives the minimum clause set by tier. “Minimum” means the clause must exist in the contract — additional depth is acceptable and recommended for Tier 1 vendors.

| Clause type | What it must cover | Tier 1 (RAN / Core) | Tier 2 (OSS/BSS) | Tier 3 (Interconnect) |
|---|---|---|---|---|
| Cybersecurity standards | ISO 27001:2022 or equivalent; ETSI TS 33.501 for 5G core; explicitly name the applicable standard | Required | Required | Recommended |
| Incident notification | Notification to your SOC within 24 hours of any security incident affecting supplied components; includes obligation to notify if the vendor itself is breached | Required | Required | Required |
| Audit and access rights | Right to conduct or commission security audits of the supplier’s relevant systems and processes; minimum annual frequency for Tier 1 | Required | Required | Optional |
| Sub-contractor visibility | Obligation to disclose all sub-contractors with access to your network components; prior approval required for changes; fourth-party risk assessment on request | Required | Required | Optional |
| Vulnerability disclosure | Supplier must disclose CVEs affecting supplied products/services within 72 hours of public knowledge; patch delivery timeline commitment | Required | Required | Recommended |
| HRV mitigation plan | If the supplier is nationally designated HRV: milestones for reducing dependency, interim technical controls, escalation triggers | Required if HRV-designated | Required if HRV-designated | N/A |
| Right to terminate | Termination right if the vendor receives an HRV designation post-contract, suffers a serious security incident, or fails a scheduled audit | Required | Recommended | Optional |

One clause that operators frequently miss: the obligation to notify you if the supplier itself is breached, not just if their components affect your network. Under Art. 23 of NIS2, you must report significant incidents to your national authority within 24 hours of awareness — and you can only meet that obligation if your vendors are contractually required to inform you promptly. [1] Linking your incident notification clause to Art. 23’s reporting windows is not optional housekeeping; it is the mechanism by which your supply chain and your incident response obligations connect.

For suppliers where you hold a long-term framework agreement that cannot be renegotiated immediately, an interim solution is a signed addendum or “security schedule” appended to the existing contract. This is defensible during an audit as evidence of good-faith compliance action pending full contract renewal.

RAN Vendor Diversity as a NIS2 Resilience Measure

Multi-vendor RAN strategy — deploying base station equipment from two or more vendors across different regions of your network — is often discussed as a commercial or technical choice. Under NIS2, it also functions as an Art. 21(2)(d) resilience measure.

The EU Commission’s ICT Supply Chain Security Toolbox explicitly promotes “multi-vendor strategies” as a core mitigation against supply chain concentration risk. [5] If your entire RAN relies on a single vendor, your Art. 21(2)(d) supplier risk assessment will identify single-vendor concentration as a specific vulnerability — one that by definition cannot be mitigated by contractual clauses alone, because a failure (deliberate or accidental) at the vendor level affects your entire access layer simultaneously.

Operators pursuing multi-vendor RAN programmes can document this in their supply chain security policy as an active mitigation measure against concentration risk. Practically, this means:

  • Specifying in your supply chain security policy that no single vendor may supply more than X% of your active RAN sites (the threshold is yours to set and justify based on your risk appetite).
  • Recording the current vendor-split against that target in your supplier register, with a roadmap to the target state.
  • Referencing the EC toolbox recommendation on multi-vendor strategy as the regulatory basis for this control. [5]
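As an added example (not code from the article or from any of the cited sources), the following Python script audits a constructed supplier register against the minimum clause set per tier from the contract table above, the HRV mitigation-plan rule, and a multi-vendor RAN concentration limit. The clause identifiers, the 40% concentration threshold (the article's "X%") and the register rows are assumptions made for illustration.

```python
"""Added example: check a NIS2 Art. 21(2)(d) supplier register for gaps.
Clause names, the 40% RAN limit and the sample register are constructed."""
from collections import Counter

# Minimum clause set per tier, transcribed from the article's contract table.
# Only "Required" entries are enforced; "Recommended" ones are reported as notes.
REQUIRED = {
    "Tier 1": {"cybersecurity_standards", "incident_notification", "audit_rights",
               "subcontractor_visibility", "vulnerability_disclosure", "right_to_terminate"},
    "Tier 2": {"cybersecurity_standards", "incident_notification", "audit_rights",
               "subcontractor_visibility", "vulnerability_disclosure"},
    "Tier 3": {"incident_notification"},
}
RECOMMENDED = {
    "Tier 1": set(),
    "Tier 2": {"right_to_terminate"},
    "Tier 3": {"cybersecurity_standards", "vulnerability_disclosure"},
}
RAN_CONCENTRATION_LIMIT = 0.40  # assumed policy threshold; the article leaves "X%" to the operator


def check_supplier(s):
    """Return the list of findings for one register entry (empty list = no gap)."""
    findings = []
    clauses = set(s["clauses"])
    for c in sorted(REQUIRED[s["tier"]] - clauses):
        findings.append(f"{s['name']}: missing required clause '{c}'")
    for c in sorted(RECOMMENDED[s["tier"]] - clauses):
        findings.append(f"{s['name']}: recommended clause '{c}' absent (note)")
    # A signed interim security schedule counts as evidence; unsigned drafts do not.
    if not s.get("contract_signed"):
        findings.append(f"{s['name']}: no signed contract or security schedule on file")
    # Nationally designated HRV: a mitigation plan is required for Tier 1 and Tier 2.
    if s.get("hrv_designated") and s["tier"] != "Tier 3" and "hrv_mitigation_plan" not in clauses:
        findings.append(f"{s['name']}: HRV-designated but no HRV mitigation plan recorded")
    return findings


def check_ran_concentration(register, limit=RAN_CONCENTRATION_LIMIT):
    """Return {vendor: share} for vendors whose share of active RAN sites exceeds the limit."""
    sites = Counter()
    for s in register:
        if s.get("ran_sites"):
            sites[s["name"]] += s["ran_sites"]
    total = sum(sites.values())
    return {v: n / total for v, n in sites.items() if total and n / total > limit}


def audit(register, limit=RAN_CONCENTRATION_LIMIT):
    """Run all checks over the register and return the combined findings."""
    findings = []
    for s in register:
        findings.extend(check_supplier(s))
    for vendor, share in check_ran_concentration(register, limit).items():
        findings.append(f"RAN concentration: {vendor} supplies {share:.0%} of sites (limit {limit:.0%})")
    return findings


# Constructed sample register; vendor names and site counts are illustrative only.
FULL_TIER1 = ["cybersecurity_standards", "incident_notification", "audit_rights",
              "subcontractor_visibility", "vulnerability_disclosure", "right_to_terminate"]
SAMPLE_REGISTER = [
    {"name": "RAN vendor A", "tier": "Tier 1", "ran_sites": 700, "hrv_designated": True,
     "contract_signed": True, "clauses": FULL_TIER1},
    {"name": "RAN vendor B", "tier": "Tier 1", "ran_sites": 300, "contract_signed": True,
     "clauses": FULL_TIER1},
    {"name": "Billing platform", "tier": "Tier 2", "contract_signed": False,
     "clauses": ["cybersecurity_standards", "incident_notification", "vulnerability_disclosure"]},
    {"name": "Transit provider", "tier": "Tier 3", "contract_signed": True,
     "clauses": ["incident_notification"]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_REGISTER):
        print(line)
```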

For operators already planning open RAN (O-RAN) deployments, the disaggregated architecture adds a new supply chain dimension: software vendors for the O-DU and O-CU become direct suppliers whose security practices fall within Art. 21(2)(d) scope. O-RAN does not simplify the supplier register — it typically expands it.

What the CSA2 Proposal Will Change: Binding 36-Month Phase-Out and Penalty Exposure

The current 5G Toolbox is a soft-law instrument with no binding enforcement mechanism at the EU level. The proposed Cybersecurity Act 2 (CSA2), announced in early 2025, changes this substantially. [6]

Under CSA2, the European Commission gains the power to designate specific countries or entities as “high-risk suppliers” across all NIS2 sectors — not just telecommunications — based on criteria including: government disclosure obligations in the supplier’s home country, oversight gaps, and “substantiated indications of malicious cyber activities.” [6] A Commission designation would be binding across all 27 member states, closing the current fragmentation problem where Germany bans a vendor that Spain still permits.

For mobile network operators, the telecom-specific provision is the most pressing: mandatory phase-out of high-risk components within 36 months of CSA2 adoption for mobile networks, with implementation timelines for fixed and satellite networks set via separate Commission acts. [8] Given the expected adoption timeline of late 2026 or early 2027 [6], operators procuring RAN equipment now are making commitments that will extend into CSA2’s enforcement window.

CSA2 also raises the penalty ceiling. Current NIS2 penalties for essential entities under Art. 34(4) reach a maximum of “at least EUR 10 000 000 or at least 2% of total worldwide annual turnover”, whichever is higher. [2] CSA2 introduces a higher ceiling of 7% of global turnover for serious supply chain violations — a significant escalation for large network operators whose global turnover runs to tens of billions.

The practical implication is that a thorough Art. 21(2)(d) supplier register is not just a current compliance deliverable; it is the foundation document for your CSA2 readiness assessment. Operators who have completed the four-step implementation (policy, risk assessment, contractual flow-downs, supplier register) will be positioned to identify their HRV exposure, quantify the phase-out cost, and demonstrate a compliance trajectory when CSA2 audits begin.

Four Documents Your Organisation Needs for the Supply Chain Audit Trail

When a national competent authority conducts an Art. 21 review — whether as a routine supervision exercise or triggered by an incident — supply chain evidence typically falls into four document categories. These are not a comprehensive compliance programme; they are the minimum evidentiary baseline auditors request first. [7][4]

1. Supply chain security policy. A written, board-approved policy defining which suppliers are in scope, how they are tiered by criticality, what minimum security standards apply to each tier, and how often the policy is reviewed. The policy should reference Art. 21(2)(d) explicitly and map to your organisation’s wider ISMS if you have one.

2. Supplier risk register. A live document (not a one-time spreadsheet) listing each in-scope supplier, their assigned tier, the date of their last risk assessment, the current risk rating, any outstanding findings, and the status of contractual compliance. For HRV-designated suppliers, the register should include a mitigation section documenting current controls and the transitional timeline.

3. Contract addenda or updated SLAs. Evidence that in-scope supplier contracts contain the Art. 21(2)(d)-aligned clause set described above — or, where full renegotiation is pending, a signed interim security schedule. Undated or unsigned drafts do not count as evidence of a binding obligation.

4. HRV impact assessment (if applicable). If any of your direct suppliers are nationally designated HRVs, you need a standalone document assessing the specific risks they introduce, the mitigation controls in place, and the phase-out or risk-acceptance rationale. This document becomes especially important under CSA2, where binding phase-out obligations will attach to Commission-level HRV designations. For context on how public sector entities handle mandatory supplier relationships that cannot simply be terminated, the public administration supply chain article covers the risk-acceptance documentation approach.

Frequently Asked Questions

Does Article 21(2)(d) apply to roaming partners and international interconnect providers?

If the relationship meets the “direct supplier or service provider” threshold — meaning the partner’s systems could affect the availability, integrity, authenticity, or confidentiality of your network — then yes. Roaming hubs with access to your SS7 infrastructure and transit providers with BGP peering relationships are typically in scope, though at a lower criticality tier than RAN or core vendors.

What is the legal relationship between the 5G Toolbox and NIS2 Art. 21(2)(d)?

The 5G Toolbox is a soft-law instrument produced by the NIS Cooperation Group. It has no direct legal force on operators. However, member-state measures taken pursuant to the toolbox — such as statutory HRV restrictions — are national law and are relevant to your Art. 21(2)(d) supplier risk assessment because they create a specific, documented supplier vulnerability you are obligated to address.

If my member state has not restricted any vendors, does HRV status still affect my Art. 21(2)(d) assessment?

Yes, in two ways. First, even in the absence of a national restriction, the risk factors identified in the 5G Toolbox assessment criteria — such as a vendor’s legal obligation to provide access to a non-EU government — are legitimate inputs to your own supplier risk assessment. Second, the CSA2 proposal, once adopted, will introduce Commission-level HRV designations binding across all member states. Operators that have assessed and documented those risk factors now will face fewer surprises when binding obligations arrive.

Key Takeaways

  • Article 21(2)(d) requires entity-specific supply chain risk assessment — not sector-wide reliance on shared registers.
  • Member-state 5G Toolbox HRV designations create specific Art. 21(2)(d) documentation obligations for operators using or phasing out that equipment.
  • Tier 1 suppliers (RAN, 5G Core) warrant full contractual clause sets including vulnerability disclosure, incident notification, audit rights, and sub-contractor visibility.
  • Multi-vendor RAN strategy is a documentable Art. 21(2)(d) resilience measure — operators should record it in their supply chain security policy with a concentration-limit target.
  • CSA2 (expected late 2026/2027) will replace the voluntary 5G Toolbox with binding EU-level HRV designations and a 36-month mobile network phase-out obligation.
  • The four audit-trail documents — policy, supplier register, contract addenda, HRV impact assessment — are the minimum baseline for an Art. 21(2)(d) supervision review.

Sources

  1. NIS2 Directive Article 21 — Cybersecurity Risk-Management Measures, nis-2-directive.com (primary text)
  2. NIS2 Directive Article 34 — General Administrative Fines, nis-2-directive.com (primary text)
  3. NIS2 CIR 2024/2690: Cybersecurity Requirements for EU Digital Infrastructure, Advisera
  4. NIS2 Technical Implementation Guidance v1.0, ENISA (June 2025)
  5. ICT Supply Chain Security — EU Adopts a Toolbox to Mitigate Risks, European Commission
  6. New EU Cybersecurity Package: NIS2 Amendments and ICT Supply Chain Security Framework, Cobalt Legal
  7. NIS2 Directive Explained Part 3: Supply Chain Security, DLA Piper (December 2025)
  8. European Commission Proposal: Telecom and 17 Other Critical Industries from High-Risk Suppliers, Strand Consult