NIS2 Art.21.2d: Supply Chain Security
What This Control Requires
The measures referred to in paragraph 1 shall include at least the following: (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.
In Plain Language
SolarWinds and Log4j proved that your security is only as strong as the weakest link in your supply chain. NIS2 requires organisations to systematically assess and manage cybersecurity risks from suppliers, service providers, and third parties - not just during procurement, but throughout the entire relationship.
The scope here goes well beyond traditional vendor management. It covers software dependencies, cloud service providers, managed service providers, and anyone with access to your network or data. You need to understand the security posture of your direct suppliers and, for the most critical ones, the risks introduced by their suppliers further down the chain.
This is not a one-time exercise. Supplier risk profiles change. New vulnerabilities emerge. Acquisitions shift a vendor's security posture. You need ongoing monitoring and management processes that catch these changes and trigger reassessment when conditions shift.
How to Implement
Write a supply chain security policy defining how you identify, assess, and manage cybersecurity risks across your supplier ecosystem. Apply risk-based due diligence requirements proportionate to how critical each supplier relationship is.
Build a register of every supplier and service provider that touches your network, data, or systems, or whose products are critical to your operations. Classify each by risk level, factoring in access to sensitive data, service criticality, geographic location, and regulatory standing.
Establish a due diligence process for assessing supplier cybersecurity maturity. Use security questionnaires, review certifications (ISO 27001, SOC 2), set penetration testing requirements where appropriate, and conduct on-site audits for high-risk suppliers.
Put cybersecurity requirements into every relevant contract and SLA. Cover data protection obligations, incident notification timelines, right-to-audit clauses, subcontractor management expectations, and business continuity requirements. If it is not in the contract, you cannot enforce it.
Monitor suppliers on an ongoing basis. Run periodic reassessments, track supplier security incidents, use continuous monitoring tools or services where practical, and verify that suppliers are meeting their contractual security obligations.
Plan for supply chain incidents specifically. Your incident response plan should include scenarios where a supplier is compromised - communication protocols, containment measures, and impact assessment steps.
Review and update your supply chain security programme regularly based on emerging threats, lessons from incidents, and regulatory changes.
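As an added example, not code from this page or from AuditFront, the following Python sketch turns the register, classification and ongoing-monitoring steps above into something checkable: each supplier is tiered on the four factors named above, and three conditions (overdue periodic review, a recorded incident, an expired certification) reopen its assessment. The tier thresholds, review intervals and supplier entries are assumed or constructed values, not figures from NIS2.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed reassessment intervals per risk tier (policy values, not from NIS2).
REASSESS_DAYS = {"high": 180, "medium": 365, "low": 730}

@dataclass
class Supplier:
    name: str
    sensitive_data_access: bool   # touches personal or confidential data
    service_critical: bool        # an outage would disrupt essential operations
    high_risk_location: bool      # geographic location flagged by your policy
    regulatory_concern: bool      # poor regulatory standing or sanctions exposure
    last_assessed: date
    certification_expiry: Optional[date] = None  # ISO 27001 / SOC 2 expiry
    incidents_since_assessment: int = 0

def classify(s: Supplier) -> str:
    """Risk tier from the four factors: two or more hits is high, one is medium."""
    hits = sum([s.sensitive_data_access, s.service_critical,
                s.high_risk_location, s.regulatory_concern])
    return "high" if hits >= 2 else "medium" if hits == 1 else "low"

def reassessment_triggers(s: Supplier, today: date) -> list:
    """Conditions that should reopen a supplier assessment before the next cycle."""
    triggers = []
    if today - s.last_assessed > timedelta(days=REASSESS_DAYS[classify(s)]):
        triggers.append("periodic review overdue")
    if s.incidents_since_assessment > 0:
        triggers.append("supplier incident recorded")
    if s.certification_expiry is not None and s.certification_expiry < today:
        triggers.append("certification expired")
    return triggers

def due_for_reassessment(register: list, today: date) -> dict:
    """Map each supplier that needs attention to the reasons why."""
    return {s.name: t for s in register if (t := reassessment_triggers(s, today))}

# Constructed sample register and a constructed "today" for the run.
AS_OF = date(2025, 1, 15)
REGISTER = [
    Supplier("cloud-host", True, True, False, False, date(2024, 6, 1),
             certification_expiry=date(2025, 1, 1)),
    Supplier("office-cleaning", False, False, False, False, date(2023, 9, 1)),
    Supplier("payroll-saas", True, False, False, False, date(2024, 11, 1),
             incidents_since_assessment=1),
]
```

Calling `due_for_reassessment(REGISTER, AS_OF)` returns only the suppliers with open triggers, which is the list a monitoring process would hand to the assessment owner.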
Evidence Your Auditor Will Request
- Supply chain security policy approved by management
- Supplier register with risk classifications
- Supplier due diligence assessment records and results
- Contracts and SLAs with cybersecurity clauses
- Records of ongoing supplier monitoring and periodic reassessments
Common Mistakes
- Supplier risk assessments performed only during procurement and never updated
- Contracts lack specific cybersecurity requirements or incident notification clauses
- No visibility into sub-supplier (fourth-party) risks
- Shadow IT and unauthorised SaaS usage bypass the supplier management process
- Supplier due diligence is purely checkbox-based without meaningful security evaluation