
NIS2 Supply Chain Security: Article 21(2)(d) Explained

NIS2 Article 21(2)(d) makes supply chain security mandatory for all in-scope entities. Learn what assessments are required, how to evaluate suppliers, and what ENISA's guidelines say.

TL;DR

Article 21(2)(d) requires all NIS2 entities to actively manage the cybersecurity of their supply chain. This includes assessing direct suppliers, security clauses in contracts, reviewing patch management and vulnerability disclosure, and contingency planning for critical supplier failure.

Supply chain cyberattacks have increased considerably in recent years. The SolarWinds attack, the MOVEit campaign, and the Kaseya VSA attack demonstrated how one compromised supplier can hit hundreds of downstream organisations. NIS2 responds with mandatory supply chain security requirements.

This guide explains what Article 21(2)(d) specifically requires, how to classify and assess suppliers, which contractual clauses are needed, and what the requirements for software suppliers under the EU Cyber Resilience Act (CRA) mean.

What Article 21(2)(d) Requires Exactly

The wording is broader than many expect. Entities must assess and manage the following:

Security in the supply chain: assessing the security measures deployed by suppliers and service providers, not just technical controls but also processes and governance.
Overall security practice assessment: reviewing the supplier's general cybersecurity posture, including internal policies, incident history, and certifications.
Vulnerability disclosure policies: checking whether suppliers have a formal CVD (Coordinated Vulnerability Disclosure) policy and how they handle security vulnerabilities in their products.
Secure development practices: for software suppliers, assessing Secure SDLC practices, code review processes, release security testing, and signing practices.

Classifying Suppliers: The Tier Model

Not all suppliers are equally important or equally risky. A pragmatic criticality-based classification helps focus assessment effort on the most important suppliers:

Critical
  • Description: direct access to critical systems or data; failure impacts core services
  • Examples: cloud infrastructure, MSSP, core ERP, SCADA partner
  • Minimum requirements: full assessment, certification evidence, right to audit, annual re-assessment
Important
  • Description: access to sensitive data; supports important processes
  • Examples: SaaS HR, CRM provider, backup services
  • Minimum requirements: standardised questionnaire, certification preferred, biennial re-assessment
Standard
  • Description: general services with no critical system access
  • Examples: office supplies, general cloud tools, consulting
  • Minimum requirements: self-declaration; escalate classification if scope changes

ENISA Supply Chain Security Guidelines

ENISA published specific supply chain security guidelines under NIS2 in December 2023. The key recommendations:

Categorise suppliers by criticality to your services
Define minimum security requirements per supplier tier
Deploy a standardised security questionnaire for all Tier-1 suppliers
Include contractual security clauses in all supplier agreements
Include right-to-audit clauses in contracts with critical suppliers
Conduct regular (at least annual) re-assessment of all critical suppliers
Systematically track security incidents from suppliers
Create contingency plans for the failure of critical suppliers

Sample Contract Clauses for Supplier Agreements

The following clauses form a baseline to include in supplier contracts. Have your legal team adapt these to your specific situation:

1. Minimum security standards

The supplier declares that it maintains cybersecurity measures in accordance with [ISO 27001 / CyberFundamentals / NIS2 Article 21] and will provide corresponding evidence on request.

2. Incident notification obligation

The supplier commits to notifying the customer immediately, and no later than 24 hours after becoming aware, of any security incident that could affect the services or systems used by the customer.

3. Right to audit

The customer has the right to verify the supplier's security measures once per year via a security questionnaire or, where there is justified cause, via an on-site inspection. The supplier commits to fully cooperating in such reviews.

4. Patch management

Security patches for all systems exposed to the customer must be applied following publication within [14 days for critical / 30 days for high] severity.

5. Sub-processors

The supplier may delegate tasks that involve access to the customer's systems to sub-processors only with the customer's prior written consent. The same security requirements apply to all sub-processors.

Software Supply Chain: SBOM and the Cyber Resilience Act

NIS2 does not mention a Software Bill of Materials (SBOM) explicitly, but the EU Cyber Resilience Act (CRA), applying from 2027, makes SBOMs mandatory for manufacturers of products with digital elements. For NIS2 entities that deploy software, this creates a practical framework:

NIS2 (Art. 21(2)(d))
  • Assessment of your suppliers' software security practices
  • Ask about: CVD policy, Secure SDLC, patch release history
  • Assess deployed open-source components for known vulnerabilities
Cyber Resilience Act (from 2027)
  • Manufacturers must provide SBOM: full list of all software components
  • Security updates mandatory over the full product lifecycle
  • NIS2 entities should request SBOMs from software suppliers now to prepare

Practical Implementation: 5 Steps

1. Create a supplier inventory
List all third-party vendors and service providers that have access to your networks, systems, or data, including cloud services, managed services, and software vendors. Do not overlook indirect access points such as IT support or remote maintenance.

2. Classify suppliers by criticality
Use the tier model (Critical, Important, Standard) from this article. Critical suppliers are those whose failure or compromise would directly impact your critical services. Each tier gets different requirements.

3. Deploy security questionnaires
Develop standardised questionnaires based on ENISA guidelines or use industry frameworks (SIG-Lite, CAIQ). For critical suppliers: request direct audits or certification evidence (ISO 27001, SOC 2). Do not simply accept every answer: ask follow-up questions when responses are unclear or generic.

4. Formalise contractual requirements
Include the minimum clauses from this article in all new and renewed supplier contracts: security standards, incident notification obligation, audit right, patch management, sub-processor rules. Existing contracts without such clauses should be renegotiated at the next renewal.

5. Continuous monitoring
Track security news about critical suppliers, monitor CVE databases for deployed software products, and schedule annual re-assessments. Respond to disclosed security incidents at suppliers with a risk assessment and, if appropriate, escalation.
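The SBOM-driven vulnerability check that the CRA section and step 5 describe (matching a supplier's SBOM against known-vulnerability data), as an added example that is not part of the original article. The CycloneDX SBOM and the OSV-style advisory list are constructed inline with placeholder identifiers so the script runs offline; in practice the advisories would come from a CVE/OSV feed and the SBOM from the supplier.

```python
"""Match a supplier-provided CycloneDX SBOM against known-vulnerability advisories."""
import json

# Constructed CycloneDX 1.5 SBOM, as a supplier might deliver it (not real product data).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "vendor-portal", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "libexample", "version": "1.4.2",
     "purl": "pkg:generic/libexample@1.4.2"},
    {"type": "library", "name": "jsonparse", "version": "2.0.9",
     "purl": "pkg:npm/jsonparse@2.0.9"},
    {"type": "library", "name": "netutil", "version": "3.1.0",
     "purl": "pkg:pypi/netutil@3.1.0"}
  ]
}"""

# Constructed advisory feed in an OSV-like shape: half-open ranges [introduced, fixed).
# The identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "pkg:npm/jsonparse", "severity": "high",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.1.0"}]},
    {"id": "ADV-PLACEHOLDER-0002", "package": "pkg:pypi/netutil", "severity": "critical",
     "ranges": [{"introduced": "0", "fixed": "3.0.5"}]},  # fixed before the deployed version
]

def parse_version(v):
    """Dotted numeric version -> comparable tuple; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def in_range(version, rng):
    """True if version lies in [introduced, fixed); a missing 'fixed' means still unpatched."""
    v = parse_version(version)
    fixed = rng.get("fixed")
    return parse_version(rng["introduced"]) <= v and (fixed is None or v < parse_version(fixed))

def match_sbom(sbom_json, advisories):
    """Return (component, version, advisory id, severity) for every affected SBOM entry."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        base_purl = comp.get("purl", "").split("@", 1)[0]  # strip the version qualifier
        for adv in advisories:
            if adv["package"] == base_purl and any(in_range(comp["version"], r) for r in adv["ranges"]):
                findings.append((comp["name"], comp["version"], adv["id"], adv["severity"]))
    return findings

if __name__ == "__main__":
    for name, version, adv_id, severity in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{severity.upper():8} {name} {version} is affected by {adv_id}")
```

Each finding maps directly to the contract's patch-management clause: the severity decides which remediation deadline applies to the supplier.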

FAQ

Do we need to assess all suppliers, or only the most important ones?
NIS2 refers to 'direct suppliers and service providers'. In practice, you should assess all Tier-1 suppliers with access to your critical systems. For non-critical suppliers, a self-assessment questionnaire is sufficient.
What happens if a supplier does not meet the requirements?
You must document the risk and either agree on an improvement plan with the supplier, compensate the risk through your own controls, or change supplier. The authority may ask about your risk assessment and actions taken during an audit.
Does the supply chain obligation apply to cloud services too?
Yes. Cloud providers, SaaS solutions, and managed service providers with access to your systems or data fall under the supply chain security obligation of Article 21(2)(d).
How often do we need to re-assess suppliers?
ENISA recommends annual re-assessment for critical suppliers. For important suppliers, every two years is sufficient. Additional re-assessment should be triggered when a supplier discloses a security incident, when the service changes materially, or when new vulnerabilities in deployed products are disclosed.
Can I accept ISO 27001 or SOC 2 as sufficient evidence?
ISO 27001 and SOC 2 Type II are good starting points and cover many NIS2-relevant controls. However, you should check whether the certificate is still valid, whether the scope covers the relevant services, and whether the audit report contains significant findings. A certification does not relieve you of your own risk assessment obligation.

Supply chain as part of your gap assessment

Our Article 21 Gap Assessment tool includes specific controls for supply chain security under NIS2.
