
Your Supplier Contracts Are Now Part of NIS2 Compliance

By NIS2Certify
Tags: NIS2, supplier contracts, supply chain, Article 21, SME, compliance, cybersecurity

Your biggest customer just sent you a new contract addendum. It includes cybersecurity requirements you have never seen before: incident notification obligations, vulnerability management processes, evidence of risk assessments, and the right to audit your security controls. This is not a corporate preference. It is NIS2.

If you supply goods or services to any organisation that falls under the NIS2 Directive, your contracts are about to change — or they already have.

The Legal Basis: Article 21(2)(d) and Implementing Regulation 2024/2690

NIS2 Article 21(2)(d) requires entities in scope to address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

That is the directive. The specifics come from EU Implementing Regulation 2024/2690, which details exactly what entities must do. Article 5.1.4 of this regulation is the clause that changes supplier relationships across the EU. It specifies that contracts between NIS2-regulated entities and their suppliers must include:

  • Cybersecurity requirements that the supplier must meet
  • Obligations that extend to subcontractors — the requirements cascade at least two layers deep
  • Audit rights allowing the regulated entity to verify compliance
  • Incident notification requirements from supplier to regulated entity
  • Vulnerability management obligations

This is not guidance. It is legally binding in every EU member state that has completed NIS2 transposition — currently Germany, Belgium, Italy, Hungary, Poland, and several others. More countries activate every quarter.

Supply Chain Cascade Effect — How a Breach Spreads

[Figure: three-tier cascade diagram, summarised below]

Origin of breach — Tier 1 Supplier Compromised: a critical IT service provider or software vendor suffers a cyberattack.

Direct Impact (Tier 2) — cascades to direct customers:
  1. Essential entity A loses access to critical services
  2. Essential entity B has sensitive data exposed
  3. Important entity C faces operational disruption

Indirect Impact (Tier 3) — spreads further downstream:
  1. Downstream clients of entity A affected
  2. Regulatory investigation triggered across the chain
  3. NIS2 incident reporting cascade for all impacted entities
  4. Reputational and financial damage spreads sector-wide

Who Is Affected? More Companies Than You Think

NIS2 directly regulates essential and important entities: energy companies, hospitals, transport operators, digital infrastructure providers, water utilities, and more. These organisations number in the tens of thousands across the EU.

But here is where it gets interesting for SMEs. Every one of those regulated entities has suppliers. And under Article 21(2)(d), they must assess the cybersecurity posture of those suppliers and include security requirements in their contracts.

That means you are affected if:

  • You provide IT services (managed services, cloud hosting, software development) to a company in a NIS2 sector
  • You supply components or raw materials to a manufacturer classified as essential or important
  • You handle logistics, transport, or warehousing for a regulated entity
  • You provide professional services (consulting, legal, accounting) that involve access to a regulated entity's systems or data
  • You are a subcontractor to any of the above — the chain goes two layers deep

A 30-person software company building custom applications for a Dutch hospital? In scope through the contract. A Polish MSP managing servers for a German energy company? In scope. A Belgian logistics firm handling transport for a French water utility? Same story.

The critical insight: you do not need to be a NIS2 entity yourself to face NIS2 requirements. The obligations reach you through your customer's contracts.

What Will These Contract Clauses Look Like?

Based on the Implementing Regulation and early enforcement patterns across the EU, expect your NIS2-regulated customers to include clauses covering these areas:

1. Security Baseline Requirements

Your customer will define minimum cybersecurity standards you must meet. These typically align with the ten security measures in Article 21(2), including:

  • Risk analysis and information system security policies
  • Incident handling procedures
  • Business continuity and crisis management
  • Cryptography and encryption policies where appropriate
  • Human resources security and access control
  • Multi-factor authentication

2. Incident Notification Obligations

You will be required to notify your customer of any security incident that could affect their systems or data. The timeframes mirror NIS2's own reporting requirements — typically 24 hours for early warning, 72 hours for full notification. Your customer needs this because they have their own reporting obligations under Article 23.

3. Audit and Verification Rights

Expect clauses granting your customer (or their auditor) the right to verify your security controls. This may include:

  • Requesting evidence of security certifications (ISO 27001, SOC 2)
  • On-site or remote security assessments
  • Periodic self-assessment questionnaires
  • Access to penetration test results or vulnerability scan reports

4. Subcontractor Flow-Down

If you use subcontractors, you will be required to impose equivalent cybersecurity requirements on them. This is the cascade effect — your customer's NIS2 obligations flow through you to your suppliers. The chain extends at least two layers.

5. Termination Clauses

Many contracts will include the right to terminate if you fail to meet the cybersecurity requirements or if you experience a significant security breach that is not adequately resolved.

What This Means Concretely for SMEs

Let us be direct about the practical impact:

The good news: Most of what NIS2 demands through supplier contracts aligns with basic cybersecurity hygiene that any well-run business should already have. If you have decent access controls, patch management, backup procedures, and incident response plans, you are not starting from zero.

The reality: Many SMEs do not have these measures documented and formalised. Having good practices is not enough — you need evidence. Contracts will require you to demonstrate compliance, not just claim it.

The opportunity: Companies that prepare now gain a competitive advantage. When your competitor cannot demonstrate NIS2-aligned security measures and you can, you win the contract. This is already happening in Germany, where BSI enforcement has made supplier security a boardroom priority.

Here is a practical approach:

  1. Identify which of your customers are NIS2 entities. Check if they operate in essential or important sectors. If unsure, ask them directly — they will know.
  2. Run a gap analysis against Article 21 measures. A step-by-step NIS2 gap analysis identifies where you meet the requirements and where you have gaps.
  3. Document everything you already do. Many SMEs have adequate security practices but zero documentation. Start with written policies for access control, incident response, and backup procedures.
  4. Address the gaps. Prioritise based on what your customers are likely to demand first: incident notification capability, access control, and vulnerability management.
  5. Prepare your evidence package. Create a supplier security profile that you can share with customers: certifications, policies, last audit date, incident response contact.

Take the free NIS2 Quick Scan to find out in five minutes where your organisation stands against Article 21 requirements.

NIS2 vs ISO 27001 — Requirements Comparison

NIS2 Only:
  • Mandatory incident reporting to authorities (24h / 72h)
  • Board-level personal liability for cybersecurity
  • Supply chain security obligations for essential entities
  • Sector-specific regulatory obligations

Shared Requirements (covered by both NIS2 and ISO 27001):
  • Information security risk management
  • Access control and identity management
  • Business continuity and disaster recovery
  • Security awareness and training

ISO 27001 Only:
  • Internal audit and management review cycles
  • Statement of Applicability (SoA) documentation
  • Formal certification and third-party audit

The Timeline Is Now

This is not a future problem. The contractual requirements are already flowing in countries with completed NIS2 transposition:

  • Germany: NIS2UmsuCG in force since December 2025. BSI registration deadline passed in March 2026. Regulated entities are actively updating supplier contracts.
  • Belgium: Full operational maturity. Supply chain assessments are part of routine compliance.
  • Italy: ACN is publishing sector-specific guidance through September 2026. Implementation measures deadline: October 2026.
  • Poland: NIS2 law entered into force in March 2026. Registration deadline: 3 October 2026.
  • Netherlands: Cyberbeveiligingswet (Cbw) vote imminent after March 2026 parliamentary debate. Expected in force Q2 2026.
  • Austria: NISG 2026 takes full effect 1 October 2026.

Every country that goes live means more regulated entities sending updated contracts to their suppliers. If you operate across borders — and most supply chains do — the wave of contractual requirements is building fast.

Three Mistakes to Avoid

Mistake 1: "We are not in NIS2 scope, so this does not apply to us." This is the most common and most costly misconception. You may not be a NIS2 entity, but your customers are. Their compliance obligations become your contractual obligations. Ignoring this means losing contracts.

Mistake 2: "We will deal with it when we get the contract." By the time the contract addendum arrives, your customer expects a response within weeks, not months. Running a gap analysis, implementing measures, and documenting evidence takes 3-6 months minimum. Start before the contract lands.

Mistake 3: "An ISO 27001 certification covers everything." ISO 27001 is an excellent foundation, but NIS2 has specific requirements (incident reporting timelines, supply chain cascading, governance obligations under Article 20) that go beyond generic information security management. Use your ISO framework as a starting point, then map the NIS2-specific gaps.

Key Takeaways

  • NIS2 Article 21(2)(d) and Implementing Regulation 2024/2690 Article 5.1.4 make cybersecurity clauses in supplier contracts legally mandatory for regulated entities.
  • SMEs that supply to NIS2 entities are indirectly in scope through contractual requirements — even if they are not NIS2 entities themselves.
  • The cascade effect is real: requirements flow from regulated entity to supplier to subcontractor, at least two layers deep.
  • Preparation is a competitive advantage. Companies that can demonstrate NIS2-aligned security win contracts. Those that cannot, lose them.
  • Penalties for NIS2-regulated entities can reach €10 million or 2% of global turnover. They have strong financial incentives to ensure their suppliers comply — and to replace those who do not.

Sources: DLA Piper — NIS2 Directive Explained Part 3: Supply Chain Security, DIESEC — NIS2 for SMEs, Turing Law — NIS2 and Contracting, EU Implementing Regulation 2024/2690, NIS2 Directive 2022/2555 Article 21(2)(d).
