
NIS2 Supply Chain Security: Why It Affects You Even If NIS2 Doesn't Apply Directly

By NIS2Certify
Tags: nis2, supply-chain, cybersecurity, suppliers, article-21

You've checked the NIS2 criteria. Your organisation doesn't have 50 employees. You're not in one of the 18 sectors. NIS2 doesn't apply to you — right?

Not so fast. Article 21(2)(d) of the NIS2 Directive requires every covered entity to secure its supply chain. In practice, this means your customers who fall under NIS2 will pass those requirements down to you. The ripple effect is massive.

This article explains how NIS2 supply chain requirements work, what your customers will demand from you, and how to prepare.


How Article 21(2)(d) creates a chain reaction

NIS2 entities must take measures to secure their supply chain, including:

  • Assessing the cybersecurity practices of each direct supplier
  • Evaluating the overall quality of products and security practices of suppliers
  • Considering the results of EU-level coordinated supply chain risk assessments

This is not a vague recommendation. It's a legal obligation. And the most practical way for NIS2 entities to meet it is to impose requirements on their suppliers — contractually.

Supply Chain Cascade Effect — How a Breach Spreads (infographic)

Origin of breach: Tier 1 supplier compromised. A critical IT service provider or software vendor suffers a cyberattack.

Direct impact (Tier 2), cascading to direct customers:
  1. Essential entity A loses access to critical services
  2. Essential entity B has sensitive data exposed
  3. Important entity C faces operational disruption

Indirect impact (Tier 3), spreading further downstream:
  1. Downstream clients of entity A affected
  2. Regulatory investigation triggered across the chain
  3. NIS2 incident reporting cascade for all impacted entities
  4. Reputational and financial damage spreads sector-wide

The chain doesn't stop with you. If you have your own suppliers who handle sensitive data or connect to your systems, you may need to pass similar requirements down to them.


What your customers will require from you

Based on NIS2 Article 21 and emerging industry practices, here are the most common requirements NIS2 entities impose on their suppliers:

Contractual requirements

Category                   Typical requirement
Incident notification      Notify the customer within 24-48 hours of a security incident that may affect them
Security standards         Demonstrate compliance with ISO 27001 or equivalent, or pass a security assessment
Access control             MFA on all accounts with access to customer data or systems
Data protection            Encryption at rest and in transit for all customer data
Vulnerability management   Regular patching with defined SLAs (e.g., critical patches within 72 hours)
Right to audit             Allow the customer (or their auditor) to assess your security posture
Sub-processor management   Disclose and manage security of your own sub-processors
Business continuity        Demonstrate backup and disaster recovery capabilities

Assessment requirements

Beyond contractual clauses, your customers may also require:

  • Completion of a security questionnaire (such as SIG, CAIQ, or a custom one)
  • Evidence of penetration testing results (within the last 12 months)
  • Proof of employee security training
  • A copy of your incident response plan
  • Details of your data processing locations and practices

Which suppliers are most affected?

Not all suppliers face the same level of scrutiny. The impact depends on what you provide and what access you have:

NIS2 vs ISO 27001 — Requirements Comparison (infographic)

NIS2 only:
  • Mandatory incident reporting to authorities (24h / 72h)
  • Board-level personal liability for cybersecurity
  • Supply chain security obligations for essential entities
  • Sector-specific regulatory obligations

Shared requirements:
  • Information security risk management
  • Access control and identity management
  • Business continuity and disaster recovery
  • Security awareness and training

ISO 27001 only:
  • Internal audit and management review cycles
  • Statement of Applicability (SoA) documentation
  • Formal certification and third-party audit

The centre column of the graphic ("Shared requirements") shows requirements that both NIS2 and ISO 27001 share.

MSPs and MSSPs are doubly affected: they likely fall under NIS2 directly (ICT service management B2B is in Annex I) AND they face supply chain requirements from their customers. This creates both an obligation and an opportunity — if you can demonstrate NIS2-level security, you become the preferred supplier.


The business case: why this is an opportunity

Supply chain security requirements aren't just a burden — they're a competitive differentiator.

If you're ready, you win deals. When a NIS2 entity evaluates suppliers, the one that can demonstrate strong cybersecurity practices gets the contract. The one that can't, doesn't.

If you're not ready, you lose deals. Organisations under NIS2 are legally required to assess their supply chain. If you can't satisfy their requirements, they will find a supplier who can — regardless of your price or relationship history.

Consider this:

  • ~160,000 organisations in the EU fall directly under NIS2
  • Each one has dozens to hundreds of suppliers
  • All of these suppliers will face new cybersecurity requirements
  • The organisations that prepare early will have a significant competitive advantage

How to prepare as a supplier

Step 1: Understand what your customers will need

Start conversations with your key customers now. Ask them:

  • Are they in scope for NIS2?
  • What cybersecurity requirements will they be adding to supplier contracts?
  • What timeline are they working towards?
  • Do they have a specific security questionnaire or assessment process?

Step 2: Assess your current security posture

Map your existing security measures against what NIS2 entities typically require. Key areas:

  • Do you have MFA on all accounts with access to customer data?
  • Can you notify customers of a security incident within 24-48 hours?
  • Do you encrypt customer data at rest and in transit?
  • Do you have a patch management process with defined SLAs?
  • Can you provide evidence of penetration testing?
  • Do you have an incident response plan?
  • Are your staff trained in security awareness?

Step 3: Close the gaps

Prioritise based on what your customers are likely to require first:

  1. MFA everywhere — cheapest, fastest, biggest impact
  2. Incident notification process — your customers will need this for their own NIS2 reporting
  3. Encryption in transit and at rest — table stakes for any modern supplier
  4. Documented security policies — even basic ones demonstrate maturity
  5. Regular vulnerability scanning and patching — with defined SLAs
  6. Security awareness training for all staff

Step 4: Be proactive

Don't wait for your customers to ask. Being proactive shows leadership:

  • Create a security page on your website summarising your security practices
  • Prepare a security questionnaire response in advance
  • Get certified — ISO 27001 is the gold standard, but even Cyber Essentials or similar schemes add credibility
  • Offer transparency — proactive communication about your security posture builds trust

A note for MSPs and MSSPs

If you're a managed service provider or managed security service provider, you're in a unique position:

  • You likely fall under NIS2 directly (ICT service management B2B, Annex I)
  • Your customers expect you to help them become NIS2 compliant
  • You face supply chain requirements from your own customers who are under NIS2

This creates a powerful business case: if you invest in NIS2-level security and can demonstrate it with assessments and reports, you can:

  • Retain existing customers who need NIS2-compliant suppliers
  • Win new customers who are looking for suppliers that understand NIS2
  • Offer NIS2 compliance as a service — helping your customers with their own assessments

Key takeaway

NIS2's supply chain requirements mean that cybersecurity is no longer just about protecting your own organisation. It's about being a trustworthy link in a chain that spans the entire European economy.

Whether NIS2 applies to you directly or not, if your customers are in the EU and in the 18 covered sectors, NIS2 will affect your business. The question is whether you'll be ready when they come asking.


Find out where you stand

Our free NIS2 quickscan assesses your organisation against all 10 Article 21 measure categories — including supply chain security. Even if NIS2 doesn't apply to you directly, the scan shows how ready you are to meet the requirements your customers will impose.

