NIS2 Supply Chain Security: What Article 21 Requires from Your Suppliers

NIS2 does not just regulate your own cybersecurity posture. Article 21 requires organisations in scope to address security risks that originate in their supply chain — including the security practices of vendors, software providers, and managed service providers who have access to your systems or data.

This is one of the most practically demanding aspects of NIS2 for SMEs, and one of the least well understood. This guide explains what the obligation covers, how to assess your suppliers, and what contractual protections you need in place.

Why Supply Chain Is Explicitly in Scope

The inclusion of supply chain security in NIS2 is a direct response to the scale of recent attacks exploiting third-party access. The SolarWinds compromise, the Kaseya ransomware incident, and numerous managed service provider breaches demonstrated that targeting suppliers to reach their customers is an effective and increasingly common attack vector.

Under NIS2, regulators cannot accept "our supplier was compromised" as an adequate defence. You are responsible for managing the risk that your suppliers introduce — and for being able to evidence that you have done so.

What Article 21 Specifically Requires

Article 21(2)(d) requires organisations to implement measures addressing "security in supply chains, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

This requires you to:

  • Identify which suppliers have access to your systems, networks, or sensitive data
  • Assess the security practices and posture of those suppliers
  • Contractually require appropriate security standards from suppliers with significant access
  • Monitor ongoing supplier compliance rather than treating it as a one-time exercise
  • Include supply chain risk in your organisation's broader risk register and risk management framework

The level of scrutiny required is proportionate to the risk a supplier poses — a cloud provider with access to all your data warrants more rigorous assessment than a courier service.

How to Classify Your Suppliers

Start by segmenting your supplier base by risk:

Critical suppliers — those with privileged access to your systems, data, or infrastructure. Managed IT service providers, cloud platforms holding operational data, security software vendors, payroll and HR systems. These require formal security assessment and contractual security obligations.

Important suppliers — those with limited but meaningful access, or suppliers whose failure would cause operational disruption. CRM platforms, communication tools, facilities management with physical access. These warrant a lighter-touch questionnaire and contractual data protection obligations.

Low-risk suppliers — those with no system access and no access to sensitive data. Typically your standard commercial suppliers. Standard contractual protections and periodic review are sufficient.

How to Assess Critical Suppliers

For critical suppliers, your assessment should cover:

  • Do they hold any recognised security certifications? (ISO 27001, SOC 2, Cyber Essentials)
  • What is their patch management and vulnerability disclosure process?
  • How do they handle access management and MFA for staff with access to your systems?
  • What is their own incident response and notification process? Will they notify you promptly if a breach could affect you?
  • Do they have a documented business continuity and disaster recovery plan?
  • How do they manage their own supply chain and sub-processors?

ShieldIQ's vendor questionnaire module includes a standard assessment covering each of these areas, with automatic risk scoring and integration into your risk register.

Contractual Requirements

Contracts with critical suppliers should include:

  • A requirement to maintain appropriate technical and organisational security measures
  • Notification obligations — the supplier must notify you promptly in the event of a security incident that could affect your organisation
  • The right to audit the supplier's security practices (or accept third-party audit reports)
  • Sub-processor controls — suppliers cannot engage their own sub-contractors with access to your data without your knowledge and approval
  • Data return and deletion obligations on contract termination

For suppliers who also act as data processors under GDPR, a Data Processing Agreement covering these obligations is already required.

Ongoing Management

Supply chain security is not a one-time due diligence exercise. Suppliers change their infrastructure, staff, and sub-contractors. Their security posture can deteriorate. New vulnerabilities emerge in software you rely on.

Build a cadence into your supplier risk programme: annual reassessment of critical suppliers, updated questionnaires when contracts renew, and monitoring of disclosed vulnerabilities in software your critical suppliers provide.

How ShieldIQ Supports Supply Chain Security

ShieldIQ's vendor risk module allows you to maintain a classified supplier inventory, send and track security questionnaires, auto-generate risks from poor responses, and link supplier risks to your NIS2 compliance posture. Supplier risk is visible alongside your other GRC data — not managed in a separate spreadsheet.