Supply chain attacks have become one of the defining cyber threats of our era. The SolarWinds compromise, the Kaseya attack, and countless smaller incidents have demonstrated that adversaries increasingly target the trusted relationships between organizations and their suppliers. Rather than attacking a hardened enterprise directly, attackers exploit a weaker link in the supply chain to gain access to multiple downstream targets simultaneously.
NIS2 responds to this threat directly: vendor security is no longer a best practice — it is a legal obligation. Article 21(2)(d) explicitly requires organizations to address security in supply chain relationships, including the relationships between suppliers and their own service providers. If your vendors have poor security, that is now your compliance problem.
What NIS2 Requires for Supply Chain Security
NIS2 Article 21(2)(d) mandates that in-scope organizations implement measures addressing "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."
This means you must:
- Identify suppliers and service providers that are relevant to the security of your network and information systems
- Assess the cybersecurity practices of those suppliers
- Manage and monitor risks arising from those relationships on an ongoing basis
- Consider the overall quality and resilience of the products and services your vendors provide
- Address vulnerabilities in commercially available ICT products and services from your supply chain
The obligation extends beyond your direct suppliers. If a critical service you rely on is itself dependent on a high-risk sub-supplier, that risk must be part of your assessment. NIS2 effectively requires a view of your supply chain that goes at least one level deep.
What This Means in Practice
Translating Article 21(2)(d) into operational reality means building a structured approach to vendor security — not a one-time questionnaire exercise, but an ongoing program. In practice, this involves:
- Vendor security questionnaires: Structured assessments of supplier security controls, policies, and certifications (ISO 27001, SOC 2, etc.)
- Security clauses in contracts: Contractual obligations requiring suppliers to maintain specific security standards, notify you of incidents affecting your data or systems, and permit audits
- Ongoing monitoring: Regular re-assessments, incident notification requirements, and tracking of publicly known vulnerabilities affecting vendor products
- Right to audit: The ability to request evidence of supplier security measures or conduct independent assessments
Which Suppliers Matter Most?
Not every supplier carries the same risk. For NIS2 purposes, you should prioritize the suppliers and service providers that have the greatest potential to compromise your network and information systems if they were breached or failed. These typically include:
- Critical IT infrastructure vendors — providers of firewalls, endpoint security, network equipment, and identity management systems
- Cloud service providers — infrastructure-as-a-service, platform-as-a-service, and software-as-a-service providers that host or process critical data or applications
- Managed service providers (MSPs) — third parties with privileged remote access to your systems
- Software vendors — providers of business-critical applications, especially those with elevated system access or data processing functions
- Outsourced services — providers of outsourced IT operations, security monitoring, or data processing
- Telecommunications providers — organizations providing connectivity to your systems
How to Build a Vendor Risk Program
A practical NIS2-compliant vendor risk program can be built in four stages:
Supplier Inventory
Create a complete inventory of all suppliers and service providers that have access to, or that your network and information systems depend on. For each one, record the key details: what systems they access, what data they process, and what services they provide.
Risk Classification
Classify each supplier by risk level — critical, high, medium, or low — based on the access they have, the criticality of the services they provide, and the potential impact of a breach or failure. Apply a tiered approach: higher scrutiny for higher-risk suppliers.
Assessment Process
For critical and high-risk suppliers, conduct structured security assessments: questionnaires, review of certifications and audit reports (ISO 27001, SOC 2 Type II), and where necessary, on-site or remote audits. Document your findings and track remediation.
Contractual Requirements
Embed security requirements in all contracts with critical and high-risk suppliers: minimum security standards, incident notification timelines (align with your NIS2 reporting obligations), right to audit, data processing obligations, and termination rights for serious security failures.
Supply Chain Security and ISO 27001
If your organization is ISO 27001 certified or working toward certification, you already have a framework for supplier security. ISO 27001:2022 Annex A includes four supplier-related controls that map closely to NIS2 requirements:
ISO 27001:2022 Annex A — Supplier Controls
- 5.19 — Information security in supplier relationships: Policies and processes for managing supplier security risks
- 5.20 — Addressing information security within supplier agreements: Contractual security requirements for suppliers
- 5.21 — Managing information security in the ICT supply chain: Managing security risks related to ICT products and services from the supply chain
- 5.22 — Monitoring, review and change management of supplier services: Ongoing oversight and re-assessment of supplier security
If you have implemented these controls well, you have a solid foundation for NIS2 supply chain compliance. The key difference is that NIS2 converts these best practices into a legal obligation with regulatory enforcement. A gap assessment can confirm whether your existing controls are sufficient or whether your supplier program needs strengthening to meet the NIS2 standard.
Start With Your Top 10 Critical Vendors
If you're at the beginning of your supply chain security journey, don't attempt to assess every vendor simultaneously. Start with your top 10 most critical suppliers — the ones whose breach, failure, or malicious action would have the most significant impact on your operations and your NIS2 obligations. Build your process there, document what you learn, and expand the program systematically.
A supplier inventory, a risk classification, initial assessments for your top-tier vendors, and updated contractual clauses — completed within 6 months — puts you in a defensible position with your national authority and demonstrates the kind of proportionate, documented approach that NIS2 supervisors look for.
Assess Your Supply Chain Risk
BALTUM Bureau offers supply chain risk assessment as part of our comprehensive NIS2 consulting services. We help you identify critical vendors, build your assessment framework, and meet the Article 21(2)(d) requirements with confidence.