February 2026
NIS 2 and supply chain security: What your third-party vendors need to know
By Swapna De., Managing Director, AuditVantage® GmbH
NIS 2 does not stop at your organisation's boundary. Supply chain security is an explicit Article 21 obligation. What does that mean in practice for how you work with your vendors, and what does it mean for vendors who serve NIS 2 customers?
What Article 21(2)(d) actually says
Article 21(2)(d) of the NIS 2 Directive requires entities to take "supply chain security" measures, "including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." The German implementation via NIS2UmsuCG operationalises this through specific due diligence and contractual obligations.
This is not a box-ticking vendor questionnaire. It is a continuous risk management obligation covering your entire vendor portfolio, with particular focus on suppliers whose compromise could disrupt your essential or important service.
The most common supply chain breach pattern in 2024 and 2025 was compromise of a smaller vendor that had privileged access to a larger customer. NIS 2 is explicitly targeting this pattern.
What you owe your vendors as a NIS 2 entity
Risk-based tiering. Not every vendor warrants the same scrutiny. Vendors with privileged access, critical data, or operational dependency sit in a higher tier and warrant more intensive controls.
Contractual security requirements. Security clauses, audit rights, incident notification obligations, and right-to-terminate language appropriate to the risk tier.
Ongoing assessment. Initial due diligence is not enough. Material changes to the vendor's posture, incidents, or scope require reassessment. A typical cadence is annual for critical vendors.
Incident flow-through. Your incident reporting obligations under Article 23 extend to incidents originating at or through vendors. Your contracts need to ensure you hear about them in time.
What this means if you are the vendor
Expect NIS 2 customers to ask you for: a documented information security programme (ISO 27001 or equivalent evidence), incident notification commitments with tight timelines, a DPA (data processing agreement) and SCCs (standard contractual clauses) for any personal data processing, vulnerability management and patching commitments, and a contractual right to audit.
Vendors that can satisfy these requests quickly win contracts. Vendors that take six months to respond to a security questionnaire get replaced.
The practical next step
Classify your vendor portfolio by risk tier this quarter. Map existing contracts to identify where security clauses are weak or absent. Prioritise contract renegotiation for the top tier. And build a standard security addendum, one document, consistently applied, that saves your legal team and your vendors time.
Frequently asked questions
Related questions on this topic, answered from the audit chair.
Do I need to cascade NIS 2 requirements to my subcontractors?
Yes. Article 21(2)(d) requires supply chain security as one of the ten mandatory cybersecurity risk-management measures. This includes assessing the security of suppliers and service providers, ensuring contractual security obligations, and managing supply chain risk on an ongoing basis. The obligation flows down: your subcontractors are part of your supply chain, and their failures can become your reportable incidents.
What contractual clauses should I add to supplier agreements?
At minimum: defined security obligations aligned to your risk tier, breach and incident notification obligations with timelines that allow you to meet your own NIS 2 reporting deadlines, audit rights or assurance equivalents, sub-processor disclosure and approval, and termination rights for material security failures. For critical suppliers, ongoing assurance obligations (independent audit, evidence of certification, security questionnaires) are standard.
What documentation does NIS 2 supply chain security require?
A supplier register with risk classification, supplier risk assessments, security clauses in contracts, evidence of supplier security posture (certifications, audit reports, attestations), and a process for ongoing review. The documentation must allow you to demonstrate, at audit or under regulatory inquiry, that you understand which suppliers handle which information assets and what security obligations apply to each.
How do automotive OEMs handle supply chain security differently?
Automotive OEMs cascade TISAX requirements down to suppliers, with assessment levels (AL 1, AL 2, AL 3) determined by the sensitivity of the information shared. Prototype protection at AL 3 is significantly stricter than general TISAX. The TISAX label is the contractual evidence the OEM relies on. NIS 2 supply chain obligations apply in parallel where the automotive supplier itself is in scope of NIS 2.
Can I rely on a supplier certification as evidence of supply chain security?
Certifications such as ISO 27001 or SOC 2 are useful evidence, but they do not by themselves discharge your NIS 2 supply chain obligation. The certification tells you the supplier operates a management system to a defined standard; it does not tell you the specific services you consume are within the certified scope, or that the supplier handles your specific information assets to that standard. The risk assessment is yours.
What happens if my supplier has a security incident?
If the incident significantly affects your operations or the essential or important service you provide, your incident reporting obligation under Article 23 is triggered regardless of where the incident originated. Your contracts should require timely supplier notification so you can meet your own 24-hour early warning and 72-hour notification deadlines. Delays in supplier notification do not extend your regulatory timeline.