NIS 2 does not stop at your organisation's boundary. Supply chain security is an explicit Article 21 obligation. What does that mean in practice for how you work with your vendors — and what does it mean for vendors who serve NIS 2 customers?

What Article 21(2)(d) actually says

Article 21(2)(d) of the NIS 2 Directive lists "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers" among the minimum cybersecurity risk-management measures every essential and important entity must take. Article 21(3) adds that, when deciding which measures are appropriate, entities must take into account the vulnerabilities specific to each direct supplier and the overall quality of their suppliers' products and cybersecurity practices, including their secure development procedures. The German implementation via the NIS2UmsuCG operationalises this through specific due diligence and contractual obligations.

This is not a box-ticking vendor questionnaire. It is a continuous risk management obligation covering your entire vendor portfolio, with particular focus on suppliers whose compromise could disrupt your essential or important service.

A recurring supply chain breach pattern in 2024 and 2025 was the compromise of a smaller vendor that held privileged access to a larger customer: the attacker breaks the weaker party, then uses its legitimate credentials or network connectivity to reach the real target. That relationship between an entity and its direct suppliers is exactly what Article 21 is aimed at.

What you owe your vendors as a NIS 2 entity

Risk-based tiering. Not every vendor warrants the same scrutiny. Vendors with privileged access to your systems, custody of critical data, or an operational dependency (you cannot deliver your service without them) sit in a higher tier and warrant more intensive controls. Tier by what a vendor can reach or disrupt, not by contract value: a small managed service provider with administrative access to your estate belongs in the top tier even if the spend is trivial.

Contractual security requirements. Security clauses, audit rights, incident notification obligations, flow-down of equivalent requirements to the vendor's own subcontractors, and right-to-terminate language, each scaled to the risk tier. Article 21(2)(d) speaks of direct suppliers; flow-down is how you reach the suppliers behind them.

Ongoing assessment. Initial due diligence is not enough. A material change in the vendor's security posture, an incident at the vendor, or a change in the scope of what the vendor does for you triggers a reassessment. On top of that event-driven review, a typical cadence is annual for critical vendors and less frequent for the lower tiers.

Incident flow-through. Your incident reporting obligations under Article 23 extend to incidents originating at or through vendors, and the clock starts when you become aware of a significant incident: early warning within 24 hours, incident notification within 72 hours, final report within one month. Your contracts need to bind vendors to notification timelines short enough that a vendor-side incident still leaves you room to meet those deadlines, and should name the channel and the contact, not just the obligation.

What this means if you are the vendor

Expect NIS 2 customers to ask you for: a documented information security programme (ISO 27001 certification or equivalent evidence), incident notification commitments with timelines measured in hours rather than days, a data processing agreement (DPA) for any personal data you process on their behalf and standard contractual clauses (SCCs) where that data is transferred outside the EU/EEA, vulnerability management and patching commitments with defined remediation windows, evidence of secure development practices if you ship software, and a contractual right to audit.

Vendors that can satisfy these requests quickly win contracts. Vendors that take six months to respond to a security questionnaire get replaced.

The practical next step

Classify your vendor portfolio by risk tier this quarter, and build the vendor list from what actually has access (identity provider accounts, VPN and remote access grants, API keys and integrations) rather than from procurement records alone, because the vendors with standing access are the ones that matter most. Map existing contracts to identify where security clauses are weak or absent. Prioritise contract renegotiation for the top tier. And build a standard security addendum, one document consistently applied, that saves your legal team and your vendors time.