12 June 2024

NIS2 and Supply Chain Security: How Supply Chains Become Compliance Risks

NIS2 explicitly obliges companies for the first time to secure their supply chains. This means: risk assessment for all critical suppliers, contractual security requirements, and continuous monitoring.

TL;DR

NIS2 explicitly obliges companies for the first time to secure their supply chains. This means: risk assessment for all critical suppliers, contractual security requirements, and continuous monitoring. Companies that lack control over their supply chain remain liable nonetheless.

The SolarWinds hack in 2020 demonstrated how devastating supply chain attacks can be: a single compromised software update reached over 18,000 organizations worldwide. NIS2 draws the consequences from this.

What NIS2 Specifically Requires

Article 21 of the NIS2 Directive requires affected companies to implement measures for “supply chain security, including security between each company and its direct suppliers or service providers.” Specifically, this means:

  • Risk assessment: Identification and evaluation of cybersecurity risks for all critical suppliers
  • Contractual requirements: Security clauses in supplier contracts (patch management, incident notification, audit rights)
  • Monitoring: Continuous monitoring of the security status of key suppliers
  • Documentation: Verifiable documentation of all measures for audits

The Cascade Effects

NIS2 directly affects over 30,000 companies in Germany. But the supply chain requirements act as a multiplier: even suppliers that are not themselves subject to NIS2 are indirectly regulated through the contractual requirements of their customers. Estimates put the number of indirectly affected companies at over 100,000.

Practical Example: Software Supply Chain

A medium-sized manufacturing company uses 47 different SaaS services and 12 critical software products from third-party providers. Under NIS2, it must:

  1. Inventory all software suppliers
  2. Conduct a risk assessment for each supplier
  3. Include security requirements in contracts
  4. Regularly check whether suppliers meet the requirements
  5. Maintain an emergency plan for the failure of critical suppliers

Tools and Frameworks

For practical implementation, the following are recommended:

  • SBOM (Software Bill of Materials): Inventory of all software components and their dependencies
  • SecurityScorecard / BitSight: External risk assessment of suppliers
  • ISO 27036: Standard for information security in supplier relationships
  • NIST CSF Supply Chain Risk Management: Comprehensive framework for supply chain security

Key Facts

  • NIS2 Article 21 explicitly requires supply chain security
  • Over 100,000 companies in Germany indirectly affected
  • SBOM becomes the standard for software supply chains
  • Contractual security clauses will be necessary for all suppliers
  • SolarWinds, Kaseya, and Log4j have accelerated regulation

Fact: The NIS2 reporting obligation requires an initial report to the competent authority within 24 hours.

Fact: Under NIS2, managing directors are personally liable for implementing cybersecurity requirements.

Frequently Asked Questions

My supplier is not subject to NIS2. Do I still need to take action?

Yes. Your obligation to secure the supply chain exists regardless of whether your supplier is subject to NIS2. You must assess the risk and take appropriate measures.

How do I prioritize my suppliers?

Prioritize them by their criticality to your business and by their access to your systems and data. A SaaS provider with access to customer data is more critical than an office furniture supplier.

How Does NIS2 Differ from the GDPR?

The GDPR protects personal data, while NIS2 secures the cybersecurity of networks and information systems. NIS2 requires technical and organizational measures, reporting obligations within 24 hours, and regular risk assessments – with significantly shorter deadlines than the GDPR.

Header Image Source: Pexels / Yena Kwon

About the author: Benedikt Langer

A magazine by Evernine Media GmbH