NIS2 Compliance
Supply Chain Security Requirements in NIS2
Simone Nogara
August 2025 · 7 min read
Supply chain compromise has become one of the most effective attack vectors against well-defended organisations. NIS2 responds by making supply chain security mandatory under Article 21(2)(d)—but what constitutes “appropriate” measures, and how should PE firms approach this across diverse portfolios?
Article 21(2)(d): The Legal Requirement
Article 21 of NIS2[1] establishes ten minimum cybersecurity risk-management measures. Paragraph 2(d) specifically requires “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” This extends the entity's security perimeter beyond its own organisational boundaries.
Article 21(3) elaborates: entities must assess vulnerabilities specific to each direct supplier, evaluate overall product quality and cybersecurity practices (including secure development procedures), and consider results of coordinated security risk assessments at EU or national level. This creates a technical due diligence obligation requiring active assessment beyond contractual assurances. Recital 85 reinforces that supply chain security extends throughout the full lifecycle of ICT products and services, from design through end of life.
What Constitutes “Appropriate” Measures
NIS2 requires “appropriate and proportionate” measures, assessed by risk exposure, entity size, incident likelihood and severity, and societal impact. A large essential entity providing critical digital infrastructure faces different expectations than a medium-sized important entity in food production.
Foundational elements for any compliant programme: identify supply chain dependencies (especially suppliers whose compromise could affect in-scope services); assess critical suppliers' cybersecurity posture through direct assessment, certifications, or documented methodologies; establish contractual provisions addressing security requirements, incident notification, and audit rights; and implement ongoing monitoring of supplier risk profiles.
The European Union Agency for Cybersecurity (ENISA)[2] recommends regular supply chain risk assessments, supplier inventories with criticality ratings, minimum security requirements by supplier tier, and integration of supply chain risk into overall risk management. The ACN[3] in Italy references ENISA guidance as a benchmark for adequacy.
Critical Vendor Identification
Not all suppliers require the same scrutiny. A tiered approach allocates resources proportionately. Critical vendors are those whose products or services are integral to in-scope service delivery, or whose compromise could directly affect confidentiality, integrity, or availability. Common categories: infrastructure providers (cloud, hosting, network), software vendors processing sensitive data, managed service providers with privileged access, and physical security providers. For PE portfolios, critical vendors often include shared services provided by the PE firm or centralised portfolio entities.
Assess criticality across several dimensions: degree of system/data access, replaceability (sole-source dependencies create higher risk), geographic and jurisdictional factors, and the supplier's own supply chain dependencies—risk cascades through subcontractor tiers.
Contractual Security Requirements
Contractual provisions formalise security expectations. Effective clauses should address: minimum security standards (referenced to ISO 27001[4], NIST CSF[5], or sector-specific standards); incident response and notification timelines aligned with or shorter than NIS2 timelines; audit and assessment rights for compliance verification; subcontracting controls with flow-down of security requirements; and termination provisions for security failures.
For Private Equity portfolio companies, achieving consistent contractual coverage often requires systematic contract review and renegotiation. Prioritise updates based on supplier criticality and remaining contract term—address highest-risk relationships first while planning for comprehensive coverage at renewal.
Ongoing Monitoring
Supply chain security is not satisfied by point-in-time assessment. Suppliers may experience personnel turnover, financial distress, acquisitions, or security incidents that alter their risk profile. For critical suppliers, continuous monitoring through security rating services, threat intelligence, and regular assessments provides near-real-time visibility. For less critical suppliers, annual or biennial reassessment supplemented by event-driven reviews provides proportionate coverage.
Define escalation triggers: a material decline in a critical supplier's security posture should initiate enhanced assessment, remediation requirements, contingency planning, or transition to alternatives. Document triggers, escalation processes, and response options to ensure monitoring generates actionable governance outcomes.
Vendor Assessment Programme Design
Integrate identification, assessment, contractual, and monitoring elements into a coherent lifecycle. Begin with supplier inventory and criticality classification. A three-tier model is typical: Tier 1 (critical) receives comprehensive assessment, stringent contractual requirements, and continuous monitoring; Tier 2 (significant) receives standard assessment and periodic monitoring; Tier 3 (routine) receives light-touch assessment and standard terms.
Combine questionnaire-based evaluation (SIG, CAIQ, or NIS2-aligned bespoke), evidence review (certifications, audit reports, policies), and for Tier 1, direct technical assessment such as penetration testing of supplier interfaces or security architecture reviews.
PE Portfolio Supply Chain Governance
PE firms must ensure each portfolio company implements appropriate measures while accommodating variation in size, sector, maturity, and supplier ecosystems. At portfolio level, establish a supply chain security policy framework with minimum standards, standardised templates for questionnaires and contractual clauses, and centralised procurement of security rating services to create economies of scale.
Portfolio-level visibility enables identification of concentration risks invisible at entity level. If multiple companies depend on the same critical supplier—a shared cloud provider, ERP vendor, or payment processor—that supplier's compromise creates correlated risk across the portfolio.
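The following Python block is an added illustration (not code from the article or from any tool it cites) of how the criticality dimensions above (access, replaceability, jurisdiction, subcontractor depth), the three-tier model, and the portfolio-level concentration check can be expressed as a repeatable calculation over a supplier inventory. The ordinal scales, weights, tier thresholds, and every supplier record are constructed assumptions for the example; a real programme would calibrate them to its own risk appetite and in-scope services.

```python
"""Supplier criticality tiering and portfolio concentration check.

Added example: scoring scales, weights, thresholds and supplier records
are assumptions constructed for illustration, not values from the article.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ordinal scales for the criticality dimensions (assumed values).
ACCESS = {"none": 0, "data": 2, "privileged": 3}          # degree of system/data access
REPLACEABILITY = {"commodity": 0, "limited": 1, "sole_source": 3}
JURISDICTION = {"eu": 0, "adequate": 1, "elevated": 2}    # jurisdictional exposure
IN_SCOPE_WEIGHT = 3                                        # integral to in-scope service delivery
MAX_CASCADE = 2                                            # cap on subcontractor-depth contribution


@dataclass(frozen=True)
class Supplier:
    name: str
    company: str              # portfolio company that depends on this supplier
    in_scope_service: bool    # integral to NIS2 in-scope service delivery
    access: str               # key into ACCESS
    replaceability: str       # key into REPLACEABILITY
    jurisdiction: str         # key into JURISDICTION
    subcontractor_tiers: int  # depth of the supplier's own supply chain


def criticality_score(s: Supplier) -> int:
    """Sum the dimension scores; risk cascades through subcontractor tiers, capped."""
    score = ACCESS[s.access] + REPLACEABILITY[s.replaceability] + JURISDICTION[s.jurisdiction]
    score += min(s.subcontractor_tiers, MAX_CASCADE)
    if s.in_scope_service:
        score += IN_SCOPE_WEIGHT
    return score


def assign_tier(s: Supplier) -> int:
    """Map a score onto the three-tier model (thresholds are assumptions)."""
    score = criticality_score(s)
    if score >= 7:
        return 1  # critical: comprehensive assessment, continuous monitoring
    if score >= 4:
        return 2  # significant: standard assessment, periodic monitoring
    return 3      # routine: light-touch assessment, standard terms


def tier_counts(suppliers) -> dict:
    """Number of supplier relationships per tier, for portfolio reporting."""
    counts = {1: 0, 2: 0, 3: 0}
    for s in suppliers:
        counts[assign_tier(s)] += 1
    return counts


def concentration_risks(suppliers, min_companies: int = 2) -> dict:
    """Tier-1 suppliers relied on by at least `min_companies` portfolio companies.

    A compromise of any supplier returned here would create correlated risk
    across the listed companies, which entity-level inventories cannot reveal.
    """
    companies_by_supplier = defaultdict(set)
    for s in suppliers:
        if assign_tier(s) == 1:
            companies_by_supplier[s.name].add(s.company)
    return {
        name: sorted(companies)
        for name, companies in companies_by_supplier.items()
        if len(companies) >= min_companies
    }


# Constructed sample inventory: three hypothetical portfolio companies.
SAMPLE = [
    Supplier("CloudCo", "AlphaCo", True, "privileged", "limited", "eu", 1),
    Supplier("CloudCo", "BetaCo", True, "privileged", "limited", "eu", 1),
    Supplier("PayProc", "AlphaCo", True, "data", "sole_source", "elevated", 2),
    Supplier("PayProc", "GammaCo", True, "data", "sole_source", "elevated", 2),
    Supplier("OfficeSupply", "AlphaCo", False, "none", "commodity", "eu", 0),
    Supplier("HRSaaS", "BetaCo", False, "data", "limited", "adequate", 1),
    Supplier("MSP-Guard", "GammaCo", True, "privileged", "sole_source", "eu", 0),
]


if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.company:8} {s.name:13} score={criticality_score(s):2} tier={assign_tier(s)}")
    print("tier counts:", tier_counts(SAMPLE))
    print("portfolio concentration:", concentration_risks(SAMPLE))
```

In the sample, the shared cloud provider and the payment processor surface as concentration risks because each is Tier 1 for more than one company, while the managed service provider, although Tier 1, is used by a single company and is therefore an entity-level concern only. Running the same scoring across all portfolio inventories is what makes the comparison meaningful; applying different weights per company would hide exactly the correlated exposure the check is meant to reveal.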
Cross-Border Considerations
Suppliers outside the European Union may be subject to foreign government access requirements (US CLOUD Act, China's National Intelligence Law) creating potential conflicts with EU data protection and security obligations. Assess jurisdictional risks for suppliers processing sensitive data or accessing critical systems. Monitor EU-level coordinated supply chain assessments under Article 21(3) and incorporate findings into risk management.
For PE-backed entities, cross-border supply chain considerations are particularly relevant during international expansion or when acquisition targets have supplier relationships in elevated-risk jurisdictions. Technical due diligence should include supply chain security assessment as a standard component.