NIS2 y riesgo de cadena de suministro TIC: lo que las empresas necesitan saber

NIS2 Supply Chain Risk: What Article 21 Requires from Your ICT Vendors and Subcontractors

The NIS2 Directive — Directive (EU) 2022/2555 — is the EU's updated framework for supply chain cybersecurity EU 2025 compliance and beyond. It entered into force on 16 January 2023, with a Member State transposition deadline of 17 October 2024. Among its most operationally demanding provisions is the NIS2 Article 21 supply chain security obligation: in-scope entities must manage and assess the cybersecurity risks arising from their relationships with direct suppliers and service providers. For NIS2 directive 2025 compliance, that obligation does not stop at your own perimeter — it extends to every ICT vendor and subcontractor whose compromise could cascade into your systems.

KEY DEFINITION — NIS2 ART. 21(2)(d) + RECITAL 85

Supply Chain Security — Directive (EU) 2022/2555

Article 21(2)(d) NIS2: Essential and important entities must adopt cybersecurity risk-management measures that include "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." The measures must be proportionate to the risk, taking into account the entity's exposure, size, implementation costs, and the likelihood and severity of incidents.

Recital 85 NIS2: The legislature explicitly addressed the supply chain dimension, noting that "the security of network and information systems is increasingly dependent on supply chains" and that entities should assess "the overall quality of products and cybersecurity practices of their suppliers and service providers." Recital 85 also acknowledges that supply chain risk varies by sector — entities in different sectors face different threat profiles from their vendor ecosystems.

Recital 86 NIS2: Reinforces that assessments should consider documented evidence of cybersecurity practices in the vendor's own supply chain — meaning the obligation flows down the chain, not just to your immediate suppliers. Entities are expected to contractually require their direct vendors to maintain security standards that are themselves auditable.

NIS2 SUPPLY CHAIN RISK — ENISA & EC DATA

29%

Of total NIS investment by EU operators of essential services is now allocated to third-party risk and supply chain security measures — up from under 15% in 2021. Source: ENISA NIS Investments Report 2024.

160,000+

Entities estimated to fall within NIS2 scope across the EU — approximately ten times more than under the original NIS Directive. The expansion covers medium and large enterprises in 18 critical sectors, including ICT service management, digital infrastructure, and manufacturing. Source: European Commission NIS2 Impact Assessment, SWD(2020) 345.

58%

Of significant cyber incidents reported to EU national CERTs in 2023 involved a compromised third-party supplier or ICT service provider as the initial access vector — making supply chain compromise the leading single root cause category. Source: ENISA Threat Landscape 2024.

€10M / 2%

Maximum administrative fines for essential entities under NIS2 Art. 34: up to €10 million or 2% of global annual turnover, whichever is higher. For important entities: up to €7 million or 1.4% of global annual turnover. Source: Directive (EU) 2022/2555, Art. 34(4)–(5).

Who does NIS2 apply to — and what is the difference between essential and important entities?

NIS2 applies to medium-size and large organisations operating in sectors listed in Annexes I and II of the Directive. Annex I covers "highly critical sectors" — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Annex II covers "other critical sectors" — postal and courier services, waste management, chemicals, food, manufacturing of certain products (medical devices, machinery, motor vehicles, electrical equipment), digital providers, and research.

The distinction between essential entities and important entities is primarily a supervisory and penalty question, not a question of which substantive obligations apply. Both categories must implement the same ten risk-management measures in Article 21 — including supply chain security under Art. 21(2)(d). For NIS2 important entities compliance, the obligations are identical in text; the regulatory oversight is lighter. NIS2 essential entities ICT vendors and subcontractors are subject to the same assessment requirements as those supplying important entities — the difference lies in how regulators oversee compliance and what fines apply if they fail.

Criteria

Essential Entities (Annex I)

Important Entities (Annex II)

Sector examples

Energy, banking, transport, health, digital infrastructure, ICT service management

Manufacturing, food, chemicals, postal services, digital providers (DNS, TLD, cloud)

Supervisory regime (Art. 32–33)

Proactive (ex ante) supervision — authorities can audit without prior incident

Reactive (ex post) supervision — audits triggered by incident or complaint

Maximum fine (Art. 34)

€10M or 2% global annual turnover

€7M or 1.4% global annual turnover

Supply chain obligation (Art. 21(2)(d))

Mandatory — same text applies to both categories

Transposition deadline

17 October 2024 (Member States); entities register and comply per national law

One practical consequence of this structure: if your organisation is a medium-size manufacturer of machinery (Annex II, important entity), you face the same supply chain security assessment obligation as a large bank (Annex I, essential entity). The implementation standard — proportionate to your size, exposure, and risk — differs. The legal obligation does not.

IgeraFincas — NIS2 Compliance Assistant

Compliance Manager — Mid-size Logistics Company

We're a mid-size logistics company operating across four EU Member States. Does NIS2 apply to us, and if so, what do we need from our software vendors?

IgeraFincas

Likely yes — transport (including logistics) is an Annex I highly critical sector under NIS2.

Here is the quick scoping checklist:

— Transport entities with 50+ employees or €10M+ annual turnover fall within NIS2 scope as essential entities (road transport operators with 250+ employees) or important entities (medium-size road transport operators). Your national competent authority's registration process confirms exact classification — several Member States have already opened registration portals.

— Under Art. 21(2)(d), you must assess the cybersecurity risks from your direct suppliers and service providers. This means your ERP provider, your transport management system (TMS), your cloud infrastructure vendor, and any SaaS tools handling operational or personal data are in scope for supply chain risk assessment.

— Concretely, for each critical ICT vendor you should request: evidence of their own cybersecurity programme (ISO 27001 certification or equivalent), their incident notification SLAs, their subcontractor list, and their data processing locations. Refuse or delay in providing this is itself a due diligence red flag.

— Under Art. 23, if a vendor incident causes a significant impact on your service delivery, you must notify your national CSIRT within 24 hours of becoming aware. Your contracts should require vendors to notify you within a shorter window so you can meet that obligation.

IgeraFincas maintains ISO 27001-aligned security documentation, a transparent subcontractor list, and contractual incident notification within 4 hours of a confirmed major incident — exactly what NIS2 Art. 21 supply chain assessments require from your document management vendors.

Compliance Manager — Mid-size Logistics Company

What's the fastest way to structure the vendor assessment? We have over 40 ICT suppliers.

Need an AI document tool that is already NIS2 supply chain-ready?

IgeraFincas provides documented security practices, subcontractor transparency, and contractual incident notification — the evidence package your NIS2 Art. 21(2)(d) supply chain assessment needs from every critical ICT vendor.

See IgeraFincas Security Documentation

What does Article 21 actually require — and how does it extend to ICT vendors and subcontractors?

Article 21(1) sets the headline obligation: essential and important entities must take "appropriate and proportionate technical, operational and organisational measures" to manage cybersecurity risks. Article 21(2) then specifies ten categories of measure that these policies must, at minimum, address. Supply chain security under Art. 21(2)(d) is one of the ten — alongside incident handling (Art. 21(2)(b)), business continuity and crisis management (Art. 21(2)(c)), encryption (Art. 21(2)(h)), and access control policies (Art. 21(2)(i)).

The supply chain obligation has three functional layers:

Identification of supply chain risk: Entities must identify which direct suppliers and service providers present cybersecurity risks — not just list every vendor, but assess which relationships could expose their network and information systems to attack, disruption, or unauthorised access if the supplier is compromised. ICT vendors with access to your systems, data, or infrastructure are the primary category of concern.

Assessment of supplier security practices: Per Recital 85, the assessment should consider "the overall quality of products and cybersecurity practices" of suppliers. In practice this means requesting and reviewing supplier security certifications (ISO 27001, SOC 2 Type II), penetration test summaries, vulnerability disclosure policies, and patch management procedures.

Contractual security requirements: The results of the assessment must be translated into contractual obligations — binding the supplier to maintain specific security standards, notify you of incidents within defined timeframes, and provide audit cooperation. ENISA's supply chain security guidelines for operators of essential services recommend that contracts specify minimum security baselines and trigger rights for security review on request.

NIS2 subcontractor obligations are addressed in Recital 86: entities should seek information about their direct suppliers' own supply chain security practices. This does not mean conducting due diligence on every second-tier vendor — that is operationally infeasible. It means asking your critical ICT vendors whether they themselves assess their subcontractors, and factoring the answer into your risk rating of that vendor relationship.

What do the NIS2 incident reporting obligations mean for your vendor contracts?

Article 23 NIS2 requires essential and important entities to notify their national computer security incident response team (CSIRT) or competent authority of any "significant incident" on a tight timeline: an early warning within 24 hours of becoming aware, a detailed incident notification within 72 hours, and a final report within one month. A "significant incident" is defined in Art. 23(3) as one causing severe operational disruption or financial losses, or affecting other persons through considerable damage.

The 24-hour early warning window creates a direct supply chain contract requirement. If a significant incident originates from a compromised ICT vendor — a software update containing malware, a cloud provider outage, a breach of a shared authentication system — your organisation becomes aware of the incident via the vendor, not independently. Unless your vendor contract requires the vendor to notify you promptly, you may miss the 24-hour window through no fault of your own systems team.

Best practice, endorsed by ENISA's supply chain risk management guidelines, is to require critical ICT vendors to notify you of any security incident affecting services they provide to you within four hours of the vendor classifying the incident as major. This gives your organisation time to assess significance, activate your own incident response procedures, and meet the Art. 23 notification obligation on time. This is a contractual clause — it must be in your vendor agreements, not just your internal policies.

STEP-BY-STEP GUIDE

5 Steps to Assess Your NIS2 Supply Chain Risk

1

Build a complete ICT supplier inventory

List every ICT vendor, cloud provider, SaaS platform, and managed service provider your organisation uses. For each, document what systems or data they can access, what business function they support, and whether a disruption or compromise of their service would affect your operations or customers. This is your baseline — without it, a supply chain risk assessment cannot be scoped.

2

Classify suppliers by criticality — prioritise the top tier

Apply a criticality rating to each supplier: high (direct access to core systems or sensitive data, single point of failure), medium (significant operational dependency, multiple alternatives exist), low (ancillary services). Focus your Art. 21(2)(d) assessment effort on high-criticality vendors first. Most organisations with 40+ ICT suppliers have 5–10 that are genuinely critical — start there.

3

Request and review vendor security documentation

For each critical vendor, formally request: current ISO 27001 or equivalent certification, most recent penetration test executive summary, vulnerability management policy, their own supply chain security practices summary, and a list of subcontractors with access to your data or systems. A vendor that cannot or will not provide these documents within 10 business days should be escalated to contract renegotiation — and the risk rating increased.

4

Update contracts with NIS2-aligned security clauses

Contracts with critical ICT suppliers should be updated to include: minimum security standards (aligned to ISO 27001 or the supplier's documented framework), a 4-hour incident notification obligation for major incidents affecting your services, audit cooperation rights, subcontractor change notification requirements, and a right to terminate if the supplier's security posture materially deteriorates. These clauses are the contractual operationalisation of Art. 21(2)(d).

5

Document the assessment and integrate it into your NIS2 risk management framework

Art. 21(1) requires measures that are "appropriate and proportionate" — and your competent authority's supervisory inspections will ask for evidence that the assessment was conducted, not just asserted. Document each vendor's risk rating, the evidence reviewed, the conclusions reached, and the contractual or operational measures taken. Review the assessment at least annually, and trigger an interim review whenever a critical vendor notifies you of a significant change to their infrastructure, subcontractors, or security posture.

How should NIS2 third-party risk management be documented to satisfy supervisory inspections?

NIS2 third-party risk management is not a one-time exercise — it is an ongoing programme that competent authorities can inspect at any point, particularly for essential entities subject to ex ante supervision under Art. 32. The key principle is that proportionate measures must be demonstrably implemented, not merely described in an internal policy. Supervisors look for evidence of actual assessment activity: vendor questionnaires sent and received, security certifications reviewed, contracts updated, and risk ratings recorded.

ENISA's supply chain cybersecurity guidelines recommend maintaining a structured vendor risk register that maps each critical supplier to the specific NIS2 Art. 21 risk categories they present exposure for: supply chain (Art. 21(2)(d)), incident handling (Art. 21(2)(b)), business continuity (Art. 21(2)(c)), and access control (Art. 21(2)(i)). For each entry, the register should record the last assessment date, the evidence reviewed, the risk rating, and the mitigation measure in place — whether contractual, technical, or procedural.

One frequently underestimated documentation obligation concerns management responsibility. Art. 20 NIS2 requires management bodies to approve cybersecurity risk-management measures and oversee their implementation — and management bodies can be held personally liable for infringements. This means NIS2 third-party risk management decisions — including the decision to onboard a critical ICT vendor without a completed security assessment — should be formally documented at board or senior management level, not delegated entirely to the IT or compliance function without oversight.

How does NIS2 supply chain compliance apply to AI and document management tools?

AI tools and document management platforms occupy a specific risk position in NIS2 supply chain assessments. These tools typically sit at the intersection of three risk factors: they process sensitive or confidential documents, they integrate with other core systems via APIs, and they are often SaaS products operated by vendors whose own infrastructure includes cloud subcontractors. From an Art. 21(2)(d) perspective, this combination pushes most AI document tools into the high-criticality category for any organisation handling regulated or sensitive information.

What should you ask your AI document tool vendor in a NIS2 supply chain assessment? The checklist maps directly to Recital 85's "quality of products and cybersecurity practices" standard:

Data processing locations: Where are documents stored and processed? Are any subcontractors outside the EEA involved in processing your data?

Access controls: What authentication mechanisms protect access to your documents? Is multi-factor authentication mandatory? What are the access review procedures?

Security certifications: Does the vendor hold ISO 27001 certification, SOC 2 Type II, or an equivalent independently audited standard?

Incident notification: What is the vendor's commitment for notifying you of security incidents affecting your data or service availability?

AI model infrastructure: If the tool uses third-party AI model APIs (e.g. for language processing), are those API providers themselves assessed as part of the vendor's supply chain?

IgeraFincas, an AI document tool designed for EU regulatory environments, is built with these requirements in mind. It provides documented security practices, transparent processing locations within the EEA, contractual incident notification commitments, and a clear subcontractor chain — the evidence base your NIS2 Art. 21 supply chain assessment requires. For compliance managers seeking to demonstrate due diligence over their AI vendor portfolio, tools that come with this documentation ready are materially easier to assess and approve than those that treat security questionnaires as an afterthought.

Simplify your NIS2 vendor assessment with a compliant AI document tool

IgeraFincas is designed for EU-regulated environments — with EEA data processing, ISO 27001-aligned security practices, and contractual incident notification. Request our NIS2 supply chain documentation pack.

Explore IgeraFincas

KEY TAKEAWAYS

NIS2 Art. 21(2)(d) requires both essential and important entities to assess and manage cybersecurity risks arising from direct supplier and service provider relationships. EU cybersecurity supply chain NIS2 obligations apply regardless of your entity category — the supervisory intensity and fines differ, the substantive supply chain security requirement does not.

Recitals 85–86 extend the expectation beyond your direct vendors: you should seek evidence that your critical ICT suppliers themselves assess their own supply chains. Ask your vendors about their subcontractor lists and their own third-party risk practices.

Art. 23's 24-hour early warning obligation for significant incidents creates a direct contract requirement: your critical ICT vendors must notify you of incidents promptly enough for you to meet your own reporting timelines. Four-hour incident notification from vendor to customer is the emerging contractual standard.

Essential entities face proactive (ex ante) supervision by competent authorities under Art. 32 — regulators can audit supply chain practices without waiting for an incident. Document your supply chain risk assessments and keep them current.

AI document tools and SaaS platforms that process sensitive data and connect to other core systems via APIs typically fall in the high-criticality vendor category under a proportionate NIS2 risk assessment. Prioritise these in your assessment programme.

Maximum fines: €10 million or 2% of global annual turnover for essential entities; €7 million or 1.4% for important entities (Art. 34). Both figures are per-infringement ceilings, not annual caps — repeated or ongoing violations compound the exposure.

Editorial Note — Last Updated June 2026

This article reflects NIS2 obligations as of June 2026. Regulatory requirements are drawn from Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, Articles 21 (cybersecurity risk-management measures), Article 23 (reporting obligations), Articles 32–33 (supervisory measures), Article 34 (general conditions for imposing administrative fines), Annexes I and II (scope), and Recitals 85–86 (supply chain security). Statistical data sourced from: ENISA NIS Investments Report 2024; ENISA Threat Landscape 2024; European Commission NIS2 Impact Assessment SWD(2020) 345; ENISA Guidelines on Supply Chain Cybersecurity for Operators of Essential Services, 2021 (updated guidance published 2024). References to ENISA supply chain recommendations reflect ENISA's published technical guidelines, not legally binding ENISA standards.

Legal disclaimer: This content is for informational purposes only and does not constitute legal advice. NIS2 compliance obligations depend on each organisation's sector, size, and Member State of establishment — national transposing legislation varies across the EU. Entities should seek qualified legal counsel in relevant Member States and engage their national competent authority for formal classification and compliance guidance. The NIS2 implementation landscape continues to evolve as Member States finalise transposing legislation and as the European Commission publishes implementing acts under Arts. 21 and 23.

NIS2 y riesgo de cadena de suministro TIC: lo que las empresas necesitan saber

COMPARTIR

Productos relacionados

IgeraFincas

Artículos relacionados

RAG vs ChatGPT para Contratación Pública: La Diferencia Clave

NIS2: guía para entidades esenciales e importantes — qué exige la directiva en 2026

GDPR + EU AI Act: cómo se solapan y qué debe hacer tu empresa en 2026