
NIS2 Supply Chain Security: 5 Clauses to Require from Your Suppliers
Sophie Martin
Legal Analyst — EU Digital Law
In early 2024, a European manufacturing company suffered a significant breach. The attacker did not target the company directly — they exploited a maintenance contractor's VPN credentials. The company was NIS2-compliant on its own systems. The supplier was not. The result: 18 days of production downtime, EUR 3.5 million in losses, and a formal inquiry from the national competent authority.
This is precisely the scenario that Article 21(2)(d) of Directive 2022/2555 is designed to prevent.
What NIS2 Requires for Supply Chain Security
Article 21 of Directive 2022/2555 requires essential and important entities to implement risk management measures that explicitly cover supply chain security. This includes direct suppliers and service providers — not just internal systems.
Four concrete obligations flow from this article. First, assess risks from direct suppliers and service providers, with specific attention to ICT service providers (MSPs, cloud providers, SaaS vendors). Second, incorporate cybersecurity clauses into supplier contracts. Third, continuously monitor the security posture of critical suppliers. Fourth, maintain documented evidence of these assessments for regulatory review.
The ENISA Technical Implementation Guidance confirms that supply chain risk management must be systematic, documented, and proportionate to the criticality of the supplier.
Why Suppliers Are Your Largest Attack Surface
According to ENISA, 62% of significant security incidents in 2023 involved third-party access. MSPs and cloud service providers account for the majority of these vectors. A supplier without mandatory multi-factor authentication (MFA) on shared access is an open door. A subcontractor storing your data outside the EU without contractual safeguards creates simultaneous NIS2 and GDPR exposure.
The regulatory risk is compounded: a breach originating from an unsecured supplier will be treated as your compliance failure, not the supplier's.
5 Concrete Contractual Clauses
Clause 1: Right to Security Audit
Your contract must grant your organisation (or an appointed third-party auditor) the right to conduct security audits of the supplier's systems and processes, with a maximum 30-day notice period. The supplier must cooperate fully and provide access to relevant systems, documentation, and event logs. Without this clause, you have no mechanism to verify that contractual security commitments are being maintained.
Clause 2: Incident Notification Obligation — 24 Hours
The supplier must notify you of any security incident that could affect your systems or data within 24 hours of detection. This directly mirrors Article 23 of Directive 2022/2555. You have 24 hours to alert your national competent authority — that timeline is impossible to meet if your supplier waits 72 hours to inform you.
Clause 3: Minimum Security Standards
Define precise technical requirements: MFA mandatory for all access to your systems, data encryption in transit (minimum TLS 1.2) and at rest (AES-256), critical security patches applied within 72 hours of release, and a documented privileged access management policy. These standards must be verifiable — the supplier should provide evidence such as ISO 27001 certification, SOC 2 Type II reports, or independent vulnerability scan results.
Clause 4: Data Location and Sovereignty
Specify contractually where your data is stored and processed. Transfers outside the EU must comply with GDPR transfer mechanisms (standard contractual clauses, adequacy decisions). Explicitly prohibit further sub-processing of your data without prior written consent. For sectors with heightened sensitivity (health, finance, critical infrastructure), consider requiring EU-only data residency.
Clause 5: Liability and Penalties
Define contractual penalties for security obligation failures: a fixed penalty per incident not notified within the required timeframe, compensation for direct damages resulting from the supplier's security failure, and a right to terminate without penalty in the event of a material security breach. These penalties must be proportionate — significant enough to incentivise compliance, not so severe as to deter suppliers from accepting the contract.
How the NCSC and National Authorities Will Verify Compliance
During an audit or incident investigation, national competent authorities can request your supplier contracts, your third-party risk register, and evidence of regular supplier assessments. ENISA guidance makes clear that "regular" means at minimum annually for critical ICT suppliers, and following any significant security incident involving the supplier.
Your third-party risk register must document each supplier with system access, the associated risk classification, active mitigation measures, and the date of the last formal assessment. Auditors will look for this register specifically.
Where to Start
Identify your 10 most critical suppliers — those with access to your information systems, those processing sensitive data, and those whose unavailability would halt your operations. For each, assess whether your current contract contains the 5 clauses above.
Incorporate these clauses at the next contract renewal. For contracts with more than 12 months remaining, consider a contractual amendment. For new procurement, include these requirements in the initial specification.
NIS2 (Article 21, Directive 2022/2555) does not require you to certify every supplier overnight. It requires you to demonstrate active risk management — through contracts, documented assessments, and a maintained register.
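As an added illustration (not part of the article), the check below runs the article's rules over a third-party risk register: it flags entries missing any of the 5 clauses, assessments older than 12 months or not repeated since the supplier's last incident, and whether a contract with more than 12 months remaining should be amended rather than fixed at renewal. The clause identifiers, the register layout and the two sample suppliers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# The five contractual clauses the article requires; the identifiers are assumed labels.
REQUIRED_CLAUSES = {"audit_right", "incident_notification_24h",
                    "minimum_security_standards", "data_location", "liability_penalties"}
REASSESS_AFTER = timedelta(days=365)   # "regular" = at least annually for critical suppliers
AMEND_THRESHOLD = timedelta(days=365)  # more than 12 months left: amend instead of waiting

@dataclass
class Supplier:
    # One row of the third-party risk register (layout assumed, not prescribed by NIS2)
    name: str
    risk_class: str                    # e.g. "critical", "high", "medium"
    clauses: Set[str]                  # clauses present in the current contract
    last_assessment: date              # date of the last formal assessment
    contract_end: date
    last_incident: Optional[date] = None
    mitigations: List[str] = field(default_factory=list)

def review_supplier(s: Supplier, today: date) -> List[str]:
    # Findings an auditor reviewing this register entry would raise
    findings = []
    missing = REQUIRED_CLAUSES - s.clauses
    if missing:
        findings.append("missing clauses: " + ", ".join(sorted(missing)))
        findings.append("amend contract now" if s.contract_end - today > AMEND_THRESHOLD
                        else "add clauses at next renewal")
    if today - s.last_assessment > REASSESS_AFTER:
        findings.append("assessment overdue (older than 12 months)")
    if s.last_incident and s.last_incident > s.last_assessment:
        findings.append("not reassessed since last incident")
    if not s.mitigations:
        findings.append("no active mitigation measures recorded")
    return findings

def review_register(register: List[Supplier], today: date) -> Dict[str, List[str]]:
    return {s.name: review_supplier(s, today) for s in register}

# Constructed sample register: fictional suppliers, dates and contract states
TODAY = date(2025, 3, 1)
SAMPLE_REGISTER = [
    Supplier("Maintenance contractor", "critical", set(REQUIRED_CLAUSES),
             date(2024, 9, 1), date(2025, 12, 31), None, ["MFA enforced on VPN access"]),
    Supplier("Cloud backup provider", "critical", {"audit_right", "data_location"},
             date(2023, 12, 15), date(2027, 6, 30), date(2024, 11, 2)),
]
for name, findings in review_register(SAMPLE_REGISTER, TODAY).items():
    print(name, "->", findings or ["no findings"])
```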
*This article is for informational purposes only and does not constitute legal advice. For advice specific to your organisation, consult a qualified legal professional.*
