NIS2 and Supply Chain Security
For years, security leaders have warned that your weakest vendor could become the origin of your biggest breach. Regulators are now acting on that warning. With NIS2, the EU has made supply chain security a bigger part of the picture in its effort to strengthen and harmonize cybersecurity across the Union.

This is Brussels acknowledging a painful truth: in an interconnected digital-first economy, one compromised supplier can ripple into systemic disruption. Whether it’s malicious external code or a compromised vendor, the risks are evident in several of the most high-profile breaches this decade. Even recently,
But understanding those risks and doing something meaningful about them calls for more than updated contracts or checkbox audits. In this post, we’ll look specifically at what NIS2 demands on the supply chain front, and how forward-thinking companies are reframing the challenge as an opportunity to build real resilience.
Supply Chain Security Under NIS2: What the Regulation Actually Demands
The first notable supply chain mention in the EU’s NIS2 Directive (Directive (EU) 2022/2555, a 73-page document) is aimed at governments rather than companies: Member States should, through their national cybersecurity strategies, help small and medium-sized enterprises address the challenges they face in their supply chains.

One tricky thing about NIS2 and supply chain security is that the directive leans on high-level obligations rather than direct prescriptive language. The key company-level requirement is Article 21, which states that essential and important entities need to “take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services”.
Elaborating on what those measures must include, Article 21(2) lists 10 distinct categories. Among them, at point (d), is “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers”. The most prescriptive guidance on what supply chain security entails comes in Article 21(3), which says entities must take into account:
- Vulnerabilities specific to each direct supplier and service provider
- The overall quality of suppliers’ products and cybersecurity practices, including their secure development procedures
- The outcomes of EU-coordinated supply chain risk assessments, where relevant
The third bullet is the murkiest. Article 22 allows the EU’s Cooperation Group, in cooperation with the Commission and ENISA, to carry out coordinated security risk assessments of specific critical ICT services, ICT systems or ICT products supply chains. But it doesn’t specify which suppliers fall into scope, how often this will happen, or how companies should incorporate the findings of the assessments.
In practice, this creates a compliance paradox. Organizations are told to “take into account” assessments that may not yet exist, about suppliers that may or may not be deemed critical. They’re expected to evaluate vague qualities like “overall cybersecurity practices” without any standardized criteria or shared supplier attestation frameworks.
For CISOs and risk managers, this creates both a compliance and operational headache: you’re responsible for supply chain due diligence, but left to interpret what “adequate” looks like without a clear rubric. This ambiguity raises the stakes for organizations trying to build a defensible, risk-based supply chain security program; one that doesn’t just meet the spirit of NIS2, but also withstands future regulatory scrutiny.
Strengthening Supply Chain Resilience
There’s no getting around the fact that NIS2 is a complex piece of legislation. Such is the complexity, in fact, that some Member States missed the 17 October 2024 deadline for transposing the requirements into national law. The most prudent approach for your business to get in line with what NIS2 expects here is to proactively define and document your own supply chain security measures using available best practices and frameworks.

Here are practical ways to interpret and act on NIS2’s expectations, even in the absence of concrete checklists.
1. Use Established Frameworks as a Benchmark
Start with globally recognized frameworks that cover third-party and software supply chain risks:
- NIST Cyber Supply Chain Risk Management (C-SCRM, published as NIST SP 800-161 Rev. 1) offers structured guidance on identifying and mitigating risks across the ICT supply chain.
- ISO/IEC 27036 (Parts 1–4) focuses specifically on supplier relationships, including secure development and procurement security.
- ENISA Guidelines on Securing the Supply Chain also provide specific insights tailored for EU organizations.
Mapping your internal practices to one or more of these frameworks gives you a defensible posture and a vocabulary to communicate supply chain expectations with partners.
2. Assess the Cybersecurity Maturity of Suppliers
To evaluate the “overall quality of cybersecurity practices”, look beyond security questionnaires. A few steps you can take:
- Use third-party risk platforms to monitor suppliers’ digital footprint and exposure.
- Incorporate supplier security into procurement contracts, including the right to audit, minimum security controls, and incident response SLAs.
- Request secure software development attestations, such as adherence to ISO/IEC 27034, SSDF (NIST’s Secure Software Development Framework, SP 800-218), or SLSA (Supply-chain Levels for Software Artifacts). Where a supplier can produce machine-readable evidence (an SBOM, or SLSA build provenance), ask for it rather than a self-attested statement alone.
For high-risk or critical suppliers, deeper engagement, like shared risk assessments or technical due diligence, may be necessary.

3. Identify Vulnerabilities Specific to Each Direct Supplier or Service Provider
This part of NIS2 is particularly challenging because it requires risk contextualization. Some practical approaches:
- Map supplier access and dependencies: Create a visual dependency graph of which suppliers have access to sensitive data, infrastructure, or privileged credentials.
- Profile threat models based on supplier roles: A cloud hosting provider presents different risks than a managed service provider or firmware vendor. Tailor your assessments accordingly.
- Look at recent CVEs or breaches associated with supplier products: For example, if a supplier’s software stack relies heavily on open-source components with a history of severe, widely exploited vulnerabilities (Log4Shell in Log4j being the obvious case), factor that into your evaluation, along with how quickly the supplier patched last time.
Where possible, enrich this picture with input from your internal threat intel team, CTI providers, or threat-led red teams.
4. Monitor and Reassess Continuously
Because NIS2 encourages a continuous risk management posture, don’t treat supplier reviews as a one-and-done activity:
- Set reassessment cadences based on supplier criticality.
- Monitor for indicators of compromise (IOCs) or public breach disclosures related to suppliers.
- Use internal attack path modeling to determine whether a compromise at a supplier could plausibly escalate to your own environment.
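Steps 3 and 4 above both come down to the same model: a graph of which suppliers can reach which internal systems, and which of those systems can in turn reach the data or identity stores you actually care about. The following is an added example (not code from the original post, and not a DIESEC tool) that builds such a graph from constructed sample data, enumerates every simple path from each supplier to a set of crown-jewel assets, tiers suppliers by how few hops separate them from those assets, derives a reassessment cadence from the tier, and then re-runs the model with one access relationship removed to show the effect of a candidate control. All supplier names, system names, access edges and the tier thresholds are assumptions for illustration.

```python
"""Supplier dependency graph and attack-path reasoning.

Added example; not code from the original post. All supplier names, internal
system names, access relationships and tier thresholds below are constructed
for illustration only.
"""

# Directed "can reach" graph. A supplier node points to the internal systems it
# holds credentials or a network path for; internal nodes point to whatever
# they in turn can touch. Constructed sample data.
EDGES = {
    "mssp-vendor":        ["siem", "jump-host"],   # managed SOC with remote access
    "cloud-host":         ["prod-k8s"],            # hosting provider runs our clusters
    "firmware-vendor":    ["edge-routers"],        # ships and updates router firmware
    "payroll-saas":       ["hr-db"],               # syncs directly with HR data
    "office-supplies":    ["procurement-portal"],  # commodity vendor, portal only
    "siem":               [],
    "jump-host":          ["prod-k8s", "ad-domain"],
    "edge-routers":       ["jump-host"],
    "prod-k8s":           ["customer-db"],
    "ad-domain":          ["customer-db", "hr-db"],
    "procurement-portal": [],
    "hr-db":              [],
    "customer-db":        [],
}
SUPPLIERS = {"mssp-vendor", "cloud-host", "firmware-vendor",
             "payroll-saas", "office-supplies"}
# What "escalate to our own environment" means for this example.
CROWN_JEWELS = {"customer-db", "ad-domain", "hr-db"}

# Assumed cadence policy: months between supplier reassessments per tier.
REVIEW_CADENCE_MONTHS = {"critical": 3, "high": 6, "low": 12}


def attack_paths(graph, start, targets):
    """All simple paths from `start` that end on a node in `targets` (DFS)."""
    paths = []
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        for nxt in graph.get(node, []):
            if nxt in path:          # simple paths only, no cycles
                continue
            new_path = path + [nxt]
            if nxt in targets:
                paths.append(new_path)
            stack.append((nxt, new_path))   # a crown jewel may lead to another
    return paths


def supplier_tier(graph, supplier, targets):
    """Tier a supplier by how close it sits to the crown jewels.

    critical: a crown jewel is reachable in <= 2 hops (at most one pivot system)
    high:     reachable, but only through a longer chain
    low:      no path at all
    """
    paths = attack_paths(graph, supplier, targets)
    if not paths:
        return "low"
    shortest_hops = min(len(p) - 1 for p in paths)
    return "critical" if shortest_hops <= 2 else "high"


def supplier_review_plan(graph, suppliers, targets):
    """Per-supplier tier, reassessment cadence and the concrete paths behind it."""
    plan = {}
    for s in sorted(suppliers):
        tier = supplier_tier(graph, s, targets)
        plan[s] = {
            "tier": tier,
            "cadence_months": REVIEW_CADENCE_MONTHS[tier],
            "paths": attack_paths(graph, s, targets),
        }
    return plan


def without_edge(graph, src, dst):
    """Copy of `graph` with one access relationship removed (a candidate control)."""
    trimmed = {k: list(v) for k, v in graph.items()}
    trimmed[src] = [n for n in trimmed[src] if n != dst]
    return trimmed


if __name__ == "__main__":
    plan = supplier_review_plan(EDGES, SUPPLIERS, CROWN_JEWELS)
    for name, entry in plan.items():
        print(f"{name:18} {entry['tier']:8} reassess every {entry['cadence_months']:>2} months")
        for p in entry["paths"]:
            print("    " + " -> ".join(p))

    # What-if: stop the jump host from reaching the domain, then re-run the model.
    hardened = without_edge(EDGES, "jump-host", "ad-domain")
    print("mssp-vendor after removing jump-host -> ad-domain:",
          supplier_tier(hardened, "mssp-vendor", CROWN_JEWELS))
```

With the sample data, the managed security provider, the hosting provider and the payroll SaaS come out as critical (each is at most one pivot away from a crown jewel), the firmware vendor is high because its only route runs through the edge routers and then the jump host, and the office-supplies vendor is low. Removing the jump host’s path to the domain drops the MSSP to high, which is the kind of evidence you want when deciding which control to fund. In a real program the edges come from IAM exports, VPN and firewall policy and the supplier access register, and the tiering thresholds are whatever your risk appetite says they should be.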
Why Supply Chain Consulting Matters Under NIS2
For most companies, the real challenge of NIS2 and supply chain security is turning broad, principle-based mandates into tailored, defensible action across a complex supply chain. And that’s precisely where specialized consulting adds value.
This includes:
- Mapping interdependencies across vendors, services, and systems—often across borders and jurisdictions.
- Differentiating between commodity suppliers and critical dependencies that warrant deeper oversight.
- Understanding how a partner’s software development lifecycle (SDLC) impacts your risk profile, especially when secure-by-design language is vague or self-attested.
- Reconciling compliance with operational realities: how much supplier visibility is feasible, how much control you have over subcontractors, and where liability ends.

An experienced consulting partner like DIESEC brings an external perspective to these challenges. We’ll help identify risk blind spots you don’t see internally, benchmark your supply chain security posture against industry peers, and prepare you for NIS2’s supply chain requirements with a clearly documented approach to third-party risk.
To get started with NIS2 Consulting, visit this page and tell us about your company’s sector, size and financial bracket. We’ll be in touch to discuss whether NIS2 applies to you and, if so, how we can support you!

