NIS2 Article 21 includes supply chain security among the mandatory cybersecurity risk management measures that all essential and important entities must implement. The requirement covers security in network and information systems supply chains — including the security aspects of the relationships between entities and their direct suppliers or service providers.

This is a significant and often underestimated compliance obligation. Organisations that have implemented strong cybersecurity controls internally but have not assessed or addressed the cybersecurity risks arising from their supply chain are not compliant with NIS2’s Article 21 requirements.

What NIS2 Supply Chain Security Requires

The supply chain security requirement in NIS2 Article 21(2)(d) requires entities to assess and address supply chain risks — specifically, the vulnerabilities specific to each direct supplier and service provider, and the overall quality of the products and cybersecurity practices of their suppliers. Entities must take into account the results of coordinated security risk assessments of supply chains carried out by competent authorities where available.

In practical terms, this requires: identification of the suppliers and service providers that have access to the entity’s network and information systems or that provide components critical to those systems; assessment of the cybersecurity posture of those suppliers; and management of risks identified in that assessment — whether through contractual requirements, audit rights, supplier improvements, or risk acceptance with appropriate rationale.

The Scope Challenge: How Far Down the Chain?

A common question in supply chain security programmes is how far down the supplier chain the assessment obligation extends. NIS2 specifically references “direct suppliers” — the entities in the immediate supplier tier. It does not explicitly require assessment of suppliers’ suppliers (the second and third tiers), though it acknowledges that supply chain risks may originate further up the chain.

Pragmatically, the approach should be risk-based: direct suppliers with significant access to critical systems or sensitive data, or whose products are critical components of systems the entity relies on for essential services, warrant the most thorough assessment. Lower-risk direct suppliers may be assessed through questionnaires or by reference to their own compliance certifications. The assessment effort should be proportionate to the risk the supplier relationship represents.

The Intersection with DORA and ISO 27001

For organisations in the financial sector, NIS2 supply chain requirements overlap significantly with DORA’s ICT third-party risk management requirements. For organisations with ISO 27001 certification, the NIS2 supply chain requirements overlap with ISO 27001 Annex A control A.5.19 (Information security in supplier relationships). Where these programmes are running in parallel, the supply chain risk assessment work can be designed once and applied to all three frameworks — avoiding the duplication of running separate supply chain programmes for each regulatory or certification requirement.

This integration is not automatic — it requires deliberate programme design. But organisations that treat their supply chain security programme as a shared asset serving multiple compliance obligations will find the total compliance cost significantly lower than organisations that implement each programme independently.

At Bitsecura, we design supply chain security programmes that satisfy NIS2’s requirements and integrate with other applicable frameworks — avoiding the duplication of parallel programmes where the requirements overlap. If you need to build or strengthen your supply chain security programme, talk to us here.


Bitsecura provides NIS2 compliance consulting and cybersecurity services for essential and important entities. Learn more about our NIS2 services.