
NIS2 Article 21 Supply Chain Security Program

A practical program outline for NIS2 supply chain security covering direct suppliers, service providers, supplier selection, contract clauses, lifecycle monitoring, and evidence.

Grounded in NIS2 Article 21, Commission Implementing Regulation (EU) 2024/2690, and ENISA implementation guidance for security, procurement, legal, compliance, and management-body reviewers.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

NIS2 treats supply chain security as a minimum cybersecurity risk-management measure, not as a procurement preference. Article 21 requires essential and important entities to address security-related aspects of relationships with direct suppliers and service providers, including supplier-specific vulnerabilities, product quality, cybersecurity practices, and secure development procedures.

Section 1

What NIS2 requires from a supply chain security program

Article 21(2)(d) names supply chain security as one of the measures that must be included in an all-hazards cybersecurity risk-management baseline. The program should therefore be tied to the entity's network and information systems, services, and direct supplier or service-provider relationships.

Article 21(3) makes the supplier review more specific: entities must take into account vulnerabilities specific to each direct supplier and service provider, the overall quality of products, the cybersecurity practices of suppliers and service providers, and their secure development procedures. Where Article 22 coordinated risk assessments of critical ICT supply chains are relevant, those results also need to feed the program.

  • Define which direct suppliers and service providers support NIS2-relevant network and information systems or services.
  • Assess supplier-specific vulnerabilities, cybersecurity practices, secure development procedures, and product or service quality before relying on a supplier.
  • Connect supplier risk findings to risk treatment, contract clauses, monitoring, and management reporting.
  • Use Member State implementing rules and competent-authority guidance for local supervisory expectations.
Section 2

Policy and supplier selection criteria

For digital-sector entities covered by Implementing Regulation (EU) 2024/2690, the Annex requires a supply chain security policy governing relations with direct suppliers and service providers. ENISA's guidance explains that the policy should identify the entity's role in the supply chain and communicate that role to direct suppliers and service providers where possible.

Supplier selection should not be limited to price, availability, or a questionnaire score. The program should record selection and contracting criteria that cover cybersecurity practices, secure development, ability to meet cybersecurity specifications, jurisdictional and ownership considerations where relevant, supply resilience, supplier incident history, and lock-in risk.

  • Maintain a supply chain security policy aligned with the entity's network and information security policy and risk-management process.
  • Classify direct suppliers and service providers by the ICT products, ICT services, or ICT processes they provide and by the risk they create.
  • Use supplier selection criteria that test cybersecurity practices, secure development, service resilience, transparency, and ability to meet security specifications.
  • Record how procurement decisions considered NIS Cooperation Group, ENISA, national authority, or Article 22 critical supply-chain risk assessment outputs when those are applicable.
Section 3

Contract clauses and operational controls

The implementing regulation expects supplier and service-provider contracts to specify appropriate security clauses. ENISA's guidance lists practical clause areas such as cybersecurity requirements, supplier staff awareness, certification and background-verification requirements where appropriate, incident notification to the entity without undue delay, vulnerability handling, termination obligations, audit rights, cooperation with competent authorities, and exit arrangements.

These clauses should be operational, not decorative. The program should connect them to onboarding, access control, vulnerability reporting, secure acquisition, maintenance windows, incident communication, service continuity, data return or disposal, and supplier offboarding.

  • Include cybersecurity requirements and service-level expectations for ICT products, ICT services, and ICT processes.
  • Require suppliers and service providers to report incidents or vulnerabilities that present a risk to the entity's network and information systems.
  • Define remote access limits, maintenance authorization, continuity support, data handling, termination, transition, and disposal obligations.
  • Keep contract or SLA evidence mapped to the supplier risk tier and to the controls it supports.
Section 4

Evidence to maintain

A NIS2 supply chain security program should produce evidence that can be reviewed by management, auditors, and competent authorities without reconstructing the supplier story from email. The evidence should show which suppliers are direct suppliers or service providers, what they provide, how they were assessed, which contract requirements apply, and how their risk is monitored over time.

For covered digital entities, ENISA points to evidence such as the supply chain security policy, evidence that the entity's role was communicated to suppliers where possible, supplier and service-provider evaluation records, risk analysis results, contract or SLA evidence, incident records tied to suppliers, supplier exit documentation, and a registry of direct suppliers and service providers.

  • Supply chain security policy and approval or review record.
  • Registry of direct suppliers and service providers with contact points and supplied ICT products, ICT services, or ICT processes.
  • Supplier classification, selection criteria, risk analysis results, and evaluation notes.
  • Signed contracts, SLAs, security addenda, vulnerability-reporting terms, incident-notification terms, audit rights, and exit provisions.
  • Monitoring records, supplier incident records, policy review evidence, and remediation tracking after significant supplier changes or incidents.
Section 5

Common scoping traps

The first trap is treating every vendor the same. NIS2 focuses on risk to network and information systems and services, so a direct supplier of critical ICT services should receive deeper review than a low-risk administrative vendor. The second trap is treating a certificate as a complete answer; certificates can support assurance, but Article 21 still requires the entity to consider supplier-specific vulnerabilities and cybersecurity practices.

Free and open source software also needs careful handling. ENISA notes that open communities may not be direct suppliers or service providers where there is no contractual relationship beyond a standard licence, but direct suppliers that integrate open source components can still be asked for risk assessment, maintenance, dependency, and vulnerability evidence.

  • Do not assume a supplier questionnaire satisfies Article 21 unless it leads to risk treatment, contract terms, monitoring, and evidence.
  • Do not apply direct-supplier clauses to open source communities without checking whether a supplier or service-provider relationship actually exists.
  • Do not ignore supplier access, maintenance connections, managed services, or cloud services when mapping supplier risk.
  • Do not rely only on annual review when significant supplier incidents, service changes, or risk changes occur.
Section 6

Implementation checklist for NIS2 supply chain security

Use this checklist to turn Article 21 supply chain obligations into an auditable program. It should be adapted to the entity's sector, Member State implementation, service criticality, and supplier risk profile.

The checklist is strongest when procurement, security, legal, business continuity, incident response, and management reporting use the same supplier inventory and risk records.

Does NIS2 require a supply chain security program?

Yes. Article 21(2)(d) requires supply chain security as part of cybersecurity risk-management measures, including security-related aspects of relationships between each entity and its direct suppliers or service providers.

What should a NIS2 supplier review cover?

Article 21(3) points to vulnerabilities specific to each direct supplier and service provider, the quality of products, supplier cybersecurity practices, and secure development procedures. The implementing regulation and ENISA guidance add policy, selection criteria, contract, monitoring, registry, and exit evidence for covered digital entities.

  • Identify direct suppliers and service providers that provide ICT products, ICT services, or ICT processes supporting NIS2-relevant services.
  • Approve and maintain a supply chain security policy with supplier selection, contracting, monitoring, and review rules.
  • Create supplier criteria covering cybersecurity practices, secure development, ability to meet security specifications, service resilience, and relevant jurisdictional or ownership risks.
  • Map contract clauses to supplier risk tier, including security requirements, incident notification, vulnerability handling, audit cooperation, continuity support, and exit obligations.
  • Maintain a direct supplier and service-provider registry with contacts and supplied ICT products, ICT services, or ICT processes.
  • Review supplier risks after significant changes, supplier incidents, service changes, or new authority guidance, and record corrective measures.
Primary sources

  • eur-lex.europa.eu: primary legal source for Article 21 cybersecurity risk-management measures, including supply chain security and supplier-specific assessment factors. Referenced section: "supply chain security".
  • enisa.europa.eu: explains direct supplier/service-provider evidence, lifecycle monitoring, supplier categorisation, and considerations for free and open source software. Referenced section: "direct suppliers and service providers".
  • eur-lex.europa.eu: technical and methodological requirements for covered digital entities, including supply chain policy, supplier contracts, registry, and monitoring. Referenced section: "direct suppliers and service providers".
  • eur-lex.europa.eu: technical and methodological supply-chain requirements for the covered digital entities, including a supply chain security policy and supplier/security clauses. Referenced section: "establish a supply chain security policy".