The supply-chain clause, line by line.

What the directive actually says.

From Article 21(2) of Directive (EU) 2022/2555: essential and important entities shall take appropriate technical, operational and organisational measures to manage cybersecurity risks. Subsection (d) names supply chain specifically:

"supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers"

Article 21(2)(d) — NIS2 Directive 2022/2555

That is a deceptively short sentence. The rest of this page unpacks what regulators have started to mean by it, what evidence holds up under scrutiny, and what most mid-market entities miss when they try to satisfy it.

What "direct suppliers and service providers" actually covers.

The clause names "direct suppliers" — your Tier 1 vendors. But Recital 85 expands the practical scope. Covered entities should consider:

"the overall quality and resilience of products and services, the cybersecurity risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures."

Recital 85 — NIS2 Directive 2022/2555Read on EUR-Lex

Two things hide in that recital. First — you are not just buying a product or service; you are inheriting the security posture of the people who built it. Second — "their suppliers and service providers" means your Tier 1's Tier 1: your sub-processors. The directive does not ask you to audit the entire chain, but it does ask you to consider how the chain affects you.

In practice, the direct/indirect distinction matters less than the criticality distinction. A printer maintenance contractor is technically a direct supplier; nobody expects you to do the same depth of work on them as on the cloud platform that hosts your customer data.

How a 200-person Slovak utility implements 21(2)(d).

Hypothetical, illustrative — patterns drawn from regional mid-market practice, not from any single client.

The entity is a 200-person regional water utility headquartered near Žilina. It became an essential entity under Annex I when Slovakia's NIS2 transposition (Act No. 366/2024) entered into force on 1 January 2025. Its supervisory authority is the Národný bezpečnostný úrad (NBÚ).

Its supplier portfolio is small but high-stakes — roughly 35 critical suppliers. The top of the list: the SCADA platform vendor, the smart-meter management cloud, the billing-system MSP, the geographic information system, and a handful of hardware integrators that touch the OT network during maintenance windows. Each of those carries a sub-processor list that adds another 60–80 entities the utility has to consider, even if not formally assess.

The implementation of the five artefacts:

• 01The inventory lives in a single register, owned by the IT lead. Each supplier tagged by the OT zone they touch and the data classification they handle. Sub-processors of the SCADA platform and the smart-meter cloud are listed separately, refreshed quarterly against the vendor's published list.
• 02Three tiers — Critical (SCADA, smart-meter cloud, billing MSP), Important (the rest of the regulated-data touchers), and Routine (everyone else). Tier assignments are signed by the IT lead and reviewed by the board annually.
• 03Critical-tier suppliers are reassessed every 6 months — SOC 2 Type II, sub-processor list, breach-disclosure history, business-continuity test results, contract clauses verified. Important-tier annually. Routine-tier attestation-only at contract renewal.
• 04Decisions are recorded with the date, the evidence package they were based on, the named reviewer, and the next review date. Hash-anchored so the package cannot be quietly amended after the fact. This is the artefact the NBÚ inspector will reach for first.
• 05Material-change triggers documented: vendor breach disclosure, sub-processor addition, certificate expiry, change of corporate ownership. Each triggers an out-of-cycle review with a named owner and a 30-day completion target.

Most of the utility's actual NIS2 supplier-assurance work concentrates on the five critical suppliers. The structure exists for the rest, scaled appropriately.

Four claims that do not satisfy the clause.

Where to verify everything on this page.

The directive itself is the source of truth. ENISA and the NIS Cooperation Group are the two bodies producing the operational guidance auditors are starting to use. None of these are vendor-controlled — verifiability is the point.

• NIS2 Directive (2022/2555)

  Article 21(2)(d) and Recital 85 — the load-bearing clauses for supply-chain risk-management.

• ENISA Technical Implementation Guidance v1.0

  The European Union Agency for Cybersecurity's practitioner guidance on implementing NIS2 risk-management measures, including supply-chain.

• NIS Cooperation Group ICT Supply Chain Toolbox

  Coordinated guidance from EU Member States on assessing and managing risks in the ICT supply chain.

One product per artefact — same five-artefact frame.

Supply Chain Assurance was built around exactly the five artefacts above. Not coincidence — the product was scoped from the practitioner side, against the same clause this page unpacks. Mapping:

We do not claim the product makes you NIS2-compliant — that is the entity's decision and the auditor's judgement. We claim the product gives you the evidence structure those judgements need.

Two or three years from now, supplier assurance is table stakes.

Not because regulators say so — because customers say so. The companies that get there first, with defensible programmes, will win contracts. The companies that do not will lose them.

That is the operational shift Article 21(2)(d) is quietly forcing. The directive uses one sentence. The implementation takes years.

Where this leads, depending on where you are.