Pavel Láska

What NIS2 Article 21(2)(d) actually requires of your suppliers

The supply chain clause that’s quietly rewriting how every covered entity has to manage its vendors — and what regulators will actually ask you for.

  • nis2
  • supply-chain
  • article-21

NIS2 has a lot of clauses. Most of them are about controls inside your own four walls — incident response, multi-factor authentication, business continuity, the usual cybersecurity hygiene list. Article 21(2)(d) is the one that breaks that pattern. It’s the clause that pushes responsibility outward — making your security posture partly dependent on the security of the suppliers you depend on.

It reads, in the directive’s own language:

"supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers"

That’s a deceptively short sentence. Let me unpack what regulators have started to mean by it, and what evidence you should be preparing now.

What "direct suppliers and service providers" actually covers

The directive says "direct suppliers" — your Tier 1 vendors. But Recital 85 expands the practical scope: covered entities should consider "the overall quality and resilience of products and services, the cyber security risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures."

Two things hide in that recital. First, you’re not just buying a product or a service — you’re inheriting the security posture of the people who built it. Second, "their suppliers and service providers" means your Tier 1’s Tier 1 — your sub-processors. The directive doesn’t ask you to audit the entire chain, but it does ask you to consider how the chain affects you.

In practice, the direct/indirect distinction matters less than the criticality distinction. A printer maintenance contractor is technically a direct supplier; nobody expects you to do the same depth of work on them as on the cloud platform that hosts your customer data.

What regulators are actually asking for

This is where it gets practical. The directive deliberately leaves the how open — technical, operational, and organisational measures "appropriate" to the risk. That word "appropriate" is doing a lot of work.

Based on the early guidance from competent authorities and the questions auditors are starting to ask, the operational baseline is roughly:

A maintained inventory of suppliers handling regulated services or processing regulated data. Not a CSV in someone’s email. A live list, with each entry tagged by the service they provide and the data they touch.

A documented risk classification. Not every supplier deserves the same scrutiny. A defensible programme tiers them — by data sensitivity, by service criticality, by replaceability. Tier 1 (or however you label it) gets full assessment. Lower tiers get lighter touch.

Evidence of an actual assessment, per supplier, per cadence. What did you ask? What did they answer? What evidence did they provide? Who reviewed it? When? When does it need re-reviewing?

A defensible decision trail. This is the one most companies are missing. Approving a supplier is easy. Showing — in three years, after staff turnover, possibly under regulator scrutiny — how you approved them, and that the evidence behind that approval was current at the time, is the part that takes infrastructure.

A reaction plan for change. Suppliers’ postures drift. Certificates expire. Sub-processors are added. Breaches happen. Your programme has to react to those events as first-class triggers, not wait for next year’s review.

Common SMB misconceptions

A few patterns worth naming:

"We have a SOC 2, so we’re covered." SOC 2 is a control-effectiveness audit. It’s evidence about your supplier’s posture. It’s necessary, often, but it’s not the same thing as you having assessed and decided. NIS2 is asking you to make a decision about them. The SOC 2 helps; it doesn’t substitute. (More on this in a future post on why SOC 2 doesn’t satisfy NIS2.)

"We do an annual review, that’s enough." Annual works for stable suppliers in stable contexts. It doesn’t work for cloud platforms that update sub-processors quarterly, or for services where breach disclosure happens mid-cycle. The directive expects you to react to material change, not just calendar dates.

"We’re an SMB, the depth of programme expected is lower." Sort of. The proportionality principle is real — a 50-person manufacturer isn’t expected to run the same supplier-assurance machine as a tier-one bank. But the form of the obligation is the same. You still need the inventory, the classification, the assessment, the trail. The depth scales; the structure doesn’t.

"Our customer’s questionnaire is the assessment." No. Answering a customer’s questionnaire is evidence about you that they use to assess you. It’s not your assessment of your suppliers. If a regulator audits you, they’ll want to see how you assessed Vendor X — not how Vendor Y assessed you.

The minimum defensible posture

If you’re reading this and realising you’re behind, here’s the rough order to catch up:

First, compile the inventory. Even rough. Every supplier handling regulated services or data, with the service named and the data type tagged.

Second, tier them. A two- or three-tier scheme is fine for most SMBs.

Third, gather evidence proportionate to tier. Top-tier: SOC 2 or ISO 27001, sub-processor list, security policy, breach history, business continuity plan. Lower tiers: less, but document why.

Fourth — and this is the part most organisations skip — write down your decision. For each supplier: why they’re approved, on what evidence, for what review window, and signed off by whom. This is your audit defence.

Fifth, build the reaction plan. Who watches for material change? What triggers a re-review? What’s the path to suspending a supplier if a critical issue surfaces?

That’s the floor. Most SMBs we’ve worked with can build it in 60–90 days if they’re committed. The question is what you build it with — spreadsheets and email, which works until it doesn’t, or infrastructure that compounds across reviews.

Where this is going

Two or three years from now, supplier assurance will be table stakes for any business in a regulated supply chain. Not because regulators say so — because their customers say so. The companies that get there first, with defensible programmes, will win contracts. The companies that don’t will lose them.

That’s the operational shift Article 21(2)(d) is quietly forcing. The directive uses one sentence. The implementation takes years.


If you’re working through your supplier assurance programme and want a second pair of eyes, book a call — happy to share what we’ve seen work.
