What is NIS2?
The Network and Information Security Directive 2 (Directive 2022/2555) is the EU’s expanded cybersecurity framework, replacing the original 2016 NIS Directive. EU member states had until 17 October 2024 to transpose it into national law. Most member states did so on or shortly after that date — though enforcement is ramping through 2025 and 2026 as competent authorities staff up and publish guidance.
NIS2 substantially expands the scope of regulated entities, raises the security control bar, introduces personal liability for management bodies, and — critically for our customers — extends explicit supply chain risk management obligations to every covered entity.
Who does it cover?
NIS2 covers two categories of regulated entity:
- Essential entities (Annex I): energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure (including cloud and DNS), ICT service management, public administration, space.
- Important entities (Annex II): postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, electronics, electrical equipment, machinery, motor vehicles, transport equipment), digital providers (online marketplaces, search engines, social platforms), research.
Both categories must comply with the same security obligations. Whether an entity is "covered" is generally determined by size (50+ employees or €10M+ turnover) combined with activity in one of the listed sectors, but national transposition varies; see the country section below.
What does Article 21 require?
Article 21 is the operative cybersecurity-controls article. It requires every covered entity to implement appropriate technical, operational, and organisational measures across at least these areas:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity (backup, disaster recovery, crisis management)
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers (this is Article 21(2)(d) — the supply-chain clause)
- Security in network and information systems acquisition, development, and maintenance
- Policies and procedures to assess effectiveness of cybersecurity risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies on the use of cryptography and encryption
- Human resources security, access control policies, and asset management
- Multi-factor authentication, secured communications, and emergency communications
The supply chain provisions — Article 21(2)(d)
This is the clause that triggers the work our product exists to make easier. It requires you to assess the cybersecurity posture of your direct suppliers and service providers, and to consider the overall quality of your suppliers’ own cybersecurity practices and secure development procedures.
In practice, this means you need to:
- Maintain an inventory of suppliers handling regulated services
- Assess the cybersecurity posture of each one
- Reassess on a defined cadence and on material change
- Document the evidence of those assessments
- Be able to demonstrate that programme and its evidence to a regulator on request
For most SMBs, this is the part of NIS2 that creates the most operational friction.
We’ve written a longer explainer of this clause specifically — what NIS2 Article 21(2)(d) actually requires of your suppliers — including what evidence to prepare, common SMB misconceptions, and the minimum defensible posture.
Fines and enforcement
NIS2 introduces administrative fines on a scale deliberately comparable to GDPR's:
- Essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher
- Important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher
Fines apply for breaches of the cybersecurity risk management measures (Article 21) and the incident reporting obligations (Article 23). Member states can also impose periodic penalty payments and other administrative measures, and management bodies can be held personally accountable — boards are not insulated from NIS2 enforcement actions in the way they often are from operational compliance failures.
How NIS2 differs across countries
Each EU member state transposes the directive into national law with some local variation: deadlines, thresholds, sector inclusions and supervisory authority structures all differ. We’re building country-specific guides for the markets we serve.
How Shards helps you comply
Shards Supply Chain Assurance is built specifically for the Article 21(2)(d) supply chain provisions. We turn supplier assessment from a spreadsheet exercise into a structured, defensible programme:
- A maintained supplier inventory, tiered by risk
- Evidence requests sent and tracked
- Decision logs that survive staff turnover and audit scrutiny
- Drift detection that flags certificate expiries and posture changes
- Exports built for regulator review