NIS2 directive · Practitioner brief

What NIS2 actually requires of your suppliers.

A practitioner explainer of the EU's expanded cybersecurity directive — what changed, who it covers, what evidence regulators are starting to ask for, and how it differs across member states. Calm, factual, and honest about what we know vs. what's still settling.

Walk through the NIS2 obligations as a CISO or Head of IT. Awareness training has a playbook. Incident response has a runbook. Patch management is procedural. Supply chain security isn't. The evidence sits with external parties. It arrives in a dozen formats. It expires unevenly. And someone has to defend the decisions later.

What is NIS2?

The Network and Information Security Directive 2 (Directive 2022/2555) is the EU's expanded cybersecurity framework, replacing the original 2016 NIS Directive. EU member states had until 17 October 2024 to transpose it into national law. Most member states did so on or shortly after that date — though enforcement is ramping through 2025 and 2026 as competent authorities staff up and publish guidance.

NIS2 substantially expands the scope of regulated entities, raises the security control bar, introduces personal liability for management bodies, and — critically for our customers — extends explicit supply chain risk management obligations to every covered entity.

Who does it cover?

NIS2 covers two categories of regulated entity:

Essential entities (Annex I): Energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure (including cloud and DNS), ICT service management, public administration, space.

Important entities (Annex II): Postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, electronics, electrical equipment, machinery, motor vehicles, transport equipment), digital providers (online marketplaces, search engines, social platforms), research.

Both categories must comply with the same security obligations. The threshold for being "covered" is generally based on size (50+ employees or €10M+ turnover) plus sector activity, but national transposition varies — see the country section below.

What does Article 21 require?

Article 21 is the operative cybersecurity-controls article. It requires every covered entity to implement appropriate technical, operational, and organisational measures across at least these areas:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity (backup, disaster recovery, crisis management)
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers (this is Article 21(2)(d) — the supply-chain clause)
  • Security in network and information systems acquisition, development, and maintenance
  • Policies and procedures to assess effectiveness of cybersecurity risk management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies on the use of cryptography and encryption
  • Human resources security, access control policies, and asset management
  • Multi-factor authentication, secured communications, and emergency communications

The supply chain provisions — Article 21(2)(d)

This is the clause that triggers the work Supply Chain Assurance exists to make easier. It requires you to assess the cybersecurity posture of your direct suppliers and service providers, and to consider the overall quality of your suppliers' own cybersecurity practices and secure development procedures.

Figure: Hidden risk three hops deep. Tracing a weak link from your direct suppliers down through their sub-processors to surface a critical risk three steps below (You, Tier 1, Tier 2, Tier 3): from your direct supplier, three steps deep, into a sub-processor with no NIS2 controls.

In practice, this means you need to:

  • Maintain an inventory of suppliers handling regulated services
  • Assess the cybersecurity posture of each one
  • Reassess on a defined cadence and on material change
  • Document the evidence of those assessments
  • Demonstrate to a regulator on request

For most mid-market buyers, this is the part of NIS2 that creates the most operational friction.

We've written a longer explainer of this clause specifically — what NIS2 Article 21(2)(d) actually requires of your suppliers — including what evidence to prepare, common mid-market misconceptions, and the minimum defensible posture.

Fines and enforcement

NIS2 introduces administrative fines deliberately on a scale comparable to GDPR:

  • Essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher
  • Important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher

Fines apply for breaches of the cybersecurity risk management measures (Article 21) and the incident reporting obligations (Article 23). Member states can also impose periodic penalty payments and other administrative measures, and management bodies can be held personally accountable — boards are not insulated from NIS2 enforcement actions in the way they often are from operational compliance failures.

How NIS2 differs across countries

Each EU member state transposes the directive into national law with some local variation — deadlines, thresholds, sector inclusions, supervisory authority structures all differ. We're building country-specific guides for the markets we serve.

How Supply Chain Assurance helps you comply

Supply Chain Assurance is built specifically for the Article 21(2)(d) supply chain provisions. It turns supplier assessment from a spreadsheet exercise into a structured, defensible programme:

Figure: Supplier evidence becomes questionnaire answers. Four supplier-provided evidence artefacts (ISO 27001 certificate, valid 2025–2027; SOC 2 Type II report, audited Mar 2025; sub-processor list v2, Apr 2026; DPA signed Jan 2026) are each mapped to specific items in the buyer's supplier questionnaire (Are sub-processors disclosed? ISO 27001 certified and current? SOC 2 Type II in date? DPA in place with you? Incident notification SLA? BC/DR test results in the last 12 months?), with one item marked MANUAL to show that AI never closes the loop. Their certs; your answers, with citations and a reviewer sign-off.

  • A maintained supplier inventory, tiered by risk
  • Evidence requests sent and tracked
  • Decision logs that survive staff turnover and audit scrutiny
  • Reviewer-flagged certificate expiries with re-review prompts on the calendar — automated drift detection on the v2 roadmap
  • Machine-readable exports built for regulator review
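As an added illustration (not the product's code and not from the original page), the following Python models the inventory, assess, reassess, document loop described under Article 21(2)(d) together with the evidence-expiry flagging in the platform list above: constructed supplier records carry evidence artefacts with validity windows, a per-tier review cadence, and a material-change flag, and the register is queried for who is due for re-review and why. Tier cadences, supplier names and dates are assumed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Reassessment cadence per risk tier in days (assumed sample values, not from the page).
CADENCE_DAYS = {"tier1": 365, "tier2": 730, "tier3": 730}

@dataclass
class Evidence:
    kind: str          # e.g. "ISO 27001", "SOC 2 Type II", "DPA"
    valid_from: date   # start of the certificate/report validity window
    valid_to: date     # end of the validity window; expiry is the drift signal

@dataclass
class Supplier:
    name: str
    tier: str
    last_reviewed: date
    evidence: list = field(default_factory=list)
    material_change: bool = False  # e.g. new sub-processor, breach notification

def review_reasons(s: Supplier, today: date) -> list:
    """Return the reasons a supplier is due for re-review as of `today` (empty list = not due)."""
    reasons = []
    if today - s.last_reviewed >= timedelta(days=CADENCE_DAYS[s.tier]):
        reasons.append("cadence elapsed")
    for e in s.evidence:
        if e.valid_to < today:
            reasons.append(f"{e.kind} expired {e.valid_to.isoformat()}")
        elif e.valid_from > today:
            reasons.append(f"{e.kind} not yet valid")
    if s.material_change:
        reasons.append("material change reported")
    return reasons

def due_for_review(suppliers: list, today: date) -> dict:
    """Map supplier name -> reasons, for every supplier with at least one reason."""
    result = {}
    for s in suppliers:
        reasons = review_reasons(s, today)
        if reasons:
            result[s.name] = reasons
    return result

# Constructed sample register mirroring the artefact types the page lists.
REGISTER = [
    Supplier("Acme Hosting", "tier1", date(2025, 3, 1),
             [Evidence("ISO 27001", date(2025, 1, 1), date(2027, 12, 31)),
              Evidence("SOC 2 Type II", date(2025, 3, 1), date(2026, 3, 1))]),
    Supplier("Bolt Payroll", "tier2", date(2025, 6, 15),
             [Evidence("DPA", date(2026, 1, 10), date(2028, 1, 10))], material_change=True),
    Supplier("Cedar Analytics", "tier3", date(2026, 1, 5),
             [Evidence("ISO 27001", date(2025, 1, 1), date(2027, 12, 31))]),
]
AS_OF = date(2026, 4, 15)  # constructed "today" for the walk-through

if __name__ == "__main__":
    for name, why in due_for_review(REGISTER, AS_OF).items():
        print(name, "->", "; ".join(why))
```

Each entry in the returned map is the citation a reviewer records in the decision log before signing off, so the "why" survives staff turnover.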


Want a quick reality check?

Twenty questions across four NIS2 categories — governance, supplier risk, incident response, and evidence. You get a directional readiness score, a per-article gap report, and an honest steer on where to focus next. It's not a substitute for a formal assessment, but it is a genuine reality check, and it's free.


Stuck on a specific question?

Book a 30-minute readiness call with a CISSP- and CISM-certified practitioner. Bring whatever you're stuck on — supplier scoping, evidence collection, audit prep, regulator-readiness. Honest answers. No prep needed.
