SaaSFort

NIS2 Supply Chain Security: What Article 21(2)(d) Requires

NIS2 Article 21(2)(d) requires essential and important entities to address "security in supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." In plain terms: you must assess the cybersecurity of the suppliers your operations depend on, and you must document that assessment.

Which suppliers need to be assessed

NIS2 does not require you to assess every vendor. ENISA guidance focuses on suppliers who could affect the availability, confidentiality, or integrity of your services. In practice, this means: cloud infrastructure providers (AWS, Azure, GCP), SaaS tools with access to your customer data or production systems, network providers, and managed service providers (MSPs) who have admin access to your environment.

Suppliers who only provide commodity services with no access to data or systems (office supplies, couriers) do not need a cybersecurity assessment. Focus your effort on the tier-1 suppliers listed in your asset inventory.

What a supplier security assessment should cover

For each significant supplier, collect: their external security posture (a recent scan result or equivalent), their certification status (ISO 27001, SOC 2, or equivalent), their incident notification process (will they tell you within 24 hours if their system is breached?), and their access control documentation (who has access to your environment, under what conditions).

For SaaS suppliers, the fastest way to assess external posture is to run a free scan at saasfort.com/scan against their domain. A B-grade or above with DMARC enforcement and valid TLS is the baseline. If a supplier scores below C, ask them for their remediation timeline before accepting the risk.

How to document the supply chain assessment for a BSI audit

Create a supplier register with columns for: supplier name, service provided, data or system access level, last assessment date, assessment result (grade or certification), and risk decision (accepted, conditional, remediation required). For each significant supplier, attach the evidence: their scan result, certification copy, or completed questionnaire.

BSI auditors want to see a process, not just a one-time snapshot. Show that your supplier assessments are reviewed at least annually and triggered by significant changes (new supplier, major version upgrade, security incident at the supplier).

What to send your own customers who ask for your NIS2 assessment

If you are the supplier being assessed, your customers need the same evidence: an external scan result, your certification status, your incident notification process, and confirmation of who in your organisation is the security contact.

The €39 audit pack produces a PDF covering the external-posture section: your A-F grade, 60 controls mapped to NIS2 Article 21 and ISO 27001 Annex A, and a dated cover letter addressed to your customer's auditor. For a full supply chain assessment kit that also includes the governance sections, see the security-scan hub, which covers each use case scenario.

Related use cases

The security scan by use case hub maps each common scenario to the relevant scan controls: SOC 2 prep, NIS2 registration, ISO 27001 audit, enterprise procurement, cyber insurance, and more. Pick the one that matches your situation.

Frequently asked questions

Does NIS2 require me to assess every supplier or just the critical ones?
ENISA guidance and BSI interpretation focus on suppliers who could meaningfully affect your security posture or service availability. You do not need to assess every vendor. Start with suppliers who have access to your production systems, customer data, or critical infrastructure. Document your selection criteria so an auditor can see how you determined which suppliers are in scope.

Can I use a supplier's ISO 27001 certification instead of running my own scan?
Yes. A current ISO 27001 certificate covering the relevant services is acceptable evidence for NIS2 supply chain assessments. Check the scope of the certificate to confirm it covers the service you rely on. If the certification does not include external-posture controls, a scan result complements it by covering the observable technical layer.

What if a supplier refuses to provide security evidence?
Document the refusal and apply a risk rating. For critical suppliers, a refusal to provide evidence is itself a risk to escalate. Options: accept the risk with a written risk decision, require the supplier to produce evidence within a defined window as a contract condition, or switch suppliers. BSI auditors expect you to show that you manage supplier risk, including how you handle non-cooperative suppliers.

How often do I need to reassess my suppliers under NIS2?
NIS2 requires assessments but does not set a fixed reassessment interval. BSI guidance suggests annual reviews for critical suppliers, supplemented by event-triggered reviews after significant incidents or major changes. Keep your supplier register dated so auditors can see the cadence.
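The supplier register, the risk-decision thresholds (B-grade or above with DMARC enforcement and valid TLS as the baseline, below C as remediation required, a refused request as a risk to escalate) and the annual plus event-triggered review cadence described above, expressed as a small Python script. This is an added example, not SaaSFort's own tooling or code from the original page. The supplier names, dates, grades and DMARC records are constructed sample data; the "pct=100" requirement in the DMARC check and the mapping of access levels to "in scope" are this example's assumptions, not rules stated on the page.

```python
"""Supplier register with NIS2-style risk decisions and reassessment checks (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

GRADE_ORDER = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": 0}
REVIEW_INTERVAL = timedelta(days=365)          # annual review for in-scope suppliers
TRIGGER_EVENTS = {"new_supplier", "major_version_upgrade", "security_incident"}
IN_SCOPE_ACCESS = {"admin", "production", "customer_data"}   # assumption: commodity = "none"
ACCEPTED_CERTS = {"ISO 27001", "SOC 2"}


def dmarc_enforced(txt_record: str) -> bool:
    """True when a DMARC TXT record requests quarantine or reject.
    Assumption of this example: pct below 100 counts as not fully enforced."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return False
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return tags.get("p", "none") in ("quarantine", "reject") and pct == 100


@dataclass
class Supplier:
    name: str
    service: str
    access_level: str                      # "admin", "production", "customer_data", "none"
    last_assessed: Optional[date]          # None = never assessed
    grade: Optional[str] = None            # external scan grade A-F, None if no scan
    certification: Optional[str] = None    # "ISO 27001", "SOC 2", ...
    dmarc_record: str = ""
    tls_valid: bool = False
    evidence_refused: bool = False


def in_scope(s: Supplier) -> bool:
    return s.access_level in IN_SCOPE_ACCESS


def risk_decision(s: Supplier) -> str:
    """Apply the page's thresholds; returns accepted / conditional / remediation required / escalate."""
    if s.evidence_refused:
        return "escalate"                  # refusal by an in-scope supplier is itself a risk
    if s.grade is None and s.certification in ACCEPTED_CERTS:
        return "accepted"                  # current certificate alone is acceptable (check its scope)
    if s.grade is None:
        return "remediation required"      # no evidence at all
    score = GRADE_ORDER[s.grade.upper()]
    if score < GRADE_ORDER["C"]:
        return "remediation required"      # below C: ask for a remediation timeline first
    if score >= GRADE_ORDER["B"] and dmarc_enforced(s.dmarc_record) and s.tls_valid:
        return "accepted"                  # baseline met
    return "conditional"


def review_due(s: Supplier, today: date, events=()) -> bool:
    """Annual cadence plus event triggers (new supplier, major upgrade, incident)."""
    if s.last_assessed is None or today - s.last_assessed >= REVIEW_INTERVAL:
        return True
    return any(e in TRIGGER_EVENTS for e in events)


def build_register(suppliers, today: date, events_by_supplier=None):
    """Rows with the columns the page lists; out-of-scope suppliers are left out."""
    events_by_supplier = events_by_supplier or {}
    rows = []
    for s in suppliers:
        if not in_scope(s):
            continue
        rows.append({
            "supplier": s.name,
            "service": s.service,
            "access": s.access_level,
            "last_assessed": s.last_assessed.isoformat() if s.last_assessed else "never",
            "result": s.grade or s.certification or "none",
            "risk_decision": risk_decision(s),
            "review_due": review_due(s, today, events_by_supplier.get(s.name, ())),
        })
    return rows


# Constructed sample data (not real suppliers).
TODAY = date(2024, 9, 1)
SAMPLE_SUPPLIERS = [
    Supplier("CloudCo", "cloud infrastructure", "admin", date(2024, 3, 1), grade="A",
             dmarc_record="v=DMARC1; p=reject; rua=mailto:dmarc@cloudco.example", tls_valid=True),
    Supplier("TicketSaaS", "support desk", "customer_data", date(2023, 6, 15), grade="C",
             dmarc_record="v=DMARC1; p=none", tls_valid=True),
    Supplier("AuditedVendor", "payroll", "customer_data", date(2024, 5, 20), certification="SOC 2"),
    Supplier("MSP Ltd", "managed IT", "admin", None, evidence_refused=True),
    Supplier("Courier", "parcel delivery", "none", None),
]
SAMPLE_EVENTS = {"CloudCo": ("major_version_upgrade",)}


def sample_register():
    return build_register(SAMPLE_SUPPLIERS, TODAY, SAMPLE_EVENTS)


if __name__ == "__main__":
    for row in sample_register():
        print(row)
```

Running the script prints one row per in-scope supplier; the courier is omitted because it has no data or system access. The register rows are plain dictionaries so they can be written to CSV or a spreadsheet as the evidence file an auditor asks for.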

Need the evidence document this week?

The free scan shows your A-F grade in 60 seconds. The €39 audit pack adds the dated PDF mapped to NIS2 Article 21 and ISO 27001 Annex A, ready to attach to a questionnaire or auditor file.

One-time payment, no subscription, no account on the first scan.