Risk Management

Vendor Compliance: Why It's Your Risk

NIS2 makes you responsible for your suppliers' security. Learn how vendor compliance works and how to manage it effectively.

  • 62% of data breaches involve a third party (Ponemon Institute)
  • Average cost of a third-party breach: $4.5M (IBM Cost of a Data Breach)
  • NIS2 Article 21 requires explicit supplier security (NIS2 Directive)

Your suppliers are your attack surface

Modern business depends on suppliers — cloud services, IT partners, consultants, subcontractors. Each such connection is a potential entry point for attackers. NIS2 recognises this and makes supplier security an explicit requirement.

The reality: When you give a supplier access to your systems or data, you share your risk with them. But the responsibility remains with you.

What does NIS2 require?

NIS2 Article 21 — Supplier Security:

Organisations shall take appropriate measures regarding:

  • Security aspects of supplier relationships
  • Security quality of suppliers’ products/services
  • Cybersecurity practices of suppliers, including development processes
  • Suppliers’ vulnerability management and reporting

Consequence: You cannot blame the supplier in case of an incident. You are responsible for having managed the risk.

Common supply chain risks

Inadequate security controls

The supplier lacks sufficient security measures. Their weaknesses become your weaknesses.

Over-privileged access

The supplier has more access than necessary. Larger attack surface in case of breach.

No incident reporting

The supplier doesn't notify you of incidents. You don't know you're exposed.

Uncontrolled sub-suppliers

The supplier's sub-suppliers are unknown. Risk chain extends uncontrollably.

Unclear responsibilities

Who is responsible for what during an incident? Unclear contracts lead to delays and conflicts.

Concentration risk

Critical dependency on one supplier. If they fail, you fail.

5 steps for effective vendor compliance

  1. Inventory and classify: List all suppliers with system access, data handling or business-critical importance. Classify by risk level: Critical, High, Medium, Low. Focus resources on the critical ones.
  2. Define security requirements: Create requirement levels adapted to the classification. Critical suppliers: ISO 27001 or equivalent, penetration testing, incident reporting. Lower risk: basic security policies.
  3. Conduct assessment: Use standardised questionnaires. Request documentation. For critical suppliers: consider an on-site or virtual audit. Verify answers, don't trust blindly.
  4. Update contracts: Ensure contracts include: security requirements, incident reporting obligations, audit rights, sub-supplier requirements, liability for security breaches, exit clauses.
  5. Monitor continuously: Vendor compliance is not a one-off project. Annual review of critical suppliers. Monitor news about breaches. React to changes.

Questions to ask suppliers

Basic questions (all suppliers)

  1. Do you have a documented information security policy?
  2. How do you handle security incidents?
  3. Do you have any security certifications (ISO 27001, SOC 2)?
  4. How quickly can you notify us of an incident?
  5. Which sub-suppliers do you use that affect us?

Advanced questions (critical suppliers)

  1. Can we see your latest penetration test report?
  2. How often do you conduct security reviews?
  3. What security training do your staff receive?
  4. How do you handle patching and vulnerabilities?
  5. What is your RTO/RPO (recovery time objective / recovery point objective) for services to us?
  6. How do you ensure security at your sub-suppliers?

Contract checklist

Must have:

  • Reference to your security requirements
  • Obligation to maintain security standards
  • Incident reporting within [X] hours
  • Right to security audit
  • Requirement for approval of sub-suppliers

Should have:

  • SLA for security-related issues
  • Liability for security incidents
  • Obligation to inform about changes
  • Backup and disaster recovery requirements
  • Exit clauses and data handling at termination

Red flags

Refuses to answer questions

"It's confidential" is not an acceptable answer to basic security questions.

No documented processes

If they can't show policies and procedures, they probably don't have mature processes.

No incident history

"We've never had incidents" is rarely true. Either they don't investigate, or they're not honest.

Uncontrolled sub-suppliers

If they don't know which sub-suppliers handle your data, it's a serious warning sign.

Practical tips

Prioritise correctly

Not all suppliers need the same level of review. A cloud supplier handling customer data requires deeper scrutiny than an office supplies vendor.

Use standards

Questionnaires like SIG (Standardized Information Gathering) or CAIQ (Consensus Assessments Initiative Questionnaire) save time and provide comparability.

Automate where possible

Manual supplier management doesn’t scale. Use tools to handle assessments, reminders and documentation.

Be prepared to act

If a supplier doesn’t meet requirements, have a plan. Can they improve? Are there alternatives? What compensating controls can be implemented?

How Securapilot can help

Securapilot’s supplier module streamlines vendor compliance:

  • Supplier register — Centralised overview with classification
  • Questionnaires — Standardised assessments per risk level
  • Risk assessment — Automatic risk scoring based on responses
  • Reminders — Automatic follow-up of reviews
  • Document management — All certificates and reports in one place
  • Dashboard — Overview of supplier landscape

Book a demo and see how we can help you take control of supplier risks.


Frequently asked questions

What is vendor compliance?

Vendor compliance is the process of ensuring your suppliers meet defined security and regulatory requirements. It includes initial assessment, contractual requirements and ongoing monitoring.

Why are suppliers my risk?

Your suppliers often have access to your systems or data. If they suffer a breach, it can directly affect you. NIS2 makes you responsible for managing this risk.

Which suppliers should be reviewed?

Focus on critical suppliers: those with access to sensitive systems/data, delivering business-critical services, or who can impact your ability to deliver your services.

How often should reviews take place?

Initial review before contract. Critical suppliers at least annually thereafter. Important suppliers every two years. All suppliers during significant changes.

