Your security is only as strong as your weakest link
The majority of organizations have dozens or hundreds of suppliers with some form of access to systems or data. Each such connection is a potential attack vector. NIS2 recognizes this and therefore sets explicit requirements for supply chain security.
This isn’t about distrusting your partners — it’s about systematically managing a risk that is otherwise easily overlooked.
Reality check: According to the Ponemon Institute, 62% of cyberattacks come via the supply chain. Attackers know it’s often easier to breach through a smaller supplier than directly through the target organization.
What does NIS2 require?
NIS2 Article 21 — Supply Chain Security:
Organizations shall take appropriate measures to manage cybersecurity risks related to the supply chain, including:
- Security-related aspects of relationships with suppliers
- Security quality of suppliers’ products and services
- Cybersecurity practices of suppliers, including their development processes
- Vulnerability management and disclosure
5-step model for supplier assessment
- Inventory and categorize: Start by listing all suppliers that have access to systems, data or premises. Categorize them by criticality: Critical (business impact if unavailable), High (significant impact), Medium, Low. Focus on the critical and high categories first.
- Define requirements per category: Different suppliers require different levels of security requirements. A critical cloud provider requires comprehensive requirements, while an office supplier requires less. Create requirement levels proportional to risk.
- Conduct assessment: Use questionnaires, request documentation, and where necessary conduct audits. Focus on: security policies, incident management, access control, encryption, backup and business continuity.
- Update contracts: Ensure contracts contain security requirements, incident reporting (the supplier must notify you of incidents), right to audit, sub-supplier requirements, and liability for security breaches.
- Monitor continuously: Supplier assessment is not a one-off activity. Establish regular follow-up, monitor suppliers' security status and respond to changes in the risk landscape.
What should be assessed?
Security capability
| Area | Questions to ask |
|---|---|
| Policies | Are there documented security policies? How often are they updated? |
| Certifications | Does the supplier have ISO 27001 or similar? Is the certificate valid? |
| Incident management | How quickly can they report incidents to you? Have they tested their plan? |
| Access control | How is access to your systems/data managed? Is access logged? |
| Encryption | Is data encrypted in transit and at rest? What standards are used? |
| Backup | How is your data backed up? Is recovery tested? |
| Sub-suppliers | Which sub-suppliers are used? How are they controlled? |
Red flags
A supplier that cannot produce basic security documentation likely lacks mature security governance.
If a supplier categorically refuses to provide insight or answer questions, it's a warning sign. Legitimate suppliers understand the need.
If the supplier cannot describe how they would notify you of an incident, you cannot meet your own reporting requirements.
If the supplier uses many sub-suppliers without controlling them, the chain of risk extends beyond your visibility and control.
Supplier contract checklist
Security requirements:
- Reference to organization’s security policy
- Specific technical requirements (encryption, access control, etc.)
- Personnel training requirements
- Security incident reporting requirements
Incident management:
- Obligation to report incidents within [X] hours
- Contact channels and escalation process
- Obligation to assist with investigation
- Liability for costs arising from incidents
Audit and oversight:
- Right to conduct security audits
- Access to relevant logs and reports
- Obligation to inform about changes
- Requirement to provide certificates and attestations
Sub-suppliers:
- Requirement for approval of sub-suppliers
- Same security requirements apply down the chain
- List of approved sub-suppliers
Termination:
- How data is returned or destroyed
- Timeframe for transition
- Continued confidentiality after termination
Questions to ask suppliers
Initial screening
- Do you have a documented information security policy?
- Do you have any security certifications (ISO 27001, SOC 2, etc.)?
- How do you handle security incidents?
- How do you protect data you handle on customers’ behalf?
- Which sub-suppliers do you use?
In-depth assessment (critical suppliers)
- Can we receive copies of relevant policies and procedures?
- When was your last penetration test conducted? Can we see the report?
- How do you handle vulnerability patching? What SLAs do you have?
- How is access to our systems/data logged and monitored?
- What are your RTO and RPO for services to us?
- Have you conducted incident exercises in the past year?
Common challenges and solutions
Solution: Prioritize based on criticality and risk. Start with the 10-20 most important. Use self-declarations for lower risk levels.
Solution: Evaluate alternative suppliers. If switching isn't possible, implement compensating controls and document risk acceptance.
Solution: Automate where possible. Use standard questionnaires and vendor management tools.
Solution: Require visibility into sub-suppliers and demand the same standards apply down the chain.
How Securapilot can help
Securapilot’s vendor management module streamlines the entire process:
- Supplier register — Centralized overview of all suppliers
- Risk classification — Automatic categorization based on criticality
- Questionnaires — Standardized assessment forms
- Traceability — Complete history of assessments and decisions
- Reminders — Automatic follow-up notifications
- Reports — Export status for management and audit
Book a demo and see how we can help you take control of supplier risks.
Frequently asked questions
Which suppliers must we assess under NIS2?
Focus on suppliers that have access to your systems, handle your data, or deliver services critical to your operations. This includes IT suppliers, cloud services, operational partners and others with privileged access.
What should be included in supplier contracts under NIS2?
Contracts should contain security requirements appropriate to risk level, incident reporting requirements, right to audit, requirements for sub-supplier control, and clear responsibility allocation for security incidents.
How often should suppliers be assessed?
Frequency depends on criticality and risk. Critical suppliers should be assessed annually, others at longer intervals. All suppliers should undergo initial assessment before contracts are signed.
What do we do if a supplier doesn't meet requirements?
Start with dialogue and a remediation plan. If the supplier cannot or will not improve, consider changing suppliers or implementing compensating controls. Document your decisions and risk acceptance.