An SME can face NIS2 demands even without falling directly within scope. Essential and important entities must manage the security of their supply chain and pass requirements down to software, cloud, maintenance, communications and managed service providers. The response can't be limited to a questionnaire: it requires controls, contracts, tests and verifiable incidents.
Direct and indirect application
Directive (EU) 2022/2555 covers critical sectors and requires the entities within scope to apply risk and incident management measures. The supplier needs to distinguish:
- Direct application: the entity itself falls within scope under the national transposition.
- Contractual requirement: a client within scope imposes supply-chain controls.
- Voluntary practice: controls are adopted for market access and resilience.
The legal classification should be reviewed by entity, size, sector and service. In Spain, at the time of writing, the status and final text of the transposition must be confirmed in the BOE (Spain's Official State Gazette) before claiming specific national obligations.
Why the supply chain is central
Article 21 covers supply-chain security and relationships with direct suppliers. Entities must consider supplier-specific vulnerabilities, the quality of their practices and their secure-development capability.
A small supplier can become an access route into critical clients through:
- Remote credentials.
- Updates.
- Embedded software.
- Backups and data.
- Support access.
- Operational dependency.
- Sub-suppliers.
Risk is assessed by capability, not just by size.
Inventory of services and dependencies
Each service needs a record covering:
- Client and service.
- Systems and data.
- Remote access.
- Committed availability.
- Locations.
- Privileged staff.
- Sub-suppliers.
- Components and software.
- RTO/RPO.
- Incident notification.
- Exit plan.
This makes it possible to answer questionnaires with consistent evidence.
Minimum relevant measures
NIS2 takes an all-hazards approach with proportionate measures, including:
- Risk analysis and security policies.
- Incident management.
- Continuity, backups and recovery.
- Supply-chain security.
- Secure acquisition, development and maintenance.
- Effectiveness assessment.
- Cyber hygiene and training.
- Cryptography.
- Personnel, access and asset security.
- MFA and secure communications where relevant.
The supplier must map each measure to a control, an owner, evidence and a review frequency.
Governance and management
Even when the SME responds through a contract, management must approve risks, resources and exceptions. A security lead, escalation path and review cycle need to be defined.
A minimal structure:
| Role | Responsibility |
|---|---|
| Management | Risk, resources and contracts |
| Security/IT | Controls and monitoring |
| Operations | Continuity and changes |
| Legal/compliance | Scope, clauses and notification |
| Procurement | Sub-suppliers |
| DPO | Personal data and GDPR breaches |
NIS2 and GDPR can overlap on a single incident, but their criteria and recipients are different.
Contracts with clients
Essential clauses:
- Description and criticality.
- Required controls.
- Access and segregation.
- Encryption and keys.
- Vulnerabilities and patches.
- Secure development.
- Subcontracting.
- Incidents and operational deadlines.
- Cooperation and evidence.
- Proportionate audit.
- Continuity and testing.
- Return, portability and exit.
"Complying with NIS2" isn't acceptable without defining what that means. Obligations need to be measurable.
Incident notification
The directive sets out a staged scheme for significant incidents, but the supplier must notify the client well before the client's own deadlines run out. The contract defines an urgent channel, initial information, updates and closure.
Minimum content:
- What happened and when.
- Affected services.
- Impact and scope.
- Indicators and known cause.
- Containment measures.
- Potential personal data involved.
- Next milestones.
- Operational contact.
Full certainty isn't required before raising the alarm. Updates follow as the investigation progresses.
Vulnerabilities and patches
The process covers:
- Intake and triage.
- Severity and exposure.
- Temporary mitigation.
- Development and testing.
- Coordinated disclosure.
- Deployment.
- Confirmation and metrics.
An asset and version inventory is maintained. For software, an SBOM and its dependencies help assess impact, but they need to stay up to date.
Remote access
Support access is high-risk. Controls:
- Individual identity.
- Phishing-resistant MFA where feasible.
- Time-bound approval.
- Bastion or controlled access.
- Least privilege.
- Recording or logs made available.
- Geographic/time restrictions.
- Immediate revocation.
- Periodic review.
Generic supplier accounts must not stay open.
Continuity
The supplier sets realistic RTO and RPO targets and tests backups, restoration, staff, communications and third-party dependencies.
A tabletop exercise is no substitute for an actual restore. The report covers time taken, data recovered, failures and follow-up actions.
Sub-suppliers
The client needs to know about critical dependencies. Before bringing in a sub-supplier, its security, location, continuity, incident handling and exit terms are assessed. The contract allows changes to be notified and controls to be passed down.
"No subcontracting" isn't a valid answer if cloud, support or libraries are relevant dependencies.
Evidence for questionnaires
- Risk assessment policy.
- Asset inventory.
- Access matrix.
- Training records.
- Vulnerabilities and patches.
- Backups and restoration.
- Continuity tests.
- Incidents and lessons learned.
- Supplier assessment.
- Certifications and scope.
- Audits and follow-up actions.
Evidence is shared on a minimised, confidential basis. Secrets or full reports aren't handed over when an extract will do.
Certifications and frameworks
ISO/IEC 27001, ENS (Spain's National Security Framework) or other frameworks can provide evidence, but they don't automatically equate to NIS2 compliance. Scope and controls need to be mapped across.
A certificate that excludes the contracted service doesn't address the client's risk.
90-day plan
Days 1-30
- Classify the entity and its services.
- Inventory clients and dependencies.
- Run a gap analysis against Article 21.
- Fix critical access issues.
Days 31-60
- Update policies, contracts and incident procedures.
- Test backups and continuity.
- Assess sub-suppliers.
- Prepare evidence.
Days 61-90
- Run a drill with the client.
- Close out priority actions.
- Sign off residual risks.
- Put periodic review in place.
Common mistakes
- Claiming it doesn't apply because you're an SME.
- Answering questionnaires without evidence.
- Promising notification timelines you can't meet.
- Keeping shared accounts active.
- Not knowing your sub-suppliers.
- Confusing a backup with a recovery.
- Presenting a certificate that's out of scope.
- Withholding incidents until you're certain.
- Accepting unlimited audit rights.
- Waiting for the transposition to start.
Checklist
- Direct and indirect scope reviewed.
- Services and dependencies inventoried.
- Article 21 risks and controls mapped.
- Management and owners defined.
- Measurable contracts.
- Incidents with a channel and deadlines.
- Remote access secured.
- Vulnerabilities and patches up to date.
- Backups and continuity tested.
- Sub-suppliers assessed.
- Evidence up to date.
Frequently asked questions
Does NIS2 apply to all supplier SMEs?
Not directly in every case. But clients within scope must manage their supply chain and can pass down contractual requirements.
Is ISO 27001 enough on its own?
It helps, but the scope needs checking and the requirements need mapping against NIS2.
How quickly must a supplier report an incident?
Fast enough for the client to meet its own legal deadlines. The contract sets an immediate operational initial alert followed by further updates.
Do we need to wait for the Spanish law?
No, not to improve controls and respond to clients. Specific national obligations do need to be verified once the text is published, though.
Official sources consulted
Summum Consultoría can map scope, contracts and evidence, coordinating NIS2 with ENS, ISO 27001 and GDPR.