NIS2 for suppliers: contracts and evidence

·

An SME can face NIS2 demands even without falling directly within scope. Essential and important entities must manage the security of their supply chain and pass requirements down to software, cloud, maintenance, communications and managed service providers. The response can't be limited to a questionnaire: it requires controls, contracts, tests and verifiable incidents.

Direct and indirect application

Directive (EU) 2022/2555 covers critical sectors and requires the entities within scope to apply risk and incident management measures. The supplier needs to distinguish:

The legal classification should be reviewed by entity, size, sector and service. In Spain, at the time of writing, the status and final text of the transposition must be confirmed in the BOE (Spain's Official State Gazette) before claiming specific national obligations.

Why the supply chain is central

Article 21 covers supply-chain security and relationships with direct suppliers. Entities must consider supplier-specific vulnerabilities, the quality of their practices and their secure-development capability.

A small supplier can become an access route into critical clients through:

Risk is assessed by capability, not just by size.

Inventory of services and dependencies

Each service needs a record covering:

This makes it possible to answer questionnaires with consistent evidence.

Minimum relevant measures

NIS2 takes an all-hazards approach with proportionate measures, including:

The supplier must map each measure to a control, an owner, evidence and a review frequency.

Governance and management

Even when the SME responds through a contract, management must approve risks, resources and exceptions. A security lead, escalation path and review cycle need to be defined.

A minimal structure:

RoleResponsibility
ManagementRisk, resources and contracts
Security/ITControls and monitoring
OperationsContinuity and changes
Legal/complianceScope, clauses and notification
ProcurementSub-suppliers
DPOPersonal data and GDPR breaches

NIS2 and GDPR can overlap on a single incident, but their criteria and recipients are different.

Contracts with clients

Essential clauses:

"Complying with NIS2" isn't acceptable without defining what that means. Obligations need to be measurable.

Incident notification

The directive sets out a staged scheme for significant incidents, but the supplier must notify the client well before the client's own deadlines run out. The contract defines an urgent channel, initial information, updates and closure.

Minimum content:

Full certainty isn't required before raising the alarm. Updates follow as the investigation progresses.

Vulnerabilities and patches

The process covers:

  1. Intake and triage.
  2. Severity and exposure.
  3. Temporary mitigation.
  4. Development and testing.
  5. Coordinated disclosure.
  6. Deployment.
  7. Confirmation and metrics.

An asset and version inventory is maintained. For software, an SBOM and its dependencies help assess impact, but they need to stay up to date.

Remote access

Support access is high-risk. Controls:

Generic supplier accounts must not stay open.

Continuity

The supplier sets realistic RTO and RPO targets and tests backups, restoration, staff, communications and third-party dependencies.

A tabletop exercise is no substitute for an actual restore. The report covers time taken, data recovered, failures and follow-up actions.

Sub-suppliers

The client needs to know about critical dependencies. Before bringing in a sub-supplier, its security, location, continuity, incident handling and exit terms are assessed. The contract allows changes to be notified and controls to be passed down.

"No subcontracting" isn't a valid answer if cloud, support or libraries are relevant dependencies.

Evidence for questionnaires

Evidence is shared on a minimised, confidential basis. Secrets or full reports aren't handed over when an extract will do.

Certifications and frameworks

ISO/IEC 27001, ENS (Spain's National Security Framework) or other frameworks can provide evidence, but they don't automatically equate to NIS2 compliance. Scope and controls need to be mapped across.

A certificate that excludes the contracted service doesn't address the client's risk.

90-day plan

Days 1-30

Days 31-60

Days 61-90

Common mistakes

  1. Claiming it doesn't apply because you're an SME.
  2. Answering questionnaires without evidence.
  3. Promising notification timelines you can't meet.
  4. Keeping shared accounts active.
  5. Not knowing your sub-suppliers.
  6. Confusing a backup with a recovery.
  7. Presenting a certificate that's out of scope.
  8. Withholding incidents until you're certain.
  9. Accepting unlimited audit rights.
  10. Waiting for the transposition to start.

Checklist

Frequently asked questions

Does NIS2 apply to all supplier SMEs?

Not directly in every case. But clients within scope must manage their supply chain and can pass down contractual requirements.

Is ISO 27001 enough on its own?

It helps, but the scope needs checking and the requirements need mapping against NIS2.

How quickly must a supplier report an incident?

Fast enough for the client to meet its own legal deadlines. The contract sets an immediate operational initial alert followed by further updates.

Do we need to wait for the Spanish law?

No, not to improve controls and respond to clients. Specific national obligations do need to be verified once the text is published, though.

Official sources consulted

Summum Consultoría can map scope, contracts and evidence, coordinating NIS2 with ENS, ISO 27001 and GDPR.