NIS2 has been in force since October 2024. Enforcement is accelerating across EU member states, and supply chain security is one of the areas regulators are most focused on. For IT managers at mid-sized Nordic companies, the question is no longer whether to manage supplier risk — it's how to do it in a way that satisfies auditors without requiring a dedicated GRC team.
This guide covers what NIS2 actually requires from you on supplier risk, what evidence you need to produce, and how to build a repeatable process with the resources most teams actually have.
What NIS2 says about suppliers
Article 21 of NIS2 requires essential and important entities to implement risk management measures across ten specific domains. Supply chain security is one of them — specifically, Article 21(2)(d) states that entities must address "security in supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."
What does that mean in practice? The directive doesn't prescribe a specific method, but national supervisory authorities and guidance from ENISA (the EU cybersecurity agency) are converging around several expectations:
- A structured process for identifying and assessing supplier risk — not a one-time exercise, but something repeatable and documented.
- Evidence that you understand your critical dependencies — which suppliers could disrupt your operations or services if they failed or were compromised.
- Documented follow-up on identified weaknesses — auditors want to see that findings from assessments lead to action, not just a report that sits in a drawer.
- Management oversight — someone with authority needs to be accountable for supplier risk, and there should be a reporting mechanism.
The key shift from NIS1: NIS2 explicitly includes supply chain risk as a mandatory control area. Under NIS1, many organisations treated supplier risk as optional. Under NIS2, regulators can issue fines of up to €10 million or 2% of global turnover for non-compliance — and supply chain gaps are a documented enforcement priority.
Who is in scope under NIS2?
NIS2 applies to "essential" and "important" entities in sixteen sectors. The sectors most relevant to Nordic IT managers include:
- Digital infrastructure and digital service providers
- Managed service providers (MSPs) and managed security service providers (MSSPs)
- Banking and financial market infrastructure
- Healthcare and medical device manufacturers
- Energy and utilities
- Transport
- Public administration (in most member states)
- Manufacturing of critical products
The thresholds are broad: companies with more than 50 employees or €10 million in annual turnover in these sectors are likely in scope. If you're reading this and you manage IT for a company in one of these sectors, assume you're in scope and verify with your legal team.
The three things auditors will ask for
Based on the ENISA guidance and early enforcement patterns across member states, NIS2 auditors are focusing on three areas when it comes to supply chain:
1. A supplier inventory with risk classification
You need to know who your suppliers are and which ones create the most risk. This means maintaining a list of suppliers — particularly those with access to your systems, data, or operational processes — and classifying each by their potential impact.
At minimum, each supplier record should capture: what service they provide, whether they have system access, what data they handle, how business-critical they are, and whether you have contractual security requirements in place.
2. Assessment evidence
A list of suppliers isn't enough. You need evidence that you've actually assessed the security posture of your critical and high-risk suppliers. Assessments don't need to be elaborate — a structured questionnaire covering key areas (access controls, incident response, data handling, subcontracting) is sufficient in most cases.
The questionnaire responses need to be documented somewhere you can retrieve them. Emails and spreadsheets get messy; a purpose-built tool creates a cleaner audit trail.
3. Follow-up on findings
This is where most organisations fall short. They send a questionnaire, get responses, note some weaknesses — and then nothing happens. Auditors want to see that identified issues were tracked, assigned, and either resolved or accepted with a documented rationale.
The concept of residual risk is central here: after you've identified risks and taken mitigating actions, what risk remains? Can you show it's going down over time? That's the kind of evidence that demonstrates an active, mature programme.
A practical framework for NIS2 supplier risk
Most IT managers don't have unlimited time for this. Here's a pragmatic approach that covers NIS2 requirements without requiring a dedicated GRC team:
Step 1: Build your supplier shortlist
Don't try to assess every supplier at once. Start with the suppliers that matter most:
- Suppliers with privileged access to your systems or networks
- Suppliers that process personal or sensitive data on your behalf
- Suppliers whose failure would disrupt your operations or services
- Cloud providers and SaaS tools used for core business functions
For most mid-sized companies, this shortlist is 15–30 suppliers. That's a manageable starting point.
Step 2: Classify each supplier by internal risk
Before sending a single questionnaire, assess each supplier based on what you already know: their criticality to your operations, the data they handle, the access they have, and whether you have contractual security obligations in place. This internal classification helps you prioritise which suppliers need the most rigorous assessment.
Step 3: Send structured questionnaires
Use a questionnaire that covers the areas NIS2 and ENISA guidance highlight: access controls, vulnerability management, incident response, business continuity, subcontracting, and (where relevant) data handling under GDPR. Ready-made templates — including NIS2-specific ones — are available in tools like Supplira and save significant time.
Make it easy for suppliers to respond. Send a link they can fill in without creating an account. Set a due date. Send automated reminders.
Step 4: Create findings for every weak answer
A submitted questionnaire with weak answers is not a finding — it's a lead. Convert weak answers into structured findings with a severity rating, a description of the gap, and a recommended action. This is the evidence trail auditors look for.
Step 5: Track and close findings over time
Assign findings. Set target resolution dates. Follow up. When a finding is resolved — the supplier has implemented the required control, for example — close it with a note. The residual risk for that supplier should decrease. This ongoing tracking is what turns a one-time questionnaire exercise into a programme.
Step 6: Report internally
Management needs visibility into supplier risk. A brief quarterly report covering your top suppliers by residual risk, the status of open critical findings, and a trend line showing risk reduction satisfies NIS2's management oversight requirement and gives you something concrete to share with leadership.
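The six steps above amount to a small data model plus a handful of rules, so here is one way to keep that register in code. This is an added example, not Supplira's code and not a method NIS2 or ENISA prescribes: the tier scoring, the severity weights, the residual-risk formula and the questionnaire questions are my own illustrative assumptions, and the suppliers and answers are constructed sample data. What it shows is the evidence chain auditors ask for: an inventory record, an internal classification derived from it, findings raised from weak answers, a residual-risk figure that drops when a finding is closed, and a report that surfaces overdue items.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed weights: how much an open finding of each severity adds to residual risk.
SEVERITY_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1}

# Assumed questionnaire: control question -> severity of a "No" answer.
QUESTION_SEVERITY = {
    "mfa_on_remote_access": "high",
    "incident_notification_24h": "high",
    "vuln_mgmt_process": "medium",
    "subcontractors_disclosed": "medium",
    "bcp_tested_last_12m": "medium",
}


@dataclass
class Supplier:
    """Step 1: the minimum context each inventory record should carry."""
    name: str
    service: str
    system_access: bool
    data_handled: str              # "none", "internal", "personal" or "sensitive"
    business_critical: bool
    contract_security_terms: bool  # security requirements, incident notification, audit rights


@dataclass
class Finding:
    supplier: str
    title: str
    severity: str
    owner: str
    opened: date
    target: date
    closed: Optional[date] = None
    note: str = ""  # resolution note, or the documented rationale if the risk is accepted

    @property
    def is_open(self) -> bool:
        return self.closed is None


def inherent_tier(s: Supplier) -> str:
    """Step 2: classify from facts you already hold (assumed scoring, not a standard)."""
    score = (2 if s.system_access else 0) + (2 if s.business_critical else 0)
    score += {"none": 0, "internal": 0, "personal": 1, "sensitive": 2}[s.data_handled]
    score += 0 if s.contract_security_terms else 1  # a contractual gap raises exposure
    return "critical" if score >= 5 else "high" if score >= 3 else "standard"


def weak_answers_to_findings(s: Supplier, answers: dict, opened: date, owner: str) -> list:
    """Step 4: every 'No' on a control question becomes a tracked finding with a target date."""
    return [
        Finding(s.name, f"{q} answered No", QUESTION_SEVERITY[q], owner, opened, opened + timedelta(days=60))
        for q, ok in answers.items() if not ok
    ]


def residual_risk(s: Supplier, findings: list) -> int:
    """Step 5 (assumed model): tier baseline plus the weight of still-open findings.
    Closing a finding lowers the figure, which is the downward trend auditors want to see."""
    base = {"critical": 10, "high": 5, "standard": 1}[inherent_tier(s)]
    return base + sum(SEVERITY_WEIGHT[f.severity] for f in findings if f.supplier == s.name and f.is_open)


def management_report(suppliers: list, findings: list, as_of: date) -> dict:
    """Step 6: suppliers ranked by residual risk, open findings by severity, overdue items."""
    ranked = sorted(((s.name, residual_risk(s, findings)) for s in suppliers), key=lambda t: -t[1])
    open_f = [f for f in findings if f.is_open]
    return {
        "top_by_residual_risk": ranked,
        "open_by_severity": dict(Counter(f.severity for f in open_f)),
        "overdue": [f"{f.supplier}: {f.title}" for f in open_f if f.target < as_of],
    }


def demo() -> dict:
    """Run the steps on constructed sample suppliers and answers; returns the results."""
    erp = Supplier("CloudERP AB", "hosted ERP", True, "personal", True, True)
    cleaning = Supplier("CleanCo", "office cleaning", False, "none", False, True)
    payroll = Supplier("PayrollSaaS", "payroll processing", False, "sensitive", True, True)
    erp_answers = {"mfa_on_remote_access": False, "incident_notification_24h": True,
                   "vuln_mgmt_process": False, "subcontractors_disclosed": True,
                   "bcp_tested_last_12m": True}
    findings = weak_answers_to_findings(erp, erp_answers, date(2025, 3, 1), "it-manager")
    before = residual_risk(erp, findings)
    # The supplier enforced MFA: close that finding with a note and re-score.
    findings[0].closed, findings[0].note = date(2025, 4, 10), "MFA enforced on all admin access"
    after = residual_risk(erp, findings)
    return {
        "tiers": {s.name: inherent_tier(s) for s in (erp, cleaning, payroll)},
        "findings_raised": len(findings),
        "residual_before": before,
        "residual_after": after,
        "report": management_report([erp, cleaning, payroll], findings, date(2025, 6, 30)),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

Running it shows the ERP provider classified as critical from its inventory record alone, two findings raised from the weak answers, residual risk falling from 19 to 13 when the MFA finding is closed, and the remaining vulnerability-management finding flagged as overdue at the quarter end. The numbers are only as meaningful as the assumed weights, so whatever scheme you adopt, write it down with the register: a documented, consistently applied model is what makes the trend defensible.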
How Supplira helps: Supplira covers steps 2–6 out of the box. You get internal risk classification, NIS2-aligned questionnaire templates, automated reminders, structured findings, residual risk tracking, and a one-click executive report — without needing a full GRC platform.
Common mistakes Nordic companies make
Treating NIS2 as a one-time compliance project
NIS2 requires ongoing supplier risk management. A questionnaire campaign that runs once and produces a report satisfies auditors for year one. Year two, they'll want to see the same programme running again — and evidence that you acted on the previous cycle's findings.
Assessing all suppliers equally
A cleaning company with no system access does not need the same assessment as your cloud ERP provider. Tiered assessment — critical suppliers get detailed questionnaires, standard suppliers get lighter-touch reviews — is both practical and appropriate under NIS2.
Keeping everything in spreadsheets
Spreadsheets work for small programmes. At 20+ suppliers across multiple assessment cycles, they become impossible to maintain with integrity. Version control, missing responses, and copy-paste errors all undermine the audit trail you're trying to build.
Not having contractual security requirements
NIS2 explicitly requires entities to address supplier security in contractual arrangements. If your contracts with critical suppliers don't include security requirements, incident notification obligations, and audit rights, you have a gap — regardless of how good your questionnaire process is.
What to prioritise in the next 90 days
If you're starting from scratch, here's a 90-day sequence that creates defensible NIS2 compliance evidence:
- Week 1–2: Build your supplier inventory. Focus on the 15–25 suppliers that matter most. Capture basic context for each.
- Week 3–4: Classify each supplier by internal risk. Identify your critical and high-risk tier.
- Week 5–8: Send assessment questionnaires to your critical tier. Chase responses.
- Week 9–10: Review responses. Create findings. Assign severity and recommended actions.
- Week 11–12: Generate a management report. Establish a cadence for reassessment (annually for standard suppliers, more frequently for critical ones).
At the end of 90 days, you have a documented supplier inventory, evidence of assessments, a findings register, and a management report. That's a credible NIS2 supply chain programme.
Start your NIS2 supplier risk programme
Supplira includes NIS2-aligned templates, residual risk tracking, and executive reporting. Free for up to 3 suppliers — no credit card required.