Supply Chain Risk Assessment under NIS2

NIS2 Article 21(2)(d) requires covered entities to assess and manage the cybersecurity risks introduced by their suppliers and service providers. This guide explains what that means in practice.

What NIS2 Article 21(2)(d) requires

NIS2 Article 21(2)(d) mandates that covered entities address “security in supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.”

This means you must identify which third parties have access to your systems or data, assess the cybersecurity risks they introduce, and take proportionate measures to manage those risks. You must also document this process as part of your broader risk management programme.

Supply chain risk is not an afterthought in NIS2 — it is one of the ten mandatory measure areas under Article 21(2), placed on equal footing with incident handling, business continuity, and access control. Regulators can request evidence that you have assessed your supply chain and taken appropriate action.

Why supply chain risk is a primary attack vector

Software supply chain attacks

Attackers increasingly compromise software vendors and push malicious updates to all customers simultaneously. A single compromised supplier can expose hundreds of organisations at once.

Third-party access and data exposure

Cloud providers, managed service providers, and SaaS vendors often hold or process sensitive operational data. A breach at your supplier is effectively a breach of your organisation.

Inherited vulnerabilities

Open-source dependencies, commercial libraries, and third-party APIs can introduce vulnerabilities that are entirely outside your direct control. These must be identified and monitored.

Identify your third-party dependencies

Before you can assess supply chain risks, you need a complete picture of what third parties your organisation relies on. This inventory forms the basis of your assessment.

Categories of third-party dependencies to inventory:
  • Cloud infrastructure providers — IaaS, PaaS, hosting, DNS, CDN providers.
  • SaaS applications — CRM, ERP, HR, communication, and collaboration platforms.
  • Managed service providers (MSPs) — Outsourced IT, security operations, or network management.
  • Software vendors — Commercial software with update mechanisms that could be compromised.
  • Open-source dependencies — Libraries and frameworks your software or systems depend on.
  • Physical and logistics suppliers — Third parties with physical access to your facilities or critical infrastructure.
  • Payment and financial processors — Any third party handling financial data or transactions.

What to assess for each supplier

Once you have your inventory, you need to assess the risk each supplier introduces. Not all suppliers carry equal risk — focus your effort on those with access to critical systems or sensitive data.

Access scope

What data, systems, or network segments does this supplier have access to? Is the access privileged? Is it remote?

Criticality

What is the impact on your operations if this supplier is unavailable or compromised? Is there a fallback? How quickly could you switch?

Supplier security posture

Does the supplier hold security certifications (ISO 27001, SOC 2)? Do they publish security policies, incident reports, or a responsible disclosure programme?

Contractual security requirements

Does your contract with this supplier specify security obligations, incident notification timelines, audit rights, and data processing requirements?

Geographic and jurisdictional exposure

Where is the supplier based? Where is your data stored or processed? Are there data sovereignty or legal access risks under local laws?

Dependency chain

Does your supplier itself rely on sub-processors or fourth parties that could introduce additional risk? (Cloud providers using other cloud providers, for example.)

What to document

NIS2 compliance requires evidence. Your supply chain risk documentation should be sufficient to demonstrate to a national authority that you have taken a proportionate, systematic approach.

Key documents to maintain:
  • Supplier inventory — A register of all significant third-party dependencies with their access scope and criticality classification.
  • Risk assessment records — For each significant supplier: identified risks, likelihood, impact, and treatment decisions.
  • Contractual security requirements — Evidence that supplier contracts include appropriate security obligations and incident notification clauses.
  • Review dates — Documentation of when each supplier was last assessed and the next planned review.
  • Incident records — Any security incidents linked to supplier access or software, and the response taken.
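As an added example (not part of this guide or of the Open Risk Register tool), the following Python sketch encodes the per-supplier assessment criteria above (access scope, criticality, posture, contractual clauses, jurisdiction aside, fourth parties) into a scored, prioritised supplier register that carries the documented fields, including review dates and treatment decisions. The scoring weights, thresholds, field names and the sample suppliers are all assumptions made for illustration.

```python
import json
from dataclasses import dataclass, asdict
from datetime import date, timedelta
@dataclass
class Supplier:
    name: str
    category: str               # cloud, SaaS, MSP, software vendor, open-source, ...
    privileged_access: bool     # access scope: privileged?
    remote_access: bool         # access scope: remote?
    data_sensitivity: int       # 1 (public) .. 3 (sensitive operational data)
    criticality: int            # 1 (easy fallback) .. 3 (no fallback, slow to switch)
    certified: bool             # ISO 27001 / SOC 2 evidence held
    contract_clauses: bool      # incident notification and audit rights in contract
    unvetted_fourth_parties: bool
    last_assessed: date

def likelihood(s: Supplier) -> int:
    """1..5 likelihood of compromise via this supplier (assumed weights)."""
    return min(5, 1 + s.privileged_access + s.remote_access
                  + (not s.certified) + s.unvetted_fourth_parties)

def impact(s: Supplier) -> int:
    """1..5 impact if the supplier is compromised or unavailable."""
    return min(5, s.data_sensitivity + s.criticality - 1)

def assess(s: Supplier, today: date, review_days: int = 365) -> dict:
    """One register entry carrying the fields the guide says to document."""
    lk, im = likelihood(s), impact(s)
    risk = lk * im
    entry = asdict(s)
    entry.update(last_assessed=s.last_assessed.isoformat(),
                 next_review=(s.last_assessed + timedelta(days=review_days)).isoformat(),
                 review_overdue=(today - s.last_assessed).days > review_days,
                 contract_gap=not s.contract_clauses,
                 likelihood=lk, impact=im, risk=risk,
                 treatment="remediate" if risk >= 12 else "mitigate" if risk >= 6 else "accept")
    return entry
def risk_register(suppliers, today: date) -> list:
    """Prioritised register, highest risk first; json.dumps(...) exports it."""
    return sorted((assess(s, today) for s in suppliers), key=lambda e: -e["risk"])

# Constructed sample inventory (made-up names and dates) and assessment date.
SAMPLE = [
    Supplier("Outsourced SOC", "MSP", True, True, 3, 3, True, True, False, date(2024, 1, 15)),
    Supplier("CRM SaaS", "SaaS", False, True, 2, 2, True, False, True, date(2025, 3, 1)),
    Supplier("Logging library", "open-source", False, False, 1, 1, False, False, False, date(2025, 6, 1)),
]
TODAY = date(2025, 7, 1)
def sample_register() -> list:
    return risk_register(SAMPLE, TODAY)
```

Running `print(json.dumps(sample_register(), indent=2))` gives a JSON export in which the overdue, privileged, remote MSP sorts to the top and the SaaS vendor is flagged for missing contractual clauses.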

How Open Risk Register supports supply chain assessment

Open Risk Register’s NIST SP 800-30 workflow is designed to capture supply chain threats as first-class risk entries. You can conduct a dedicated supply chain assessment as a separate assessment within the tool, or incorporate supply chain threat sources into a broader organisational assessment.

Threat source catalogue includes supply chain actors

The built-in NIST SP 800-30 threat source catalogue includes adversarial third-party suppliers, outsourced IT providers, and software vendors. Select them directly in Step 3 of the assessment.

Document supplier-specific vulnerabilities

Record predisposing conditions related to specific suppliers — insufficient contractual controls, unvetted sub-processors, or reliance on a single critical vendor — in the Vulnerabilities step.

Produce an exportable risk register

The Results step generates a prioritised risk register with supply chain entries clearly identified. Export as JSON or PDF to share with management, auditors, or your national authority.

Assess your supply chain risks now

Free, browser-based, and aligned with NIS2 Article 21(2)(d). No sign-up required.
