Operational Trust

FN-002 · May 2026 · 8 min read

What NIS2 actually requires of your suppliers

NIS2 · Regulation

NIS2 has generated a significant volume of guidance, commentary, and concern since it entered into force in January 2023. A lot of that commentary focuses on large enterprises — the essential and important entities directly in scope.

Less attention has been paid to what NIS2 means for the suppliers of those entities. That is where most SMEs sit — and it is where the practical impact is being felt.

The supply chain obligation

Article 21 of NIS2 sets out security measures that entities must implement. Paragraph 2(d) specifically requires measures addressing supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.

This is not optional. Entities in scope must assess and manage supply chain risks. That means they must assess their suppliers.

The assessment does not need to be exhaustive for every supplier. It does need to be proportionate and documented. For critical or significant suppliers, that typically means a structured assessment — not just a tick-box questionnaire.

What your enterprise clients are asking for

In practice, NIS2-affected organisations are translating this obligation into supplier questionnaires, contract addenda, and — increasingly — requests for independent assessment reports.

The questionnaires vary in quality. Some are well-structured. Some are a list of yes/no questions that are difficult to answer meaningfully. In all cases, the underlying question is the same: can you demonstrate that your organisation has thought seriously about what happens when things go wrong?

A written report from an independent operational resilience review is the most credible response to that question. It is structured, evidence-based, and signed off by a named reviewer — not a self-assessment form.

What "in scope" means for an SME supplier

Your organisation does not need to be directly regulated under NIS2 to be affected by it. If you provide:

  • IT or managed services to a NIS2-affected entity
  • Professional services that are critical to their operations
  • Logistics, print, or fulfilment services they depend on
  • Any function they could not easily replace in the short term

— then you are in their supply chain, and they are obliged to assess you.

Whether they currently have the maturity to do that well is a separate question. Many do not. But the obligation exists, and it is only being enforced more actively as member states implement the directive.

What good looks like

From a NIS2 perspective, what enterprise clients are looking for in a supplier assessment is:

  • Evidence that you have a business continuity plan — even a simple one
  • Evidence that you have thought about your own supplier dependencies
  • Named incident response ownership
  • Some documented process for handling a significant disruption
  • Willingness to engage with the assessment process seriously

None of this requires a large programme of work. It requires a structured conversation, some documentation, and the discipline to keep it current.

That is what the Operational Trust Review is designed to produce — for SMEs that need to demonstrate readiness without the overhead of an enterprise compliance programme.

The regulatory note: this is a plain-language overview, not legal advice. NIS2 obligations vary by sector, member state, and entity classification. Consult your legal adviser for definitive guidance.

Operational Trust · Lead Reviewer · May 2026


