For suppliers under scrutiny

If you supply technology, professional services, logistics, or operational functions to organisations in NIS2-affected sectors, you are likely being assessed. Procurement teams are sending questionnaires. Legal teams are adding contract clauses.

Most SMEs are not prepared for the level of documentation these assessments require. An Operational Trust Review produces the evidence you need — in the format enterprise procurement teams expect.

The written report from a Review is structured to be shared directly with an enterprise client as evidence of due diligence. It covers supplier dependency, incident response, decision authority, SOP coverage, and regulatory posture.

Northgate Print & Mail Ltd
SOP-T-05 · Supplier assessment sample · Fictional example
Assessed

Print fulfilment supplier. Critical path dependency for monthly client communications. Single-site operation. No documented BCP identified at assessment.

Risk level: Medium
BCP: None
Alt. supplier: Yes

Illustrative sample. Not a real assessment.

What NIS2 requires

The NIS2 Directive (EU 2022/2555) requires organisations in essential and important sectors to implement risk management measures and assess the security of their supply chains.

Article 21 specifically requires measures addressing supply chain security — including the relationships between each entity and its direct suppliers or service providers.

This does not mean your SME needs to be NIS2 certified. It means your enterprise clients need to demonstrate they have assessed your resilience posture — and they will ask you to provide evidence.

Regulatory note

This is a plain-language overview of NIS2 supply chain requirements. It is not legal advice. Regulatory obligations vary by sector, member state, and entity classification. Consult your legal adviser for definitive guidance on your obligations.

NIS2 covered sectors

Energy: Electricity, oil, gas, district heating
Transport: Air, rail, water, road, urban transport
Banking: Credit institutions
Financial market infrastructure: Trading venues, CCPs
Health: Hospitals, labs, pharma, medical devices
Drinking water: Supply and distribution
Waste water: Collection and treatment
Digital infrastructure: IXPs, DNS, TLD registries, cloud, datacentres
ICT service management: B2B managed service providers
Public administration: Central and regional government
Space: Ground-based infrastructure operators
Important sectors: Post, waste, chemicals, food, manufacturing, digital providers, research

For enterprise buyers

NIS2 requires you to assess your supply chain. For large enterprises with hundreds of suppliers, that is a significant programme of work. For critical or high-value suppliers, a structured independent review is the most credible form of evidence.

We work with enterprise procurement and legal teams to design supplier assessment programmes — defining criteria, structuring questionnaires, and reviewing the output from key suppliers.


Supplier Readiness Passport

A structured, portable document that a supplier completes once and shares with multiple enterprise clients. Reduces duplication, standardises evidence, and provides a consistent format that procurement teams can rely on.

Coming 2026–27

Register interest and we will notify you when the Passport programme opens.