NIS2 guide

NIS2 guide · 7 min

Your external security posture under NIS2: what suppliers and customers can see

Under NIS2, your customers are accountable for the security of their suppliers (Article 21(2)(d)), and they increasingly assess that risk from the outside, using only what is publicly visible: your email authentication, your certificates, and what of your infrastructure is exposed to the internet. These are the same signals an attacker sees first. This guide explains the external signals that shape how you are judged as a supplier, why each matters, and how to check and fix them.

Key takeaways

  • NIS2 pushes supplier assessment down the chain; much of it starts with your publicly visible posture.
  • The strongest signals are email spoofability (SPF/DMARC), certificate hygiene and internet-exposed systems.
  • You can see and fix most of these yourself in minutes, before a customer or an attacker does.

Why the outside view matters under NIS2

NIS2 Article 21(2)(d) makes an in-scope company responsible for the cyber risk carried by its direct suppliers. Because a buyer cannot audit every supplier in depth, the practical first pass is the external view: signals visible without any access to your systems. A weak external signal does not prove you are insecure, but it is what a customer notices, what a questionnaire is checked against, and what an attacker probes first. Getting it right is low-cost and high-signal.

Official source: NIS2 Directive on EUR-Lex — Article 21(2) (security measures) and 21(2)(d) (supply-chain security).

The external signals that shape how you are judged

None of these require access to your systems; all are visible from the public internet. They map to the measures NIS2 expects and to how attackers actually operate.

1

Email spoofability (SPF and DMARC)

If your domain publishes no SPF or DMARC record, or DMARC is set to p=none, anyone can send email that appears to come from you. This is the mechanism behind phishing and CEO-fraud (BEC), and it is trivially checkable in your public DNS.

2

TLS certificate hygiene

Expired or soon-to-expire certificates on your main services signal weak operational control and can break trust and availability. Certificate transparency logs also make your certificate history public.

3

Internet-exposed non-production and admin systems

Development, staging or admin hostnames reachable from the internet widen your attack surface and often lack production-grade hardening. They frequently surface in public certificate transparency logs.

4

Leaked credentials and breach exposure

Employee credentials exposed in public breach and infostealer datasets are a direct route in. This is external, public information an attacker can act on before you notice.

5

Web transport hardening (HSTS and headers)

Missing HSTS and related headers are minor individually, but together they indicate how consistently the basics are applied. Assessors read them as a proxy for operational maturity.

See how your suppliers actually score

7-day free trial · no credit card · cancel anytime

How to check it, and keep it right

You can check most of these yourself in minutes, with public tools and your own DNS. The harder part is keeping them right over time: a certificate expires, a new subdomain is exposed, credentials leak. Continuous external monitoring watches these signals for your own domain and for your suppliers, and maps each finding to the relevant NIS2 article, so you see and fix issues before a customer's assessment or an attacker does.

Common mistakes

  • Treating email authentication as done once SPF exists, while DMARC stays at p=none and blocks nothing.
  • Fixing the main website but leaving dev, staging or admin hosts exposed and unhardened.
  • Assuming 'we passed the questionnaire' means the external reality still matches months later.
  • Never checking what public breach data already exposes about your accounts.

See how your external posture maps to NIS2

A sample supplier report (findings, NIS2 mapping and evidence) in two minutes.

7-day free trial · no credit card · cancel anytime

Related guides

How to comply with NIS2: a step-by-step roadmap

The steps to NIS2 compliance in order: confirm scope, register, management accountability (Art. 20), the Article 21(2) measures, supply-chain security, incident reporting (Art. 23) and continuous, evidenced assurance.

Who is in scope for NIS2? Essential vs important entities, sectors and size thresholds

Determine whether NIS2 applies to you: the two tiers, the Annex I/II sectors, the size thresholds, size-independent exceptions, and how the supply chain pulls you in even if you're not designated.

NIS2 for suppliers: you're not designated, but your customers are

Most companies are never designated under NIS2, yet many must comply anyway. How a covered customer's Article 21(2)(d) supply-chain duty flows down to you, what they'll ask for, and how to respond credibly.

NIS2 and the supply chain requirement: what it means in practice

NIS2 requires essential and important entities to assess their supply chain cyber risks. Supplier tiering, 4th-party risk, Art. 23 notification, and what auditors look for.

Supplier cyber risk assessment: what automated NIS2 monitoring checks

All check categories explained: ransomware, dark web leaks, TLS/DNSSEC, cookie security, CVE/EPSS, sanctions, MX blacklists and SAQ. Finding lifecycle and NIS2 article mapping.

NIS2 Art. 21(2): supplier security checklist

Checklist for procurement and security teams: what to ask, what evidence to collect, and how to respond when a supplier falls short. Includes suggested evidence documents.

NIS2 supplier questionnaire (SAQ): what to ask, how to score it, and a free template

What to ask suppliers under Art. 21(2)(d), how to score answers and respond to gaps, why self-attestation needs verification, and a free copy-paste questionnaire template.

NIS2 incident reporting: the 24- and 72-hour deadlines explained

What counts as a significant incident, the Article 23 timeline (24-hour early warning, 72-hour notification, one-month final report), and when a supplier's incident becomes your obligation.

NIS2 and management responsibility: what boards and leadership must know

What NIS2 expects of the management body: approval and oversight duties, personal liability (Art. 20), training, board reporting KPIs, and the penalties under Art. 34.

ISO 27001 and NIS2: what your ISMS already covers, and the gaps it doesn't

If you hold ISO 27001, what carries over to NIS2 and what does not: statutory incident reporting, management liability, registration, and continuous supply-chain assurance: plus how to close the gap.

NIS2 fines and penalties: how much, who is liable, and how to avoid them

What NIS2 penalties are: the Article 34 caps (€10M / 2% for essential, €7M / 1.4% for important entities), the management body's personal liability (Art. 20, Art. 32), non-monetary enforcement, and how to avoid them with continuous, evidenced diligence.

NIS2 vs DORA: how they differ, where they overlap, and which one applies to you

How the two EU regimes differ and overlap, why DORA is lex specialis for financial entities, which applies to you, and what both mean for third-party and supply-chain risk.

GDPR vs NIS2: how they overlap, where they differ, and when one incident triggers both

How GDPR and NIS2 differ and overlap, when one incident triggers both (GDPR Art. 33 72h to the DPA vs NIS2 Art. 23 24h/72h/1-month to the CSIRT), the Art. 35 cooperation and no-double-fine rule, and what both mean for supplier due diligence.

The EU Cyber Resilience Act (CRA): scope, timeline and what it means for your supply chain

What the CRA requires, its phased dates (in force 2024, reporting Sept 2026, full compliance Dec 2027), who is in scope and why pure SaaS often isn't, how it complements NIS2, and what it means for procurement and supplier due diligence.

The EU AI Act: risk tiers, the timeline, and what deployers must do (Article 26)

What the EU AI Act requires: the risk tiers, the phased dates (in force 2024, prohibited Feb 2025, GPAI Aug 2025, high-risk Aug 2026), the Article 26 deployer obligations, how it stacks with NIS2 and the GDPR, and what it means for AI procurement.

NIS2 transposition status: which EU countries have it in force

Which of the 27 EU Member States have written NIS2 into national law and which are still finalising it, and why the gaps reach your supply chain regardless.

NIS2 supplier contract clauses: what to require from your suppliers

The contract clauses that turn NIS2's supply-chain duty into something enforceable: security baseline, incident-notification window, evidence and audit rights, subcontractor flow-down, and how to verify them continuously.

Do your suppliers use AI? NIS2 supplier risk meets the EU AI Act

Suppliers increasingly embed AI in the services you depend on, and so do their suppliers. Where supplier and nth-party AI creates risk under NIS2 Art. 21(2)(d) and the EU AI Act, what to assess, and how to keep visibility.

Vendor impersonation and CEO-fraud (BEC): email spoofing, DMARC and NIS2

One of the most common supply-chain attacks needs no breach: spoofed email that redirects a payment or steals data. How BEC and vendor impersonation work, the SPF, DKIM and DMARC settings that stop them, and how it fits NIS2 Art. 21(2)(d).

Last reviewed: 19 June 2026

This guide is general information about EU law, not legal advice. NIS2 takes effect through each EU Member State's national transposition law, which can differ in detail. Verify the obligations that apply to you with your competent authority or legal counsel.