NIS2 guide · 8 min

NIS2 supplier contract clauses: what to require from your suppliers

NIS2 makes you accountable for the cyber risk your suppliers carry (Article 21(2)(d)), and you cannot outsource that accountability. The contract is where the duty becomes real: it is what lets you ask for evidence, get told about incidents in time to meet your own reporting deadlines, and hold a supplier to a security baseline. This is a practical checklist of the clauses that matter, why each one exists, and how to make them enforceable rather than decorative.

Key takeaways

  • The supply-chain duty is yours; the contract is how you discharge it down the chain.
  • Notification timing is the clause that protects your own Article 23 deadlines.
  • A signed clause is not assurance: pair it with a way to verify the supplier continuously.

Why contract clauses, not just a questionnaire

A questionnaire captures a supplier's claims on a single day. A contract creates obligations you can act on: a baseline they must meet, a duty to tell you when something breaks, and a right to check. NIS2 Article 21(2)(d) expects you to manage the security of the relationship with your direct suppliers and service providers, and under Article 23 a significant incident at a supplier that affects your service becomes your incident to report, on your clock. Neither works on goodwill alone; both need to be written down.

Official source: NIS2 Directive (Directive (EU) 2022/2555) on EUR-Lex — Article 21(2)(d) (supply-chain measures) and Article 23 (incident reporting).

The clauses to include

Adapt the wording to your sector and counsel, but cover each of these. They map directly to the measures NIS2 expects and to the deadlines it imposes.

1. Security baseline mapped to NIS2 measures

Require the supplier to maintain the Article 21(2) measures relevant to the service: risk analysis and security policies, incident handling, access control and MFA, encryption, secure development and vulnerability handling, patching, and tested backups and continuity plans. Cite the measures (or the clause numbers of a named standard the supplier holds) so the standard is objective and auditable, not a vague 'industry best practice'.

2. Incident notification window

Set a hard deadline for the supplier to notify you of any security incident affecting your service, measured from when the supplier detects it, not from when it finishes its own investigation. Commonly 24 hours, but shorter is better: your own Article 23 clock starts when you become aware, and you still need time to triage before sending the 24-hour early warning and the 72-hour incident notification. Name a contact who answers out of hours and specify the minimum content of the notice, aligned with what your early warning must contain: what happened and when, which of your services and data are affected, whether the incident is suspected to be unlawful or malicious, whether it is contained, and a point of contact for updates.

3. Right to request evidence and to audit

Reserve the right to request evidence of the controls (certifications together with their scope statements, penetration-test summaries, vulnerability-scan output, backup-restore test records) on a defined cadence and on request after an incident, and, for higher-risk suppliers, to audit or commission an independent assessment. Check the scope: a certificate that excludes the systems serving you proves nothing about them. Without this clause, 'we are secure' is an unverifiable claim.

4. Subcontractor (fourth-party) flow-down

Require the supplier to flow down equivalent security and notification obligations to its own subcontractors, to disclose those that materially process your data or support the service, and to tell you before it adds or replaces one. Your risk does not stop at your direct supplier, and neither does an incident.

5. Vulnerability and patching commitments

Define remediation timelines for vulnerabilities on the systems that serve you, with severity defined objectively (for example a CVSS rating or listing in a known-exploited-vulnerabilities catalogue) rather than left to the supplier's judgement, shorter deadlines for actively exploited flaws, and an obligation to tell you, with the compensating controls in place, when a relevant vulnerability cannot be fixed in time.

6. Data location and sub-processor transparency

Require disclosure of where your data is processed and stored and which sub-processors are used, with advance notice before material changes (a new region, a new sub-processor) and a right to object. This supports both your NIS2 supply-chain view and your GDPR obligations.

7. Cooperation, remediation and step-in

Oblige the supplier to cooperate with your incident response, your CSIRT and any competent authority, to remediate findings within agreed timeframes, and give yourself graduated remedies if it does not: a remediation plan, escalation to named executives, for critical services a step-in right to direct remediation or bring in a third party, and ultimately termination.

8. Survival and return of data on exit

Ensure confidentiality, the evidence and notification obligations, and secure return or deletion of your data (with written confirmation of deletion) survive termination, and that any access the supplier holds into your environment is revoked at exit, so a departing supplier that still holds your data or credentials cannot become an unmonitored exposure.

Sign it, then verify it continuously

A contract clause sets the obligation; it does not tell you whether the supplier is actually meeting it today. The gap between the signature and reality is where supply-chain incidents happen. Pair the clauses with continuous, external monitoring of each supplier's posture so that when something drifts (an expiring certificate, leaked credentials, a newly exposed service, a lapsed certification) you see it and can invoke the clause, rather than learning about it from the breach notification. Record each drift event with its date and the clause it engages, so that when you escalate or invoke a remedy you have a dated evidence trail rather than an argument.

Common mistakes

  • A vague 'appropriate security measures' standard with nothing objective to enforce.
  • No notification deadline, so you learn of a supplier incident late, with little or none of your own 24-hour early-warning window left to triage and report.
  • Clauses that stop at the direct supplier and ignore subcontractors.
  • Signing once and never verifying, treating the contract as the end of diligence rather than the start.

Related guides

How to comply with NIS2: a step-by-step roadmap

The steps to NIS2 compliance in order: confirm scope, register, management accountability (Art. 20), the Article 21(2) measures, supply-chain security, incident reporting (Art. 23) and continuous, evidenced assurance.

Who is in scope for NIS2? Essential vs important entities, sectors and size thresholds

Determine whether NIS2 applies to you: the two tiers, the Annex I/II sectors, the size thresholds, size-independent exceptions, and how the supply chain pulls you in even if you're not designated.

NIS2 for suppliers: you're not designated, but your customers are

Most companies are never designated under NIS2, yet many must comply anyway. How a covered customer's Article 21(2)(d) supply-chain duty flows down to you, what they'll ask for, and how to respond credibly.

NIS2 and the supply chain requirement: what it means in practice

NIS2 requires essential and important entities to assess their supply chain cyber risks. Supplier tiering, 4th-party risk, Art. 23 notification, and what auditors look for.

Supplier cyber risk assessment: what automated NIS2 monitoring checks

All check categories explained: ransomware, dark web leaks, TLS/DNSSEC, cookie security, CVE/EPSS, sanctions, MX blacklists and SAQ. Finding lifecycle and NIS2 article mapping.

NIS2 Art. 21(2): supplier security checklist

Checklist for procurement and security teams: what to ask, what evidence to collect, and how to respond when a supplier falls short. Includes suggested evidence documents.

NIS2 supplier questionnaire (SAQ): what to ask, how to score it, and a free template

What to ask suppliers under Art. 21(2)(d), how to score answers and respond to gaps, why self-attestation needs verification, and a free copy-paste questionnaire template.

NIS2 incident reporting: the 24- and 72-hour deadlines explained

What counts as a significant incident, the Article 23 timeline (24-hour early warning, 72-hour notification, one-month final report), and when a supplier's incident becomes your obligation.

NIS2 and management responsibility: what boards and leadership must know

What NIS2 expects of the management body: approval and oversight duties, personal liability (Art. 20), training, board reporting KPIs, and the penalties under Art. 34.

ISO 27001 and NIS2: what your ISMS already covers, and the gaps it doesn't

If you hold ISO 27001, what carries over to NIS2 and what does not: statutory incident reporting, management liability, registration, and continuous supply-chain assurance: plus how to close the gap.

NIS2 fines and penalties: how much, who is liable, and how to avoid them

What NIS2 penalties are: the Article 34 caps (€10M / 2% for essential, €7M / 1.4% for important entities), the management body's personal liability (Art. 20, Art. 32), non-monetary enforcement, and how to avoid them with continuous, evidenced diligence.

NIS2 vs DORA: how they differ, where they overlap, and which one applies to you

How the two EU regimes differ and overlap, why DORA is lex specialis for financial entities, which applies to you, and what both mean for third-party and supply-chain risk.

GDPR vs NIS2: how they overlap, where they differ, and when one incident triggers both

How GDPR and NIS2 differ and overlap, when one incident triggers both (GDPR Art. 33 72h to the DPA vs NIS2 Art. 23 24h/72h/1-month to the CSIRT), the Art. 35 cooperation and no-double-fine rule, and what both mean for supplier due diligence.

The EU Cyber Resilience Act (CRA): scope, timeline and what it means for your supply chain

What the CRA requires, its phased dates (in force 2024, reporting Sept 2026, full compliance Dec 2027), who is in scope and why pure SaaS often isn't, how it complements NIS2, and what it means for procurement and supplier due diligence.

The EU AI Act: risk tiers, the timeline, and what deployers must do (Article 26)

What the EU AI Act requires: the risk tiers, the phased dates (in force 2024, prohibited Feb 2025, GPAI Aug 2025, high-risk Aug 2026), the Article 26 deployer obligations, how it stacks with NIS2 and the GDPR, and what it means for AI procurement.

NIS2 transposition status: which EU countries have it in force

Which of the 27 EU Member States have written NIS2 into national law and which are still finalising it, and why the gaps reach your supply chain regardless.

Last reviewed: 19 June 2026

This guide is general information about EU law, not legal advice. NIS2 takes effect through each EU Member State's national transposition law, which can differ in detail. Verify the obligations that apply to you with your competent authority or legal counsel.