Skip to content
Background Banner
(untitled)
NIS2July 15, 2026 · Iulian Bozdoghina (Lead Auditor and Consultant) · 5 min read

NIS2 Supply Chain Requirements: What Suppliers Outside the Scope Still Owe

NIS2 flow-down explained: why customers send the questionnaire, the five standard contract clauses, and how to answer with evidence you already hold.

Iulian Bozdoghina
Iulian BozdoghinaLead Auditor and Consultant

Executive Summary

NIS2 supply chain requirements come from Article 21(2)(d) of Directive (EU) 2022/2555, which obliges every regulated entity to manage the security of its relationships with direct suppliers and service providers. The directive does not regulate most suppliers directly. It regulates their customers, and those customers pass the obligations down by contract. If your company received an NIS2 questionnaire or a contract addendum with cybersecurity clauses, that is the mechanism at work: your customer is supervised by a national authority, and you are supervised by your customer. This article explains what the law makes your customers demand, the five clauses you will see in the paperwork, and how to respond using evidence you may already hold, including a TISAX® label or an ISO 27001 certificate.

Why NIS2 clauses are landing in your contracts

The short answer: your customer has no choice. An entity in NIS2 scope must implement supply chain security measures or face fines of at least €10 million or 2% of global turnover for essential entities, and €7 million or 1.4% for important ones. Passing requirements to suppliers isn't the customer being difficult. It's the customer complying.

Enforcement has teeth now. Germany's implementation act, the NIS2UmsuCG, has been in force since 6 December 2025 with no transition period, and the BSI registration deadline of 3 March 2026 has already passed for roughly 29,000 German entities. At EU level, the European Commission escalated in July 2026, referring Ireland, Spain, France and the Netherlands to the Court of Justice for failing to transpose the directive, with financial penalties requested. Around 20 of 27 member states have completed transposition, and the Commission's transposition tracker shows the rest closing in. The Netherlands adopted its Cyberbeveiligingswet on 7 July 2026, in force from 15 August.

Regulated entities spent 2025 registering and building their own compliance. In 2026 they are working through their supplier lists. That is why the questionnaires started arriving.

One distinction matters before anything else. If your company itself meets the NIS2 size and sector thresholds, you are in scope directly and flow-down clauses are the least of your concerns; our guide to the essential entity criteria walks through that two-axis test. Everything below assumes you sit outside the direct scope.

What Article 21(2)(d) makes your customers demand

Article 21(2)(d) of the NIS2 Directive requires in-scope entities to address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." The recitals add that entities should assess the overall quality and resilience of products and services, the cybersecurity practices embedded in them, and the security posture of the suppliers themselves.

In practice, your customer has to do four things: assess the risk each supplier represents, bind suppliers contractually to a security baseline, monitor whether suppliers keep meeting it, and plan for a supplier failing. You will feel each of those four as a document: a risk questionnaire, a contract addendum, a request for periodic evidence, and questions about your continuity planning.

Not every supplier gets the full treatment. Customers triage, and the common test for a critical supplier asks three questions:

  • System access. Does this supplier connect to or access our IT or OT systems?
  • Data access. Does this supplier process or hold our confidential data?
  • Availability impact. Would this supplier's failure disrupt our regulated service?

Meet one criterion and you're likely classified as critical, which means the detailed questionnaire, the contract clauses, and recurring reviews. Meet none and you may only see a light self-declaration. If you deliver IT services, software, engineering data, or anything with a network connection into a regulated customer, assume you are in the first group.

The five clauses you will see in the addendum

Contract language varies, but the substance has converged. In the flow-down paperwork we review, the same five clauses appear again and again:

  1. Security baseline. You commit to technical and organisational measures aligned with Article 21(2) or a recognised standard, most often ISO 27001. Some addenda enumerate the ten Article 21 measure categories directly.
  2. Incident notification. You must notify the customer of security incidents affecting their data or service, typically within 24 to 72 hours. The 24-hour window is becoming the German market standard because it mirrors the customer's own early-warning deadline to the authority.
  3. Audit and evidence rights. The customer may request certificates, assessment reports, or in stricter versions perform audits, on-site or remote.
  4. Subcontractor flow-down. You must impose equivalent obligations on your own subcontractors, which is how the requirements cascade through entire supply chains.
  5. Termination and exit. Security failures become grounds for termination, with obligations to return or destroy data.

None of this makes you NIS2-regulated. The national authority will never audit you, and the statutory fines can't reach you. Your exposure is contractual: sign the clauses unread and you carry obligations without limits; breach them and you face damages or a lost customer rather than a regulator.

How to respond without buying a programme you don't owe

Lead with what you have, not with what the addendum asks for. The pattern we see across supplier engagements is that companies either sign flow-down clauses unread, which stores up liability, or panic and scope a full NIS2 programme they aren't legally required to run. Both waste money. The middle path has four steps.

Our TISAX® and ISO 27001 experts help European automotive suppliers achieve compliance within 95 days.

First, inventory your evidence. An ISO 27001 certificate, a TISAX label, documented policies, awareness training records, and a tested incident response plan answer most questionnaire sections outright. Map what you have before you write a single answer.

Second, negotiate the notification clause before signing. A blanket "24 hours from occurrence" is often not realistic for a small supplier to operate. Push for "24 hours from becoming aware, for incidents affecting the customer's data or services." Customers accept this because it mirrors the directive's own wording about awareness.

Third, bound the audit right. Offer certificates and independent assessment reports as the default evidence, with on-site audits reserved for cause. If you hold a current label or certificate, most customers take it.

Fourth, document your risk position. A short, structured risk assessment covering the systems you use for customer work, with treatment decisions, satisfies the due diligence question and takes days, not months. It is also the artifact that turns the next customer's questionnaire from a project into an afternoon.

There is a commercial upside hiding in the paperwork. Buyers are consolidating toward suppliers who can evidence security without friction. Answering a questionnaire in two days with attachments, while a competitor takes six weeks and a lawyer, is a sales advantage that compounds with every regulated customer you serve.

The German picture: §30 BSIG and the 24-hour clause

Germany transposed the supply chain measure into §30 of the amended BSIG, and the BSI has published dedicated supply chain guidance for regulated companies in its NIS-2 information packages. Two German specifics are worth knowing even if your customers sit elsewhere in the EU, because German automotive and industrial buyers export their contract templates across their supplier base.

The first is the 24-hour incident notification clause discussed above, now common in German addenda. The second is management liability: the NIS2UmsuCG makes managing directors of regulated entities personally responsible for approving and overseeing the risk measures, supply chain included. A Geschäftsführer who can be held personally liable for supplier risk does not treat supplier questionnaires as a formality, which explains the level of detail arriving in German paperwork this year.

Already hold a TISAX label or ISO 27001 certificate? Start there

Both are strong currency in an NIS2 questionnaire, with different reach. ISO 27001 is the standard most flow-down clauses name explicitly; a current certificate plus your Statement of Applicability answers the baseline clause in most contracts on the spot. A TISAX label covers a large share of the Article 21 measure catalogue too. The ENX Association's own expert opinion maps the overlap, and we have broken that mapping down, including the five areas a label does not cover, in our guide to TISAX and NIS2 compliance. For suppliers holding both, the ISO 27001 to TISAX control mapping shows how far one evidence set stretches across frameworks.

What neither covers: customer-specific notification routes, subcontractor flow-down in your own supplier contracts, and the exit obligations. Those three remain contract work regardless of your certification status.

If NIS2 flow-down requirements have reached your contracts and you want the response mapped to evidence you already hold rather than built from zero, talk to us about a structured NIS2 supplier readiness review. We do this for suppliers across the automotive and industrial supply chain, and the first conversation establishes scope, not an invoice.

FAQ

Is my company subject to NIS2 if my customer is?

Not automatically. NIS2 applies to entities meeting its own sector and size thresholds. Supplying a regulated entity does not put you in scope, but your customer is legally required to impose security requirements on you by contract, so you meet NIS2 obligations indirectly.

Can we refuse to sign NIS2 clauses in a customer contract?

You can negotiate, and you should, especially notification deadlines and audit rights. Outright refusal is usually commercial self-harm: your customer cannot waive the requirement, so they will find a supplier who signs.

Does ISO 27001 certification make us NIS2 compliant as a supplier?

It covers the substance of most flow-down security baselines and is the standard most contracts reference. It does not cover customer-specific notification routes or the flow-down obligations to your own subcontractors. Certificate first, contract review second.

What does a NIS2 supplier questionnaire typically ask?

Governance and policies, risk assessment practice, access control, incident response and notification capability, business continuity, subcontractor management, and certifications held. Structured evidence for those seven areas answers most questionnaires on the market.

What happens if we breach an NIS2 clause in a contract?

Contractual consequences, not regulatory ones: damages, termination rights, and in practice removal from the approved supplier list. The statutory NIS2 fines apply only to the regulated customer.

This article describes the rules and contract practice as of July 2026 and is not legal advice. Contract specifics belong with your counsel.

Iulian Bozdoghina

"Iulian Bozdoghina is a veteran cybersecurity strategist with over 15 years of experience in securing automotive supply chains and critical infrastructure. He specializes in TISAX®, ISO 27001, and the emerging NIS2/DORA regulatory landscape."

ISO 27001 Lead AuditorTISAX® SpecialistISO14001 AuditorISO42001 Auditor

Ready to get certified?

Book your free gap assessment today. Our experts will map your current posture against your target framework and give you a clear, honest roadmap to certification.

Book Free Gap Assessment

No commitment required • GDPR compliant • Strategy confirmed via secure link

Related Articles

Continue reading about similar cybersecurity and compliance topics.