NIS2 supply-chain security: what Article 21 expects
Your security is only as strong as your suppliers'. NIS2 makes that explicit. Here's what supply-chain security actually requires.
Why supply chain is in NIS2
Some of the most damaging incidents in recent years entered through a trusted supplier or a piece of widely used software. NIS2 responds by making supply-chain security one of the ten Article 21 measures: you're expected to manage the risk your suppliers and service providers introduce, not just your own perimeter.
What you're expected to do
- Assess the security posture of direct suppliers and service providers.
- Account for the quality and resilience of the products and services they provide.
- Factor in the results of EU-coordinated security risk assessments of critical supply chains.
- Reflect supplier risk in contracts and ongoing monitoring, not just at onboarding.
The hard part: knowing what connects to what
You can't assess supplier risk you can't see. Most organisations underestimate how many third-party services, integrations and dependencies touch their critical systems, and the map changes constantly.
How Alexus helps
Alexus maintains a live operational graph of your systems and their dependencies, including third-party integrations, so supply-chain exposure is mapped rather than assumed. When a supplier-related incident hits, the blast radius is already visible. This article is general guidance, not legal advice.