Most enterprise teams in scope for NIS2 are working through a familiar checklist. Incident response procedures. Risk management policies. MFA rollout. The 24-hour reporting workflow. These are the visible obligations, the ones that appear in every compliance briefing and vendor presentation.
Supply chain security sits in Article 21 of the directive alongside these requirements. It does not get the same room in the conversation. That is a problem, because it is the one clause that reaches beyond your own perimeter and makes the compliance posture of your vendors your legal responsibility.
The gap is measurable. When Germany's NIS2 registration deadline closed on March 6, 2026, the Federal Office for Information Security had received filings from roughly 11,500 of an estimated 29,500 obligated companies, a registration rate of 38.5 percent. Among the organizations that did register, the most commonly cited compliance challenge in post-registration assessments was not incident reporting or access controls. It was supply chain obligations and vendor documentation. The majority of affected organizations either did not understand what the supply chain clause requires, or understood it and had no practical path to meeting it on their current vendor architecture.
What Article 21(2)(d) Actually Says
The directive is precise. Article 21(2)(d) requires essential and important entities to implement measures addressing "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."
Article 21(3) goes further. It specifies that when implementing these measures, entities must take into account "the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures."
Read together, these provisions create a two-layer obligation. The first layer is contractual and procedural: you need documented security requirements in your vendor relationships, with defined notification timelines and evidence of cybersecurity posture. The second layer is analytical: you need to assess each vendor individually, considering their specific vulnerabilities and the quality of how they develop and maintain their products. A generic vendor questionnaire completed at onboarding does not satisfy either layer under active regulatory scrutiny.
The obligation is not theoretical. In Germany, the NIS2 Implementation Act entered into force on December 6, 2025 with no transition period. Supply chain security requirements apply immediately to approximately 30,000 organizations. The BSI has confirmed it will conduct active audits beginning in 2026, and documentation must be ready for inspection, not assembled after the fact.
The Vendor You Depend On Most Is Your Biggest Gap
For most enterprises in scope for NIS2, the most operationally critical vendor is also the hardest one to assess. That is almost always the ERP system.
ERP platforms sit at the center of financial operations, procurement, logistics, manufacturing, and reporting. They hold more sensitive business data than almost any other system in the organization. They are integrated with dozens of upstream and downstream data flows. And in a significant number of European enterprises, the version currently running is either approaching vendor end-of-life, is already past it, or is operated by a vendor whose security development practices have not been formally reviewed since the system was implemented. The broader challenge of modernizing legacy enterprise infrastructure is pressing enough without a compliance deadline attached. With NIS2 supply chain obligations now active, the urgency compounds.
NIS2 Article 21(3) requires organizations to assess the "secure development procedures" of their suppliers. When a vendor is no longer actively maintaining the version you run, that assessment produces a specific finding: the vendor has no current secure development procedures for your system, because development for your version has ended. That is not a paperwork gap. It is a substantive compliance gap that auditors will identify, and the compensating controls required to address it are significant.
The challenge of keeping legacy enterprise systems compliant under new regulatory frameworks is well documented. As Marka Development's analysis of NIS2 and legacy ERP architectures notes, systems that cannot receive regular security patches because of vendor end-of-life, customization depth, or compatibility constraints require documented compensating controls. Those compensating controls must be verifiable by auditors. When the same system is also your primary NIS2 supply chain risk under Article 21, the documentation burden compounds.
SaaS Is Not Exempt from the Chain
A common assumption in organizations that have moved workloads to cloud and SaaS providers is that this shift reduces their NIS2 supply chain obligations. It does not. It restructures them and, in some ways, makes them more complex.
A SaaS provider that processes your business data is a direct supplier under Article 21. The NIS2 obligation requires you to assess their cybersecurity posture, ensure your contract includes security requirements and breach notification commitments, and maintain documentation that you have done this. The fact that the provider handles security internally does not transfer your compliance obligation. It means your compliance obligation depends on obtaining adequate evidence of what they are doing.
Among the organizations that registered in Germany by the March deadline, the SaaS vendor relationship was the most frequently underestimated aspect of supply chain compliance. Many organizations had dozens of SaaS tools in operational use, no centralized inventory of which ones process business-critical or sensitive data, and no contractual security clauses in agreements that were signed before NIS2 entered into force. Building that inventory, renegotiating or supplementing contracts, and obtaining vendor evidence documentation is a project measured in months. Organizations that have not started it are accumulating audit exposure with each quarter.
The Scale of the Threat Makes This Non-Optional
Part of why Article 21's supply chain requirements exist is that the threat they address is well documented and growing. ENISA's NIS2 Threat Landscape 2025 report places supply chain compromise among the top risks across energy, transport, finance, public administration, and manufacturing. The report specifically highlights a rise in attacks targeting software vendors, cloud integrators, and managed service providers, which are exactly the supplier categories that most NIS2-regulated organizations rely on most heavily.
The underlying pattern is straightforward. A regulated organization may have strong internal controls. But those controls protect the perimeter of the organization's own systems. As one recent breakdown of 2026 cybersecurity trends noted, the dominant shift in the threat landscape is that attackers increasingly enter through trusted relationships rather than external penetration. An attacker who compromises a trusted vendor, particularly one with legitimate and often privileged access to internal systems, enters through a different door. The organization's internal controls do not stop an attack that arrives through a vendor channel, because the vendor channel is, by design, trusted.
This threat model is not new. What NIS2 does is translate it into a legal obligation with financial consequences. It is not sufficient to have good internal security if your vendor relationships are not assessed and documented to an auditable standard. The directive treats the gap between internal controls and vendor risk as a compliance failure, not just an operational risk.
What Auditors Will Actually Look For
Understanding what counts as sufficient compliance under Article 21's supply chain requirements requires thinking about what an auditor would examine, not just what a policy document would say.
An auditor conducting a NIS2 supply chain assessment is looking for evidence, not intentions. Specifically, they will want to see a current inventory of direct suppliers and service providers with access to your network and information systems. They will look for risk classifications of those vendors based on their criticality and access level. They will want to see vendor contracts that include defined security requirements, breach notification commitments, and your rights to obtain evidence of cybersecurity posture. They will examine whether you have assessed each vendor's specific vulnerabilities, including any known CVEs affecting software they supply to you and any end-of-life status for products you run. And they will look for a process that makes this assessment ongoing rather than a one-time exercise.
The last point is important. Article 21's supply chain obligation is framed as a continuous risk management requirement, not a point-in-time audit. A vendor that met your security requirements when assessed eighteen months ago may no longer meet them today, particularly if they have had a breach, changed their security practices, or moved a product to end-of-life. Compliance documentation needs to reflect current vendor posture, and the process for keeping it current needs to be demonstrated.
Most organizations currently have something far short of this. The typical vendor risk program involves an onboarding questionnaire, an annual renewal if the vendor is flagged as high-priority, and a file of responses that are not independently verified. That approach was adequate under previous regulatory expectations. It is not adequate under NIS2.
The Indirect Scope Problem
Article 21's supply chain requirements create an obligation that extends beyond organizations directly classified as essential or important entities. Any supplier that provides products or services to a NIS2-regulated organization will increasingly face pressure to demonstrate their own cybersecurity posture as part of their customers' compliance programs.
This is the indirect scope of NIS2. An SME that is not itself required to comply with the directive may find that its largest customers are now required to assess it, and that customers who cannot obtain adequate security evidence will either require significant contractual changes or terminate the relationship. For suppliers operating in sectors where their customers are predominantly NIS2-regulated, this amounts to de facto compliance pressure even without direct legal obligation.
Italy's National Cybersecurity Agency formalized part of this dynamic in April 2026 with Determination No. 127437/2026, which introduced a formal definition of "relevant supplier" and created a reporting obligation within the agency's compliance framework. Other member states are developing similar mechanisms. The indirect scope of NIS2 is not theoretical; it is becoming operational across European supply chains.
A Realistic Starting Point
The gap between what Article 21 requires and what most organizations currently have is significant. Closing it entirely before an audit requires a structured program that most organizations have not yet started. But there is a realistic starting sequence that addresses the highest exposure areas first.
The first step is inventory. You cannot manage supply chain risk you have not mapped. That means a current, complete list of every direct supplier and service provider with access to your network, information systems, or the data they process. For most enterprises, this inventory does not exist in a form that reflects current operational reality. Building it reveals the scope of the problem in concrete terms.
The second step is classification. Not all vendors create equal exposure under Article 21. A vendor with privileged access to your ERP or core infrastructure is a different risk category from a vendor providing a peripheral communication tool. Prioritizing your assessment and contractual remediation work by criticality is how you allocate limited capacity to the highest compliance exposure.
The third step is contractual alignment. Existing vendor agreements, particularly those signed before 2024, almost certainly do not contain the security requirements, notification commitments, and evidence rights that NIS2 demands. Many of these agreements require renegotiation or supplementary clauses. That process takes time and requires vendor cooperation. Starting it before an audit is announced is the only way to complete it on a timeline that matters.
The fourth step is evidence collection and maintenance. Once vendor assessments and contractual terms are in place, the ongoing obligation is to keep them current. That means a documented process for periodic reassessment, triggered reviews when vendors have incidents or change their security posture, and a central evidence repository that can be produced on regulatory request.
None of this is technically complex. All of it requires organizational attention and sustained effort. The organizations that are most exposed going into the first active NIS2 audit cycle are not the ones that misunderstood the directive. They are the ones that understood it, prioritized other obligations, and assumed supply chain documentation could wait.
The regulators reviewing compliance in 2026 have a different view of how long that can wait.