NIS2 Compliance for Suppliers
Your company may not fall under NIS2 directly, but your customers do. And they will require you to prove cybersecurity compliance.
Why small suppliers are affected by NIS2
NIS2 (Art. 21(2)(d) NIS-2, transposed in Section 30(2)(4) BSIG) explicitly requires regulated companies to secure their entire supply chain. This means every essential and important entity (BSI estimates put the German cohort in the range of roughly 29,500) must contractually require cybersecurity standards from their suppliers.
If your company has fewer than 50 employees or falls below the revenue thresholds, you are not directly regulated by NIS2. But if you provide IT services, software, components, logistics, or any other service to a company that is regulated, you will face NIS2 requirements through your contracts.
This is not theoretical. Large companies are already updating their procurement terms, adding cybersecurity clauses, and requesting compliance evidence from suppliers. Companies that cannot demonstrate adequate security measures risk losing contracts to competitors who can.
Section 30(2) No. 4 BSIG: Supply chain security
Regulated entities must ensure "security of the supply chain, including security-related aspects of the relationships with direct suppliers" (Section 30(2)(4) BSIG, transposing Art. 21(2)(d) NIS-2). This obligation flows down contractually to every supplier in the chain.
Contractual requirements
NIS2-regulated companies must include cybersecurity requirements in supplier contracts. Expect new clauses covering risk management, incident reporting, and access controls. Existing contracts will be renegotiated.
Supplier audits and questionnaires
Your customers will send security questionnaires and may conduct audits. Companies that use nisd2.eu can generate compliance evidence instantly: those without a system scramble for weeks.
Incident notification obligations
If a security incident at your company affects a NIS2-regulated customer, they must send an early warning to the BSI within 24 hours (with full notification within 72 hours and a final report within one month, Section 32 BSIG). They need you to have working incident detection and reporting processes in place.
Competitive advantage
When a regulated company chooses between two suppliers and one can demonstrate NIS2-aligned security while the other cannot: the choice is obvious. Compliance becomes a sales differentiator.
Cyber insurance requirements
Cyber insurers increasingly require supply chain security evidence. Your customers' insurance policies may mandate that their suppliers meet minimum cybersecurity standards.
Risk assessment
Identify and document risks to the systems you use for customer work. This doesn't need to be complex: a structured list of risks with treatment plans is enough.
Access control
Who can access customer data and systems? Role-based access, MFA for remote access, and documented user management.
Incident handling
A documented process for detecting, responding to, and reporting security incidents. Your customer needs to know within hours, not weeks.
Business continuity
What happens if your systems go down? Backup strategy, recovery procedures, and tested plans to continue delivering to your customers.
Policies and evidence
Written security policies, training records, and an audit trail proving you follow your own rules. This is what auditors actually check.
Check your exposure
Use our free applicability check to confirm your NIS2 status. Even if you're not directly in scope, identify which of your customers are NIS2-regulated: those contracts will come with new requirements.
Run a gap assessment
Compare your current security practices against the 10 measures in Section 30 BSIG. Most small companies already do some of this informally: the gap is usually documentation, not practice.
Implement the basics
Start with the highest-impact items: access control, backup strategy, incident response process. The nisd2.eu platform walks you through each requirement with pre-built templates.
Build your evidence package
When your customer sends a security questionnaire, you need answers ready. Policies, training records, risk assessments, and technical measures: all documented and exportable.
Review annually
NIS2 compliance is not a one-time project. Schedule an annual review of your risks, update your policies, and refresh employee training. The platform tracks deadlines automatically.
Frequently asked questions
Am I legally required to comply with NIS2 as a small supplier?
Not directly: NIS2 applies to companies above the EU medium-enterprise threshold (50+ employees OR (over EUR 10M turnover AND over EUR 10M balance sheet total), per Commission Recommendation 2003/361/EC) in a regulated sector. However, your NIS2-regulated customers are legally required to secure their supply chain (Section 30(2)(4) BSIG, transposing Art. 21(2)(d) NIS-2). This creates a contractual obligation that flows down to you. You will not be fined by the BSI, but you may lose contracts.
What happens if I don't comply?
Your NIS2-regulated customers face fines of up to EUR 10M / 2% of global annual turnover (essential entities) or EUR 7M / 1.4% (important entities) if they fail to meet their supply-chain security duties (Section 65 BSIG). They will either require you to comply or replace you with a supplier who can. The practical consequence is lost business, not a BSI fine.
How much does supplier compliance cost?
The nisd2.eu platform is free. For a small company (10-50 employees), the main cost is time: typically 2-4 weeks of part-time work to set up initial policies, risk assessments, and processes. Ongoing maintenance is a few hours per quarter.
Can I use NIS2 compliance as a selling point?
Absolutely. When you can demonstrate NIS2-aligned security practices with documented evidence, you become a preferred supplier. Some companies are already advertising NIS2 supply chain compliance as a competitive differentiator in RFPs and proposals.
What if my customer hasn't asked yet?
They will. The BSI registration deadline passed in March 2026 and many thousands of companies are still catching up on implementation. As they implement NIS2, supply chain security is one of the 10 mandatory measures (Section 30(2)(4) BSIG). Getting ahead of the request positions you as a proactive, trusted partner.
Start your supply chain compliance: free
The nisd2.eu platform guides you through every requirement, generates your evidence package, and keeps you audit-ready. No cost, no credit card.