Suppliers to NIS 2 entities are not automatically NIS 2 entities
Article 2 NIS 2 decides scope based on what you are, not who you sell to. Customer relationships do not pull you in. Your customer's duties land in your inbox through their procurement contract under Article 21(2)(d).
The short version
Whether NIS 2 applies to your company is decided only by Article 2 of the Directive. Two tests. Your sector has to be listed in Annex I or II. And you have to meet the size threshold (medium-sized enterprise or larger under Commission Recommendation 2003/361/EC, with a few regardless-of-size overrides in Article 2(2) to (4)). Who your customers are is not part of the test.
So selling to a NIS 2 customer does not put you in scope. You become a NIS 2 entity only if your own sector plus your own size pass Article 2 on their own. If they do not, you are out of scope, even if every customer on your list is in.
What does travel down the supply chain is contractual, not legal. Article 21(2)(d) tells NIS 2 entities to manage the security of their direct suppliers. The tool they use is the procurement contract: clauses, questionnaires, evidence asks. You feel the pressure because your customer wants the answer, not because a regulator is talking to you.
NIS 2 Directive (EU) 2022/2555, Article 2(1)
This Directive applies to public or private entities of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union.
Scope is tied to two facts about the entity itself: the sector in Annex I or II, and the size threshold. Customer relationships, contracts and supply-chain ties are not in the text and do not extend scope. Article 2(2) to (4) add a few regardless-of-size overrides for specific entity types, but none of them is triggered by being someone's supplier.
NIS 2 Article 21(2)(d) + Commission Implementing Regulation (EU) 2024/2690 §5
supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.
Article 21(2)(d) puts the duty on the NIS 2 entity (the buyer), not on the supplier. CIR 2024/2690 §5 turns that into a supplier security policy with written selection criteria and a directory of suppliers and service providers. One caveat on the CIR: under Article 21(5) it binds only the digital entity types it was written for (DNS service providers, TLD name registries, cloud, data centre and CDN providers, MSPs and MSSPs, online marketplaces, search engines, social networks and trust service providers); every other NIS 2 entity gets the same Article 21(2)(d) duty through national transposition. Either way the supplier does whatever the contract says. The regulator only talks to the buyer.
BSIG §30 (Germany)
Particularly important entities and important entities must take appropriate, proportionate and effective technical and organisational measures to prevent disruptions. These measures include, among other things, the security of the supply chain including security-related aspects of the relationships with direct suppliers or service providers. (Translated from the German.)
Germany copies Article 21(2)(d) almost word for word into §30 BSIG. The duty hits the entity in scope. It does not declare its suppliers in scope. Other Member States transpose the same Article 21 with the same buyer-side mechanic (NL Cyberbeveiligingswet, AT NISG, FR LPM successor).
Is your sector in Annex I or II?
Annex I (highly critical): energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space. Annex II (critical): postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, search engines, social networks), research. If your business does not sit in one of these, you are out, no matter who you sell to. A small print shop supplying a hospital is still a print shop.
Are you a medium enterprise or larger?
Threshold is the SME definition in Commission Recommendation 2003/361/EC. You count as medium-sized or larger if you employ at least 50 persons, or if both your annual turnover and your annual balance-sheet total exceed EUR 10 million; below that you are a small or micro enterprise. Note that the Recommendation (Article 6 of the Annex) aggregates the figures of partner and linked enterprises, so a small subsidiary of a large group can still clear the threshold. If you are below it, you are out, unless one of the regardless-of-size overrides in Article 2(2) to (4) catches you anyway (e.g. you are the sole provider in a Member State of a service essential for critical societal or economic activities, a trust service provider, a DNS service provider or a TLD name registry).
Does a carve-out exclude you?
Even if Tests 1 and 2 are yes, Article 2(7) to (11) can take you out (national security, public security, defence, law enforcement), or a more specific EU law can displace parts of the Directive under Article 4 (for DORA financial entities, DORA replaces Article 21 and Article 23 and the related supervision; the rest of the Directive still applies). Being a supplier to a NIS 2 entity is never a carve-out that takes you out. It is also never a trigger that pulls you in.
Per-entity scope
Article 2 attaches the Directive to a specific entity based on its own attributes. There is no derivative scope. DORA works the same way (financial entities by type). The CER Directive works the same way (critical entities by sector). The CRA works the same way (manufacturers, importers and distributors of products with digital elements placed on the EU market). Each instrument scopes by what the regulated party is, not by who it sells to.
Contracts cascade, not the law
Article 21(2)(d) makes the buyer responsible for managing its supplier security risk. The buyer's tool is the contract. So suppliers feel commercial pressure, not regulatory pressure. Article 21(3) tells the buyer what to weigh: the vulnerabilities specific to each direct supplier, the overall quality of its products, and its cybersecurity practices including secure development. The proportionality rule in Article 21(1) governs how much evidence the buyer can ask for: a high-risk software vendor gets a deeper questionnaire, a low-risk office SaaS gets a lighter one. Your job as the supplier is to read those asks as commercial terms, not as orders from a regulator.
BSI / BMI: §28 and §30 BSIG split buyer and supplier
BSIG §28 lists the entity types in scope and runs the size test on the entity itself. §30 BSIG (the supply-chain duty) makes a specific particularly important or important entity (besonders wichtige or wichtige Einrichtung) responsible for its supplier relationships. Neither section pulls a non-qualifying supplier into scope. The BSI's online applicability check (NIS-2-Betroffenheitsprüfung) tests sector plus size for whoever is running the check, not their customers.
ENISA: scope under Article 2, supplier risk under Article 21
ENISA's implementation guidance treats scope and supply-chain measures as two separate questions. Scope is Annex I or II plus size. Supplier security is one of the controls the in-scope entity runs as part of its own risk management. It does not pull suppliers into NIS 2. The national lists of essential and important entities under Article 3 and the ENISA registry under Article 27 (which covers only the listed digital entity types such as DNS, cloud and managed service providers) contain entities that are themselves in scope.
Other Member States apply the same per-entity test
The Dutch Cyberbeveiligingswet, the Austrian NISG and the French transposition (replacing LPM for civil sectors) all read Article 2 the same way. A Dutch waste-management firm supplying a Belgian energy operator is in scope only if waste management is one of its own activities and it meets the size threshold. A Member State can identify additional entities by national law (Article 2(2)(b) for smaller entities with a specific role, Article 2(5) for further public administration entities, and Article 5 for stricter national rules generally), but those designations again rest on the entity's own attributes, never on who it sells to.
Our customer is in scope, so we are too.
No. Article 2(1) applies the Directive to you based on your sector and your size. Your customer's status is not in the test. You may still have to honour contractual security clauses the customer puts in front of you. That does not make you a NIS 2 entity. It makes you a contracting party.
NIS 2 cascades down the supply chain.
No. Contracts cascade. The Directive does not. Article 21(2)(d) makes the buyer responsible for managing the security of its direct suppliers. The buyer pushes that into procurement contracts. You owe the buyer (under contract), not the regulator (under NIS 2). Same logic for sub-suppliers: only the direct relationship is in scope of Article 21(2)(d), not the supplier's supplier. Your customer's contract may well require you to flow equivalent terms down to your own suppliers; that is still contract, not Directive.
Our customer told us to register with the national authority, so we must.
No. Registration is required only for entities that are themselves in scope under Article 2: Member States list essential and important entities under Article 3(3) and (4), and ENISA keeps the Article 27 registry for DNS service providers, TLD name registries, cloud, data centre and CDN providers, MSPs and MSSPs, online marketplaces, search engines and social networks. A customer cannot invent a registration duty for you. If a buyer insists, ask them which Annex entry and which size threshold they think you sit under. If the answer is not in Article 2, the duty does not exist.
If you are the buyer (a NIS 2 entity), your job under Article 21(2)(d) and CIR §5 (or its national equivalent, if you are not one of the digital entity types the CIR covers) is to write a supplier security policy with selection criteria, keep a directory of suppliers and service providers, and put proportionate security clauses into the contracts of your direct suppliers. You assess and manage. You do not delegate that to the regulator. CIR §5 fixes the criteria (the supplier's cybersecurity practices including secure development, its ability to meet your specifications, the quality and resilience of its products, your ability to avoid lock-in) but leaves the form of evidence to you: ISO 27001 certificates, SOC 2 reports, pen-test summaries and secure-development attestations are the usual choices. Article 21(1) lets you scale the evidence depth to the actual risk of the supplier. A high-risk software vendor gets a deeper ask than the company that prints your business cards.
If you are the supplier and your customer is in scope, run the Article 2 test on yourself first. If you do not pass it, you are not a NIS 2 entity. Your customer will still send you contractual security obligations. Read them as commercial terms: negotiate scope, evidence depth, audit rights, breach-notification timing. If you do pass Article 2 on your own, register under Article 27 and meet Article 21 and Article 23 in your own right, regardless of what any single customer asks.
For buyers, the platform turns the Article 21(2)(d) and CIR §5 duty into a working tool: a supplier register with risk tiers, a clause library, an evidence workflow, and a supplier portal where your suppliers answer the questionnaire. You keep the register. Your supplier only sees the questions addressed to them.
For suppliers, the supplier portal lets you answer the security questionnaire once and reuse the answer across customers. The portal makes the commercial nature of the ask visible: you are responding to your customer's procurement policy, not to a regulator. If you do turn out to be in scope on your own under Article 2, the same platform handles your own NIS 2 obligation register from the buyer side.
- Directive (EU) 2022/2555 (NIS 2), Article 2 (scope), Annex I and Annex II (sectors), Article 21(2)(d) (supply chain security) and Article 21(3) (consideration of supplier-specific vulnerabilities).
- Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024, §5 (supply chain security): procurement policy with selection criteria, supplier risk register, contractual security obligations.
- Commission Recommendation 2003/361/EC, Article 2 of the Annex (definition of medium-sized enterprise: at least 50 employees, or annual turnover and balance-sheet total both above EUR 10 million) and Article 6 (aggregation of partner and linked enterprises).
- BSIG (Germany) §28 (entity types and size criteria) and §30 (risk-management measures, including supply-chain security), implementing NIS 2 Arts. 2 and 21.
- ENISA NIS 2 implementation guidance and the Art. 27 entity-registry specification (digital entity types only; general national lists under Art. 3(3) and (4)): scope under Art. 2 governs whether an entity is registered; supply-chain measures under Art. 21 govern what an in-scope entity does about its suppliers.