Art. 21(2)(d) + Art. 23 NIS 2

A supplier is breached. What does NIS 2 require from the entity?

Article 21(2)(d) NIS 2 places supply chain security on the entity. Article 23 governs incident reporting. Both apply when an affected supplier exposes the entity's own services.

Simon Orzel

What this page covers

Article 21(2)(d) NIS 2 requires entities to take appropriate and proportionate measures to address supply chain security risk to their own network and information systems. The duty is on the entity, not on the supplier. The directive does not regulate suppliers that are themselves out of scope; it regulates how the in-scope entity manages them.

When a direct supplier is breached, two separate questions follow. First, has the entity's own service delivery been affected? If so, that can trigger an Article 23 incident report at the level of the entity. Second, is the contractual notification chain under Article 21(2)(d) working, so that the entity learns of the breach within the agreed time and on the agreed channel?

A breach at the affected supplier is not, on its own, a reportable incident for the entity. It becomes one when the breach causes a significant incident at the entity within the meaning of Article 23(3) NIS 2.

Legal anchor
Three layers govern the situation. The directive places the duty, the implementing regulation specifies it for digital infrastructure entities, the national act transposes it.

Article 21(2)(d) NIS 2

supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.

The article addresses the relationship to direct suppliers, not the supplier itself. The entity remains accountable for managing that relationship, including for incidents that propagate from it.

Recital 90 NIS 2

entities should assess and take into account the overall quality and resilience of products and services, the cybersecurity risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures.

Recital 90 explains the policy logic behind Article 21(2)(d). It frames supply chain security as an ongoing assessment of the supplier's posture, not a one-time onboarding check.

Article 23(3) NIS 2

an incident shall be considered to be significant if: (a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; (b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Article 23(3) defines the significance threshold at the level of the entity. A supplier incident is judged through this lens once it reaches the entity's own services.

Three things the entity has to do
Detection, dependency assessment, and a reporting decision. In that order.
Detection

Learn of the breach in time

Article 21(2)(d) operationalises into a contract clause. The affected supplier must notify the entity within a defined time and on a defined channel. Without that clause the entity learns from press releases, which is too late for an Article 23 timeline.

Dependency

Assess the entity's own exposure

The question is not whether the supplier is in trouble. The question is whether the entity's own network and information systems, or the services it provides, are affected. This is a factual exercise: which data, which interface, which dependency, which fallback.

Report

Decide on the entity's own report

If the entity's own services cross the Article 23(3) threshold, the entity files the early warning within 24 hours, the incident notification within 72 hours, and the final report within one month. The report is filed by the entity for the entity, even though the root cause sits at the supplier.

Two principles people get wrong
These are not legal opinions. They are descriptions of what the directive places where.

The duty is on the entity

Article 21 lists measures the entity must adopt. It does not regulate the supplier. If the affected supplier is itself in scope of NIS 2, it has its own duties. Those duties do not replace the entity's duties; they sit in parallel.

Contract before crisis

Recital 90 expects the supplier relationship to be assessed before an incident happens. The notification chain, the cooperation duty, the right to receive evidence: these live in the contract. After a breach is the wrong moment to negotiate them.

National view
Germany transposes the directive through the BSIG. The substantive duty in Article 21(2)(d) is implemented through §30 BSIG, the reporting timeline through §32 BSIG.
Germany

§30 + §32 BSIG

§30 BSIG carries the supply chain risk-management duty into German law. §32 BSIG carries the 24h / 72h / one month reporting structure. The entity reports through the BSI Meldeportal, regardless of where the originating breach occurred.

EU

ENISA Threat Landscape for Supply Chain

ENISA publishes annual material on supply chain attack patterns and notification practice. It is reference material for the entity's risk methodology under Article 21(2)(d), not a separate obligation.

Sector

Sector CSIRT guidance

For digital infrastructure entities, Commission Implementing Regulation 2024/2690 specifies supply chain requirements at the next level of detail. Other sectors follow Article 21(2)(d) directly, refined by national guidance and sector CSIRTs.

Three common misreadings
Each comes up regularly. Each is wrong for a specific reason.
  • "It is the supplier's problem."

    Article 21(2)(d) places the supply chain duty on the entity. The supplier may or may not have its own NIS 2 duties depending on whether it is in scope. The entity's duty exists either way.

  • "The supplier reports, so the entity does not have to."

    A supplier in scope of NIS 2 reports its own significant incident. That report does not satisfy Article 23 for the entity. If the entity's own services reach the Article 23(3) threshold, the entity files separately at the level of the entity.

  • "IT watches the supplier, no need to involve management."

    Article 20 NIS 2 requires the management body to approve the cybersecurity risk-management measures and oversee their implementation. Supply chain monitoring is one of those measures. A silent IT process without management body sign-off does not satisfy Article 20.

Practitioner view

The hard part is rarely the report. The hard part is the dependency assessment under time pressure. If the entity does not already know which supplier touches which service, which data, and through which interface, the first hours after a supplier breach are spent reconstructing that map instead of acting on it.

An asset and supplier inventory that lists, per supplier, the affected service, the data category, and the contractual notification channel turns a supplier breach from an emergency into a routine. The directive does not prescribe the format of that inventory. It does require it to exist in a form the entity can actually use.
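The inventory described above can be kept as plain structured data and queried in the first minutes after a supplier breach. The following is an added example, not code from this page or from the platform it describes: it holds a constructed supplier register (all supplier names, services, channels and notification windows are placeholders), surfaces the entity's own exposure for a named supplier, checks whether the contractual notification window was met, and computes the Article 23 timeline from the moment the entity became aware. The final report is counted one month after the incident notification, as Article 23(4)(d) does, with "one month" approximated as 30 days; the two significance flags are the entity's own judgement under Article 23(3)(a) and (b), not something the code decides.

```python
"""Supplier dependency map and Article 23 timer (constructed example, not the platform's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Supplier:
    name: str
    services: tuple[str, ...]          # entity services that depend on this supplier
    data_categories: tuple[str, ...]   # data the supplier processes for the entity
    interface: str                     # technical dependency (API, SFTP, VPN, none)
    notification_channel: str          # contractual channel for breach notification
    notification_window: timedelta     # contractually agreed notification time


# Constructed sample register; every value here is a placeholder.
REGISTER = {
    "hosting-provider-x": Supplier(
        name="hosting-provider-x",
        services=("customer-portal", "dns"),
        data_categories=("customer-master-data",),
        interface="iaas-api",
        notification_channel="security@entity.example (contract clause 12)",
        notification_window=timedelta(hours=24),
    ),
    "payroll-saas-y": Supplier(
        name="payroll-saas-y",
        services=("hr-payroll",),
        data_categories=("employee-data",),
        interface="sftp",
        notification_channel="vendor portal ticket",
        notification_window=timedelta(hours=48),
    ),
    "office-cleaning-z": Supplier(  # supplier with no network or data dependency
        name="office-cleaning-z",
        services=(),
        data_categories=(),
        interface="none",
        notification_channel="account manager email",
        notification_window=timedelta(days=7),
    ),
}


def affected_services(register, supplier_name):
    """Dependency step: which services, data and interface does this supplier touch?"""
    sup = register.get(supplier_name)
    if sup is None:
        raise KeyError(f"supplier {supplier_name!r} is not in the register")
    return {
        "services": list(sup.services),
        "data": list(sup.data_categories),
        "interface": sup.interface,
        "channel": sup.notification_channel,
    }


def notification_on_time(register, supplier_name, supplier_detected_at, entity_notified_at):
    """Detection step: did the supplier notify within the contractual window?"""
    sup = register[supplier_name]
    return entity_notified_at - supplier_detected_at <= sup.notification_window


def article23_deadlines(aware_at):
    """Reporting step: Article 23(4) deadlines counted from the entity's awareness."""
    early_warning = aware_at + timedelta(hours=24)
    incident_notification = aware_at + timedelta(hours=72)
    # Final report: one month after the incident notification; 30 days assumed here.
    final_report = incident_notification + timedelta(days=30)
    return {
        "early_warning": early_warning,
        "incident_notification": incident_notification,
        "final_report": final_report,
    }


def assess_supplier_breach(register, supplier_name, supplier_detected_at, entity_aware_at,
                           severe_disruption_or_loss, third_party_damage):
    """Run the three steps in order and return a reviewable assessment record.

    The two boolean flags are the entity's judgement under Article 23(3)(a) and (b).
    A breach at a supplier with no dependent service cannot be significant for the entity.
    """
    exposure = affected_services(register, supplier_name)
    significant = bool(exposure["services"]) and (severe_disruption_or_loss or third_party_damage)
    return {
        "supplier": supplier_name,
        "assessed_at": entity_aware_at,
        "exposure": exposure,
        "notification_chain_ok": notification_on_time(
            register, supplier_name, supplier_detected_at, entity_aware_at),
        "significant": significant,
        "deadlines": article23_deadlines(entity_aware_at) if significant else None,
    }


if __name__ == "__main__":
    detected = datetime(2025, 1, 9, 10, 0, tzinfo=timezone.utc)
    aware = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    record = assess_supplier_breach(REGISTER, "hosting-provider-x", detected, aware, True, False)
    for key, value in record.items():
        print(f"{key}: {value}")
```

The record returned by `assess_supplier_breach` is the kind of entry an audit trail should keep: who was affected, whether the contract worked, what the entity decided on significance, and which deadlines followed from that decision.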

How the platform fits

The platform keeps a supplier register linked to the entity's services and a contractual notification field per supplier. When a supplier breach is logged, the affected services surface immediately and the Article 23 reporting timer can start on a clean dependency map.

Management body sign-off on the supply chain risk approach is captured as a one-time approval with a versioned audit trail. The same trail records every supplier breach and the Article 23(3) significance decision the entity made, so the assessment is reviewable later.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 20, Article 21(2)(d), Article 23, Recital 90. EUR-Lex.
  • Commission Implementing Regulation (EU) 2024/2690, supply chain requirements for digital infrastructure entities.
  • BSIG (Germany), §30 (risk-management measures), §32 (incident reporting).
  • ENISA Threat Landscape for Supply Chain Attacks, annual edition.