NIS 2 Supplier Contract Clauses
Article 21(2)(d) NIS 2 obliges entities to address security in their direct supplier and service provider relationships. Article 21(1) decides how far that obligation reaches.
What Article 21(2)(d) Asks For
Article 21(2)(d) NIS 2 lists supply chain security as one of ten minimum cybersecurity risk management measures. The directive is specific about scope: it covers the security-related aspects of the relationship between an entity and its direct suppliers or service providers. It does not regulate the entire supply chain, and it does not require a generic boilerplate clause.
The companion clause is Article 21(1). All measures under Article 21(2), including supplier-relationship security, must be appropriate and proportionate to the risks faced by the entity. Cost of implementation, the size of the entity, the likelihood of incidents and their severity all enter the proportionality test. The same contractual depth is not expected of a 60-person waste utility as of a tier-one cloud provider.
The practical question for an entity in scope is therefore not which clauses to copy from a template, but which security-related aspects of each supplier relationship matter, which evidence the entity needs to manage residual risk, and how to record that the risk-based choice was made deliberately.
Article 21(2)(d) NIS 2
supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
One of the ten minimum measures listed in Article 21(2). Note the deliberate limitation to direct suppliers and service providers. The directive does not extend the clause to nth-tier sub-suppliers. Recitals 85 and 90 confirm that the assessment is risk-based and considers the specific vulnerabilities of each supplier and the overall quality of their cybersecurity practices.
CIR 2024/2690, Annex Section 5
The relevant entities shall lay down, implement and apply a supply chain security policy that governs the relationships with their direct suppliers and service providers.
Commission Implementing Regulation 2024/2690 specifies the supply chain measure for digital infrastructure entities only (DNS, TLD registries, cloud, data centres, CDN, managed service providers, managed security service providers, online marketplaces, search engines, social networks, trust service providers). Section 5 of the Annex lists selection criteria, contractual requirements, monitoring duties and exit handling. For other sectors, national transposition law applies.
§30(2) No. 4 BSIG
Security of the supply chain, including security-related aspects of the relationships between the individual entities and their direct suppliers or service providers
The German NIS2UmsuCG transposes Article 21(2)(d) one-to-one into §30(2) No. 4 BSIG. §30(1) BSIG carries the proportionality clause forward. The BSI guidance to date treats supplier-relationship security as a policy plus contract plus monitoring obligation, not as a clause list.
Which suppliers are in scope
Article 21(2)(d) targets direct suppliers and service providers, not the full upstream chain. An entity is expected to identify which suppliers process, transmit or store data the entity depends on, or whose service interruption would affect its essential or important service. Stationery vendors are out of scope; the cloud hoster of the customer database is in scope. The selection criterion is the risk the supplier introduces, not the contract value.
What the contract layer typically covers
BSI guidance and CIR Section 5 describe a supplier-relationship policy that translates into contractual requirements. Common elements regulators look for include a security baseline reference, an incident notification obligation aligned with Article 23 timeframes, transparency over material sub-processors, an audit or evidence right proportionate to the risk, and termination rights on security grounds. The depth is calibrated per supplier risk class, not applied uniformly.
How the entity verifies the supplier
The directive is technology and certificate neutral. Evidence can be a supplier questionnaire, a recognised certification such as ISO 27001 or SOC 2, a recent penetration test report, or a contractual audit clause exercised on a sampling basis. CIR 2024/2690 Section 5 explicitly lists multiple acceptable evidence forms. The entity decides which form is appropriate for the risk class of each supplier and documents that decision.
Direct suppliers only, no automatic flow-down
Article 21(2)(d) names direct suppliers and service providers. It does not impose a contractual flow-down to every nth-tier sub-supplier. Where sub-processor risk is material, the entity addresses it through the direct contract, typically by requiring transparency over critical sub-processors and approval rights for material changes. A blanket flow-down clause is not a directive requirement and is generally unenforceable against parties with no direct contract.
Proportionate to the risk, not a fixed standard
Article 21(1) requires measures to be appropriate and proportionate, taking into account the state of the art, cost of implementation, the entity's size, exposure, likelihood of incidents and their severity. The same proportionality applies to the supplier-relationship clause. A standard purchase order does not need a full audit clause if the supplier risk is low. A managed security service provider warrants a deeper clause than a hardware supplier. The decision is documented, not standardised.
BSI IT-Grundschutz OPS.2 and ORP.4
The BSI baseline IT-Grundschutz building blocks OPS.2 (outsourcing for service users) and CON.7 (outsourcing for service providers) plus ORP.4 (identity and access) describe a supplier-relationship process compatible with Article 21(2)(d). For entities using the §44(2) BSIG Grundschutz shortcut, applying these building blocks is treated as evidence of the supplier-relationship measure.
ENISA Threat Landscape for Supply Chain Attacks
ENISA's repeated reports on supply chain attacks frame the risk picture the directive responds to. ENISA does not publish a contract template. Its work is referenced in the directive's recitals on supply chain risk and informs the Cooperation Group's supplier-risk methodology, but it is not a binding contractual standard.
CIR 2024/2690 Annex Section 5
For the eleven digital infrastructure entity types in the scope of CIR 2024/2690, Annex Section 5 sets a more concrete supplier-policy specification: selection criteria, contractual requirements, monitoring across the contract lifecycle, exit conditions. For all other sectors, this remains useful orientation but not directly binding; the national transposition and authority guidance govern.
A single supplier addendum, signed by everyone, closes Article 21(2)(d).
The directive obliges entities to address the security-related aspects of the relationship, which Article 21(1) ties to a proportionality test per supplier. A single addendum applied uniformly contradicts proportionality and creates either over-contracted small vendors or under-contracted critical providers. The defensible artefact is the supplier-risk policy plus the per-supplier risk classification, with the contract clauses derived from that classification.
ISO 27001 certification on the supplier side replaces all audit and evidence rights.
A recognised certification is acceptable evidence for many supplier risk classes, but Article 21(2)(d) does not name ISO 27001 and does not delegate the obligation to a certifier. The entity remains accountable for the relationship under §30 BSIG. Where the supplier risk is high or the certification scope excludes the service consumed, additional verification rights remain appropriate. CIR Section 5 explicitly lists multiple evidence forms in parallel.
Small suppliers are out of scope of the entity's supplier-security obligation.
Article 21(2)(d) does not exempt small suppliers. The supplier's own NIS 2 scope under Article 2 is a separate question. The entity's obligation is to address the security-related aspects of its direct supplier relationship regardless of the supplier's size, calibrated to the risk that supplier introduces. A two-person backup hoster handling critical data attracts more attention than a thousand-person catering provider.
Auditors looking at supplier security in NIS 2 entities typically ask for three artefacts in order: the supplier-risk policy that sets the classification logic, the supplier inventory with the classification applied, and a sample of contracts from each risk class showing how the policy is reflected. The contract clauses themselves are the last layer, not the first.
Where the entity uses the §44(2) BSIG Grundschutz route, OPS.2 and CON.7 building blocks already structure the supplier-risk policy and the contract layer. Entities outside Germany rely on the equivalent national authority guidance or, for digital infrastructure entities, on CIR 2024/2690 Annex Section 5. The directive itself does not impose a uniform clause list.
The platform's supplier module captures the artefacts an auditor expects: a supplier inventory with risk classification, the linked service or asset, the agreed evidence form per supplier (questionnaire, certification reference, audit clause, point-in-time evidence), and the incident-notification path back into the entity's own Article 23 reporting workflow.
The supplier portal lets direct suppliers respond to questionnaires and upload evidence under a token-based access, so the conversation is documented in one place. The platform does not publish contract templates. It records that the supplier-relationship measure under §30(2) No. 4 BSIG is in place and evidenced per supplier.
- Directive (EU) 2022/2555 (NIS 2), Article 21(2)(d) and Article 21(1), EUR-Lex
- Recitals 85 and 90, Directive (EU) 2022/2555, EUR-Lex
- Commission Implementing Regulation (EU) 2024/2690, Annex Section 5, EUR-Lex
- BSIG §30(2) No. 4 and §30(1), gesetze-im-internet.de
- BSI IT-Grundschutz Kompendium, modules OPS.2 and CON.7, BSI
- ENISA Threat Landscape for Supply Chain Attacks, ENISA