Art. 22 NIS 2

Coordinated risk assessments under Article 22 NIS 2

Article 22 is how the EU assesses strategic supply-chain risk for things like 5G, cloud and managed service providers. The Cooperation Group does the assessment. ENISA and the Commission support it. Entities then have to take the outputs into account when they choose suppliers under Article 21(2)(d).

Simon Orzel

The short version

Article 22 NIS 2 gives the Cooperation Group, together with the Commission and ENISA, the power to run coordinated risk assessments on the security of supply chains for specific critical ICT services, systems or products. The 5G Toolbox from 2020 was the first worked example. It predates NIS 2: the NIS Cooperation Group produced the EU coordinated risk assessment and the Toolbox under the 2019 Commission Recommendation on 5G cybersecurity, and Article 22 puts that practice on a statutory footing. Cloud, managed service providers, identity providers and others can be assessed the same way.

These assessments are EU-level and strategic. They cover technical risk factors and, where needed, non-technical ones too. Non-technical means geopolitics, regulatory environment, ownership and control of suppliers. The 5G Toolbox treated non-EU high-risk vendor risk under exactly that heading.

Article 22 does not bind entities directly. Article 21(3) does. Entities in scope must take the results of coordinated assessments into account when they choose their supplier-security measures under Article 21(2)(d). That is the bridge from EU-level strategy to entity-level procurement.

The legal source
Three layers. The Directive sets the assessment mechanism (Article 22) and the entity-level duty to take results into account (Article 21(3)). The CIR sets the entity-level supplier-security operational detail; note that it binds directly only the entity types listed in its Article 3 (DNS, TLD, cloud, data centre, CDN, managed service and managed security service providers, online marketplaces, search engines, social networks, trust service providers), and for everyone else it is the reference point supervisors and auditors use for what 'appropriate' looks like. The German transposition carries both forward into national law.

Article 22(1) and (2) NIS 2 Directive (2022/2555)

(1) The Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical ICT services, ICT systems or ICT products supply chains, taking into account technical and, where relevant, non-technical risk factors.

(2) The Commission, after consulting the Cooperation Group and ENISA, and, where necessary, relevant stakeholders, shall identify the specific critical ICT services, ICT systems or ICT products that may be subject to the coordinated security risk assessment referred to in paragraph 1.

Article 22 sets up the mechanism. The Cooperation Group runs the assessment. The Commission picks which ICT products, systems and services get assessed. ENISA supports both. The assessments are EU-wide and strategic, not entity-by-entity.

Article 21(3) NIS 2 + CIR (EU) 2024/2690 §5

Article 21(3): Member States shall ensure that, when considering which measures referred to in point (d) of paragraph 2 of this Article are appropriate, entities take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. Member States shall also ensure that, when considering which measures referred to in that point are appropriate, entities are required to take into account the results of the coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1).

Article 21(3) is the entity-level effect. If you are in scope and you choose suppliers under Article 21(2)(d), you have to take the Article 22 outputs into account. CIR §5 then sets the operational detail of supplier security at entity level, and procurement evidence depth is governed by the Article 21(1) proportionality clause.

§30(2)(4) BSIG and Cooperation Group participation (Germany)

Security of the supply chain, including security-related aspects of the relationships between each entity and its direct suppliers or service providers.

Germany copies the supplier-security duty of Article 21(2)(d) into §30(2)(4) BSIG; the neighbouring item, §30(2)(5), covers security in the acquisition, development and maintenance of IT systems, including vulnerability handling and disclosure, and mirrors Article 21(2)(e). BMI and BSI participate in the Cooperation Group on behalf of Germany, so Article 22 outputs feed into national guidance. BSI publishes summaries in its Infopakete and sector guidance. There is no separate German statute for Article 22 itself: it is a Cooperation Group mechanism, and the entity-level effect already runs through §30 BSIG.

Three pieces that make Article 22 work
Article 22 has a fixed shape. Who runs it. What it covers. How it lands at entity level. All three matter for understanding the mechanism end to end.
Art. 22(1)

Who runs it

The Cooperation Group, working with the Commission and ENISA. The Cooperation Group is the standing forum of Member State authorities, the Commission and ENISA under Article 14 NIS 2. ENISA brings the technical support and writes much of the underlying analysis. The Commission provides the Cooperation Group's secretariat and, under Article 22(2), decides what gets assessed.

Art. 22(2)

What it covers

The Commission picks the specific critical ICT products, systems and services that get assessed, after consulting the Cooperation Group, ENISA and, where necessary, relevant stakeholders. 5G was the first. Cloud, identity providers, managed service providers and others can follow. Nothing in the text limits it to one technology.

Art. 21(3)

How it lands at entity level

Entities in scope must take the assessment outputs into account when they choose suppliers under Article 21(2)(d). That is the operational handle. Not 'comply with Article 22'. 'Consider Article 22 outputs when picking and managing your suppliers'.

Two rules for reading Article 22 correctly
Two interpretive rules shape how Article 22 sits in the wider NIS 2 architecture. Get these right and the rest follows.

Strategic at EU level, operational at entity level

Article 22 sits at the EU strategic layer. The Cooperation Group, the Commission and ENISA run it. The output is a coordinated read on a particular supply chain. Entities then operationalise that read through Article 21(2)(d) and CIR §5, scaled by the Article 21(1) proportionality clause. The two layers do not collapse into one.

Technical and non-technical risk factors

Article 22(1) explicitly names both. Technical factors are the usual cybersecurity surface: known vulnerabilities, secure development practices, patch behaviour. Non-technical factors are geopolitics, regulatory exposure, ownership and control of the supplier. The 5G Toolbox treated non-EU high-risk vendor profiles under exactly this heading. Article 22 is the only NIS 2 article where non-technical risk is named in the text.

How national regulators handle this
The mechanism is EU-level. The entity-level effect lands in each country through the national transposition. Same substance, different local mechanics.
Germany

BMI and BSI via the Cooperation Group

BMI and BSI represent Germany in the Cooperation Group. When a coordinated assessment is published, BSI integrates the substance into its Infopakete and sector guidance. §30(2)(4) BSIG carries the entity-level supplier-security duty. The Article 22 output is one input into how a German auditor reads 'appropriate' under §30.

EU-wide

ENISA technical support

ENISA is named in Article 22(1) as the technical partner. It does much of the analytical legwork for coordinated assessments and feeds it into the Cooperation Group. ENISA also keeps the Technical Implementation Guidance for the CIR, which entities then use to operationalise supplier-security duties under Article 21(2)(d).

Other member states

National transpositions of Article 21(3)

Every Member State transposes Article 21(3) into its own NIS 2 law (Netherlands: Cyberbeveiligingswet, Austria: NISG, Belgium: NIS2-Wet). The duty to take coordinated assessment outputs into account is the same EU-wide. What differs is which national authority publishes guidance and how procurement rules pick up the assessment results.

Three traps we see in practice
Three readings of Article 22 that show up regularly in audit-prep calls and partner conversations. All three break the mechanism.
  • Article 22 is just the 5G rule.

    5G was the first worked example, not the only one. Article 22(2) gives the Commission an open-ended power to pick which critical ICT products, systems and services get assessed. Cloud, managed service providers, identity providers and others can all be brought under it. Treating Article 22 as a 5G-only article underestimates the scope by a wide margin.

  • We are below the size threshold, so Article 22 does not apply to us.

    Article 22 itself does not apply to entities directly. It operates at EU level. What does apply to you, if you are an in-scope NIS 2 entity, is Article 21(3): you must take coordinated-assessment results into account in your supplier choices under Article 21(2)(d). Your size does not change that duty once you are in scope; it only scales, through Article 21(1), how much evidence is proportionate.

  • Article 22 is how the EU enforces NIS 2 against suppliers.

    Article 22 is a risk-assessment mechanism, not an enforcement tool. It does not impose obligations on suppliers. It produces a coordinated EU read that entities then have to take into account under Article 21(3). Enforcement against entities runs through national supervisors under Articles 31 to 37. Enforcement against suppliers indirectly runs through entity-level procurement clauses under Article 21(2)(d).

How real Mittelstand operators handle this

Monitor Cooperation Group outputs. BSI summarises them in the Infopakete. ENISA references them in TIG updates. If a coordinated assessment lands on a technology you depend on (5G, cloud, managed service providers), update your supplier-security policy and your supplier register accordingly. Cite the assessment in the record so an auditor sees the link.

The 5G Toolbox is the worked example. Certain high-risk-vendor restrictions flowed through to national procurement rules and from there to entity-level supplier choices. Expect the same pattern when new assessments are published. You do not need to read the full Cooperation Group document. The BSI summary plus a one-line entry on the affected suppliers in your register is enough to show you took the outputs into account. Where the assessment classifies a supplier you actually use, the entry also needs a treatment decision (retain, restrict, replace) with a sign-off, because 'took into account' means a recorded choice, not just a citation.

How we handle this on the platform

The supplier register links each supplier to the relevant Article 22 outputs where applicable. If a coordinated assessment classifies a vendor or a vendor category, you tag the supplier with that classification. Your auditor sees both the assessment reference and your treatment decision in one place.

The risk register picks up the same tags. A supplier under a coordinated assessment shows up as a risk entry with the assessment as its source. Treatment, sign-off and ongoing review run through the standard CIR §2 flow. No separate workflow for Article 22 inputs. Same shape as every other supplier risk, just with a stronger external citation.
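To make the linking concrete, here is an added example of the tag-propagation and audit check the two paragraphs above describe. It is illustration written for this page, not the platform's own code, and every assessment reference, supplier name and classification in it is a constructed placeholder, not a real Cooperation Group identifier or vendor. An assessment carries the ICT categories it covers, or the specific suppliers it names, plus the classification it assigns; applying it tags matching suppliers, each tag becomes one risk-register row with the assessment as source, and `untreated()` is the check an auditor would run: tagged suppliers with no recorded treatment decision.

```python
"""Carry coordinated-assessment outputs into a supplier register and a risk register.

Added example for this page; not the platform's code. All identifiers below are
constructed placeholders (no real assessment references, vendors or classifications).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Assessment:
    ref: str                     # citation the auditor follows (placeholder)
    categories: frozenset        # ICT service/product categories the assessment covers
    classification: str          # label the assessment assigns to covered suppliers
    named_suppliers: frozenset = frozenset()  # non-empty when specific vendors are named

    def covers(self, supplier: "Supplier") -> bool:
        # A vendor-specific assessment applies only to the vendors it names;
        # a category-level one applies to every supplier in that category.
        if self.named_suppliers:
            return supplier.name in self.named_suppliers
        return bool(self.categories & supplier.categories)


@dataclass
class Supplier:
    name: str
    categories: frozenset
    tags: dict = field(default_factory=dict)       # assessment ref -> classification
    treatment: dict = field(default_factory=dict)  # assessment ref -> (decision, approver)


def apply_assessments(register, assessments) -> int:
    """Tag every supplier each assessment covers. Idempotent, so re-running on new
    Cooperation Group output never duplicates tags. Returns the number of tags changed."""
    changed = 0
    for a in assessments:
        for s in register:
            if a.covers(s) and s.tags.get(a.ref) != a.classification:
                s.tags[a.ref] = a.classification
                changed += 1
    return changed


def record_treatment(supplier: Supplier, ref: str, decision: str, approver: str) -> None:
    """Attach the treatment decision and sign-off to an existing tag (CIR point 2 flow)."""
    if ref not in supplier.tags:
        raise ValueError(f"{supplier.name} carries no tag for {ref}")
    supplier.treatment[ref] = (decision, approver)


def risk_entries(register) -> list:
    """One risk-register row per (supplier, assessment) tag, with the assessment as source."""
    rows = []
    for s in register:
        for ref, cls in sorted(s.tags.items()):
            decision, approver = s.treatment.get(ref, (None, None))
            rows.append({"supplier": s.name, "source": ref, "classification": cls,
                         "treatment": decision, "signed_off_by": approver})
    return rows


def untreated(register) -> list:
    """Audit check: tags that have an assessment reference but no treatment decision."""
    return sorted((s.name, ref) for s in register for ref in s.tags if ref not in s.treatment)


# Constructed sample data: one vendor-specific and one category-level assessment.
ASSESSMENTS = [
    Assessment("ASSESSMENT-5G-EXAMPLE", frozenset({"5g-ran"}), "high-risk-supplier",
               named_suppliers=frozenset({"RanVendor-X"})),
    Assessment("ASSESSMENT-CLOUD-EXAMPLE", frozenset({"iaas"}), "assessed-category"),
]
REGISTER = [
    Supplier("RanVendor-X", frozenset({"5g-ran"})),
    Supplier("RanVendor-Y", frozenset({"5g-ran"})),
    Supplier("CloudCo", frozenset({"iaas", "backup"})),
    Supplier("PayrollSaaS", frozenset({"saas"})),
]

if __name__ == "__main__":
    apply_assessments(REGISTER, ASSESSMENTS)
    record_treatment(REGISTER[2], "ASSESSMENT-CLOUD-EXAMPLE", "retain; exit plan reviewed", "CISO")
    for row in risk_entries(REGISTER):
        print(row)
    print("still untreated:", untreated(REGISTER))
```

Note the two distinct matching rules: a named-vendor assessment (the 5G Toolbox pattern) must not tag the second RAN vendor just because it sits in the same category, while a category-level assessment tags every supplier in scope. Running the check after each new assessment lands gives you exactly the list of treatment decisions still owed before the next audit.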

Sources
  • Directive (EU) 2022/2555 (NIS 2), Articles 21 and 22 — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex §5 — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
  • EU Cybersecurity Toolbox of risk mitigating measures for 5G networks (2020) — digital-strategy.ec.europa.eu
  • BSI Act (BSIG), §30(2)(4) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
  • ENISA Technical Implementation Guidance for CIR (EU) 2024/2690 (as of May 2026)
Carry coordinated-assessment outputs into your supplier register
Tag suppliers with Article 22 classifications, link them to your risk register, and show the audit trail in one place. Free, open source, no lock-in.