NIS 2 and ICT supply chain: concrete obligations and certification
Securing the ICT supply chain is a first-order control under NIS 2. This guide outlines your obligations (Art. 21(2)(d)), the ILR’s role in Luxembourg, and when to use EU cybersecurity certification (Art. 24).
The general rule
The NIS 2 Directive requires “essential” and “important” entities to implement proportionate technical, operational, and organizational measures (Art. 21). Among these measures is the explicit requirement to ensure ICT supply chain security, including relationships with direct suppliers and service providers (Art. 21(2)(d)). Official text: Directive (EU) 2022/2555 (NIS 2), see Art. 21 and 21(2)(d).
Numbering note: supply chain management falls under Art. 21(2)(d), while Art. 24 covers the “use of European cybersecurity certification schemes” to demonstrate conformity with certain Art. 21 requirements. In short: you must manage supplier risk (Art. 21), and you may be required — by the Member State or by a delegated act of the Commission — to use ICT products/services/processes certified under the Cybersecurity Act (Art. 24). See NIS 2 Art. 24: CELEX 32022L2555, and the certification framework under the Cybersecurity Act: Regulation (EU) 2019/881 and ENISA – EU Cybersecurity Certification Framework.
What regulators say
- Luxembourg (ILR). The ILR urges in-scope entities to start preparing now, align with EU/international standards, and notes its role as competent authority for most sectors in Luxembourg (per the NIS 2 transposition bill). See the official NISS FAQ: ilr.lu/faq/niss.
- European Commission / NIS Cooperation Group. The “EU ICT Supply Chain Security Toolbox” guides states and organizations on supplier control measures. See: Toolbox to improve ICT supply chain security and NIS2 page: digital-strategy.ec.europa.eu – NIS2.
- ENISA (EU Agency). ENISA publishes good practices for supply chain cyber risk (mapping, due diligence, contractual clauses, continuous monitoring). Reference: Good Practices for Supply Chain Cybersecurity (June 2023). ENISA also highlights the link between Art. 21(2)(d) and supply chain policy in its NIS 2 technical notes.
- Legal basis for certification. NIS 2 Art. 24 allows Member States to require the use of ICT products/services/processes certified under EU schemes (CSA, Art. 49). Official framework: ENISA – EU Cybersecurity Certification Framework and the CSA text: Publications Office – 2019/881.
How to apply it in practice
Executive objective: demonstrate that relationships with providers and software vendors (cloud, MSSP, integrators, business apps, OT operators, outsourcing) do not introduce unmanaged risks to the availability, integrity, and confidentiality of your services.
Before (design and selection)
- Supply Chain Security policy required by Art. 21(2)(d): scope, roles (procurement, security, legal), criticality criteria, and tiered requirements by supplier category. Basis: NIS 2 and Toolbox.
- Map and classify ICT dependencies: who operates critical systems, data location, interconnections. Use ENISA guidance: Good Practices.
- Baseline requirements by risk category: exportable logs/telemetry, MFA/segmentation, patching policies, SSO/SCIM, encryption, VDP/vulnerability management, incident notification within X hours, RPO/RTO, reversibility/portability.
- Expected evidence: SOC 2/ISO 27001 are useful but not sufficient. Check fit-for-scope and NIS 2 Art. 21 controls. Consider EU-certified products/services (Art. 24) where relevant schemes exist; otherwise favor open standards and stronger attestations. References: NIS 2 Art. 24 and CSA framework.
- Contractual clauses: use the Toolbox and ENISA as a practical checklist: proportionate audit rights, security testing, SBOM requirements, patch SLAs, mandatory disclosure (incidents and near misses), measures upon credential exposure, resilience (BCP/DRP), flow-down to subcontractors, termination conditions (erasure/return/secure transfer). Sources: EU Toolbox, ENISA Good Practices.
During (execution and monitoring)
- Enhanced due diligence: questionnaires based on Art. 21(2) a–j, implementation evidence (policies, test reports, patch metrics), targeted visits/interviews for critical suppliers. See NIS 2 Art. 21.
- Continuous oversight: security SLAs, quarterly reviews, tracking major vulnerabilities, collecting relevant provider-side logs, joint crisis exercises.
- IR integration: incident scenarios including providers (e.g., software supply chain attack), alert channels, IoC sharing, dedicated playbooks. Reference: NIS 2 Art. 21(2)(b) and (c).
After (lessons learned and improvement)
- Supplier post-incident reviews, contractual corrective actions, update of classification and requirements.
- Lifecycle: upon major changes (new SaaS version, relocation, tier-2 subcontractor), reassess exposure and guarantees.
Concrete example (Luxembourg, 2026)
A payment services operator, treated here as an “essential” entity, outsources network operations to an MSSP and migrates applications to a public cloud. (If the operator is a financial entity within the scope of DORA, DORA's ICT third-party risk rules take precedence as lex specialis; the approach below stays the same.)
- Mapping: the MSSP holds admin access — “critical”. The cloud hosts production data — “very critical”.
- Requirements: MFA/PAM, segmentation, logs exported to the internal SIEM, RTO ≤ 4h, incident notification within 12h (which leaves margin for the entity's own 24h early warning to the CSIRT under Art. 23(4)(a)), SBOM for sensitive components.
- Evidence: MSSP ISO 27001 + red team reports; for cloud, prefer services covered by a relevant EU certification scheme as soon as available (NIS 2 Art. 24 + CSA).
- Contract: audit rights on NIS 2 controls, patch timelines (7/30/90 days), reversibility, vulnerability management (critical CVEs ≤ 7 days).
- Follow-up: monthly security committee, joint crisis exercises, detection KPIs.
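The contractual figures in this example (7/30/90-day patch timelines by severity, notification within 12h) are only useful if someone measures them every month. The following Python script is an added example written for this page, not code from Luxgap or from any regulator: it takes a supplier's monthly report of vulnerability fixes and incident notifications and computes the SLA breaches and the KPIs a security committee would review. The severity-to-SLA mapping (medium and low both at 90 days), the UTC parsing helper, and all identifiers and dates in the sample data are assumptions constructed for the demonstration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# SLA values taken from the example contract above: 7/30/90-day patch timelines by
# severity and incident notification within 12 hours. They are contractual choices
# for this example, not figures from the Directive. Medium/low at 90 days is assumed.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 90}
NOTIFY_SLA_HOURS = 12


@dataclass(frozen=True)
class Fix:
    vuln_id: str
    severity: str
    disclosed: datetime            # advisory published / supplier notified
    fixed: Optional[datetime]      # None while the fix is still outstanding


@dataclass(frozen=True)
class Incident:
    incident_id: str
    detected: datetime             # supplier's own detection time
    notified: Optional[datetime]   # when the supplier told us; None if not yet


def utc(s: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM' as UTC so intervals do not depend on local time."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)


def patch_breaches(fixes: List[Fix], now: datetime) -> Dict[str, int]:
    """Return {vuln_id: whole days over SLA} for fixes delivered late or still open past SLA.
    Open items are measured against `now`, so an unclosed ticket counts as late instead
    of disappearing from the KPI."""
    breaches: Dict[str, int] = {}
    for f in fixes:
        sla = PATCH_SLA_DAYS.get(f.severity.lower())
        if sla is None:
            raise ValueError(f"{f.vuln_id}: unknown severity {f.severity!r}")
        elapsed_days = ((f.fixed or now) - f.disclosed).total_seconds() / 86400
        if elapsed_days > sla:
            breaches[f.vuln_id] = math.ceil(elapsed_days) - sla
    return breaches


def notification_breaches(incidents: List[Incident], now: datetime) -> Dict[str, float]:
    """Return {incident_id: hours over the 12h SLA}; unnotified incidents are measured to `now`."""
    breaches: Dict[str, float] = {}
    for i in incidents:
        hours = ((i.notified or now) - i.detected).total_seconds() / 3600
        if hours > NOTIFY_SLA_HOURS:
            breaches[i.incident_id] = round(hours - NOTIFY_SLA_HOURS, 1)
    return breaches


def sla_kpis(fixes: List[Fix], incidents: List[Incident], now: datetime) -> dict:
    """KPIs for the monthly security committee: share within SLA, open criticals past SLA."""
    pb = patch_breaches(fixes, now)
    nb = notification_breaches(incidents, now)

    def pct_ok(total: int, late: int) -> float:
        return round(100.0 * (total - late) / total, 1) if total else 100.0

    return {
        "patch_within_sla_pct": pct_ok(len(fixes), len(pb)),
        "notify_within_sla_pct": pct_ok(len(incidents), len(nb)),
        "open_critical_over_sla": sorted(
            f.vuln_id for f in fixes
            if f.fixed is None and f.severity.lower() == "critical" and f.vuln_id in pb
        ),
    }


# Constructed sample: one month of a hypothetical MSSP's reporting (identifiers invented).
NOW = utc("2026-03-31T09:00")
SAMPLE_FIXES = [
    Fix("ADV-2026-001", "critical", utc("2026-03-01T10:00"), utc("2026-03-05T08:00")),  # within 7 d
    Fix("ADV-2026-002", "critical", utc("2026-03-10T09:00"), utc("2026-03-20T09:00")),  # 10 d, late
    Fix("ADV-2026-003", "high",     utc("2026-02-01T12:00"), utc("2026-02-25T12:00")),  # within 30 d
    Fix("ADV-2026-004", "critical", utc("2026-03-20T09:00"), None),                     # open 11 d
    Fix("ADV-2026-005", "medium",   utc("2025-12-01T09:00"), utc("2026-03-05T09:00")),  # 94 d, late
]
SAMPLE_INCIDENTS = [
    Incident("INC-7", utc("2026-03-02T22:00"), utc("2026-03-03T06:30")),  # 8.5 h, ok
    Incident("INC-8", utc("2026-03-15T01:00"), utc("2026-03-16T01:00")),  # 24 h, late
    Incident("INC-9", utc("2026-03-30T20:00"), None),                     # 13 h so far, late
]

if __name__ == "__main__":
    print(patch_breaches(SAMPLE_FIXES, NOW))
    print(notification_breaches(SAMPLE_INCIDENTS, NOW))
    print(sla_kpis(SAMPLE_FIXES, SAMPLE_INCIDENTS, NOW))
```

Two design points matter in practice: open items are clocked against the review date rather than ignored, so a supplier cannot improve its figures by leaving tickets unclosed, and the clock starts at disclosure, not at the supplier's internal triage, which is the definition the contract should fix explicitly.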
Common pitfalls
- Paper compliance vs effectiveness: a generic certificate may not cover the controls targeted by NIS 2 Art. 21(2)(d); check them against the text of Art. 21 and the Toolbox.
- Forgetting cascading chains (N+1/N+2): require equivalent obligations for the supplier’s subcontractors. Reference: ENISA 2023.
- Ineffective audit clauses: vague audit rights or no remediation/security SLA mechanisms. Use the Toolbox to frame evidence, timelines, and corrective measures: Commission – Toolbox.
- Overlooking Art. 24: where relevant EU schemes exist (or become mandatory), embed them in procurement. See NIS 2 Art. 24 and CSA framework.
- Insufficient anticipation in Luxembourg: the ILR recommends preparing now; delaying complicates contractual migrations. Source: ILR – NISS FAQ.
Official sources
- Directive (EU) 2022/2555 (NIS 2) – Articles 21 and 24: EUR‑Lex and bilingual CELEX: CELEX 32022L2555.
- EU cybersecurity certification framework (Cybersecurity Act, Regulation (EU) 2019/881): EUR‑Lex text 32019R0881, ENISA overview: ENISA – Certification Framework, Publications Office: 2019/881.
- EU ICT Supply Chain Security Toolbox: digital-strategy.ec.europa.eu and NIS2 page: digital-strategy.ec.europa.eu – NIS2.
- ENISA – Good Practices for Supply Chain Cybersecurity (June 2023): enisa.europa.eu.
- Luxembourg – ILR (competent NIS authority): NISS FAQ: ilr.lu/faq/niss and NISS sector page: ilr.lu/en/sectors/niss.
Note: supply chain obligations stem from NIS 2 Art. 21(2)(d); Art. 24 governs the (potentially mandatory) use of EU certification schemes to demonstrate conformity with certain Art. 21 requirements.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.