← All articles

consultant

NIS 2 and supply chain: the EU Toolbox is a game changer

Adopted on 13/02/2026, the EU ICT Supply Chain Security Toolbox is now the operational benchmark for NIS 2 Article 21(2)(d). In Luxembourg, the ILR will verify its implementation by entities.

Excerpt — On 13 February 2026, the NIS Cooperation Group adopted the EU ICT Supply Chain Security Toolbox. For Luxembourg NIS 2 entities, it is the operational roadmap to meet Article 21(2)(d) — and what the ILR will supervise.

The facts

On 13 February 2026, the European Commission published the EU ICT Supply Chain Security Toolbox, adopted by the NIS Cooperation Group (Member States) together with the Commission and ENISA. Objective: a common approach to identify, assess and mitigate cybersecurity risks in ICT supply chains, with risk scenarios and recommended mitigation measures. Two sectoral risk assessments (connected vehicles and detection equipment) accompany it. Official source: European Commission, publication “Toolbox to improve ICT supply chain security” (13/02/2026). See the document and annexes on the Commission’s website. (digital-strategy.ec.europa.eu)

In Luxembourg, the Law of 5 May 2026 transposes NIS 2. The ILR reiterates that the security measures under Article 21 NIS 2 include “supply chain security” and provides a dedicated page on national measures and obligations. (ilr.lu)

Legal reasoning

  • EU framework. Article 21 of Directive (EU) 2022/2555 (NIS 2) mandates “appropriate and proportionate” measures covering at least 10 areas, including “supply chain security”; entities must consider suppliers’ specific vulnerabilities and the quality/security of their products and secure development practices. (eur-lex.europa.eu)
  • Toolbox as reinforced interpretation. The 13 February 2026 Toolbox provides a common baseline: risk typology (critical dependencies, software integrity, updates, end-of-life support, MSP/MSSP providers), supplier assessment criteria, contract controls, ongoing supervision, and levers to reduce dependencies on “high-risk” suppliers. It is a coordinated recommendation from the NIS Cooperation Group, used by national authorities, including the ILR, to ensure convergent application. (digital-strategy.ec.europa.eu)
  • Interplay with other instruments. Article 24 NIS 2 allows Member States to require the use of certified products/solutions under EU schemes (Cybersecurity Act) to demonstrate compliance with certain Article 21 requirements — a relevant tool for critical supply chain components. (nis2resources.eu)
  • ENISA operational expectations. On 26 June 2025, ENISA issued Technical Implementation Guidance for the NIS 2 implementing act (2024/2690), including a concrete “Supply chain security” chapter: SCRM policy, supplier accreditation criteria, expected evidence, and mappings to standards. Non-binding legally, but the de facto technical yardstick for audits. (enisa.europa.eu)
  • Luxembourg transposition. The ILR, as competent authority, notes on its NIS 2 pages that: (i) the Law of 5 May 2026 mandates these measures; (ii) supply chain is explicitly required; (iii) national info sessions and consultations shape supervision. In practice, your SCRM programme will be assessed against these references. (ilr.lu)

What this changes in practice

For executives, DPOs and CISOs of “essential” or “important” entities, SCRM maturity is now verifiable. Day-to-day governance can be strengthened via structured cyber leadership, while demonstrating alignment with NIS 2 in Luxembourg requires tangible evidence.

  • Formalised SCRM policy. The Toolbox and ENISA expect a supply chain security policy covering supplier segmentation (critical/non-critical), onboarding criteria (secure SDLC, SBOM, known vulnerabilities, patching practices), and governance (risk committee, acceptance thresholds, documented exemptions). Reference: Toolbox (13/02/2026); ENISA Technical Guidance (26/06/2025). (digital-strategy.ec.europa.eu)
  • Pre-contract due diligence and minimum clauses. Contracts with critical suppliers should include: proportionate audit rights, MFA/FIDO2 for remote access, vulnerability/incident notification, remediation timelines, continuous SBOM, maturity obligations (ISO 27001/IEC 62443 by sector), rules for cascading subcontracting and reversibility. These levers are listed in the Toolbox and detailed by ENISA. (digital-strategy.ec.europa.eu)
  • Continuous assessment and evidence. NIS 2 goes beyond initial due diligence. You need: (i) continuous supplier scoring (vulnerability feeds, threat intel, EOL/EOS), (ii) restoration and dependency-break tests, (iii) exit plans for single points of failure, (iv) an SCRM dashboard mapped to the CMDB. These elements demonstrate the proportionality required by Article 21. (eur-lex.europa.eu)
  • Art. 24 and certification. For sensitive building blocks (MSSP, PKI, HSM, IAM), relying on EU schemes (EUCC, EUCS when available) eases demonstrating to the ILR that Article 21 requirements are met, pursuant to Article 24. (nis2resources.eu)
  • Luxembourg alignment. The ILR lists NIS 2 measures and the role of supply chain. Expect to justify supplier choices and critical dependencies during audits, based on the Toolbox + ENISA pair. (ilr.lu)

Concrete examples

  • Bank/PSF cloud: include in the cloud contract SBOM, VEX, patch timelines for exploited vulnerabilities, phishing-resistant MFA, tamper-evident and exportable logs, quarterly reversibility tests; map dependencies of core banking and third-party connectors. (digital-strategy.ec.europa.eu)
  • Digital infrastructure operator: require MSP/MSSP proof of tenant isolation, just-in-time access, and annual third-party audits; plan the fallback to a backup provider. (digital-strategy.ec.europa.eu)

Common pitfalls

  1. “Light” MSP/MSSP contracts. Missing clauses on vulnerability management, 24/72 h notification, environment separation and audit rights fall short of Toolbox/ENISA expectations — risking non-compliance with Article 21(2)(d). (digital-strategy.ec.europa.eu)
  2. Static assessments. One-off due diligence without continuous monitoring (EOL/EOS, critical CVEs, ownership changes, public incidents) is insufficient given the dynamic risks described by the Toolbox. (digital-strategy.ec.europa.eu)
  3. Open-source blind spot. Not requiring SBOM/VEX for open-source components in embedded software/SaaS remains a major gap; the Toolbox and ENISA stress software integrity and transitive dependency management. (digital-strategy.ec.europa.eu)
  4. One-size-fits-all. Applying identical controls to a print vendor and a critical IAM editor breaches NIS 2 proportionality; segmentation and graduated measures are needed. (eur-lex.europa.eu)
  5. Forgetting Article 24. Ignoring EU certification schemes for critical components removes a strong compliance lever — and complicates evidence before the ILR. (nis2resources.eu)

Official sources

  • European Commission — EU ICT Supply Chain Security Toolbox (publication and downloads, 13 February 2026). (digital-strategy.ec.europa.eu)
  • ENISA — Supporting NIS2 implementation through actionable guidance (press release and technical guidance, 26 June 2025). (enisa.europa.eu)
  • EUR-Lex — Directive (EU) 2022/2555 (NIS 2), Art. 21 and recitals on supply chain; Art. 24 (certification). (eur-lex.europa.eu)
  • ILR (Luxembourg) — NIS 2: Law of 5 May 2026, security measures, supply chain. (ilr.lu)

In short: since 13 February 2026, the EU Toolbox provides the operational standard for supply chain security under NIS 2. In Luxembourg, the ILR will check its implementation: a live SCRM policy, hardened contracts, continuous monitoring and, where relevant, EU certification — all as evidence of Article 21 compliance. (digital-strategy.ec.europa.eu) For pragmatic support, see our NIS 2 legal brief or engage dedicated DPO expertise.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →