NIS2 Supply Chain: Why You May Need to Comply Even If You Are Not in Scope
You checked the NIS2 scope criteria: fewer than 50 employees, less than 10 million euro turnover, not in a critical sector. So NIS2 does not apply to you, right? Not so fast. If any of your clients fall under NIS2, they are legally required to assess your cybersecurity. That means NIS2 reaches you through the supply chain, whether you are directly in scope or not.
What NIS2 Actually Says About Supply Chains
NIS2 does not just suggest supply chain security. It mandates it. Article 21(2)(d) of Directive (EU) 2022/2555 requires essential and important entities to implement measures addressing (see our explanation of all NIS2 requirements for the full context):
"supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers"
— NIS2 Directive, Article 21(2)(d)
Article 21(3) goes further, requiring entities to evaluate the "overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures." This is not optional guidance. It is a legal requirement backed by fines of up to 10 million euro or 2% of global turnover.
How This Reaches You as a Supplier
Even though you are not directly regulated, NIS2 creates a cascade effect through your client relationships:
Your client registers as a NIS2 entity
They are legally required to assess their supply chain security.
They create a supplier security policy
NIS2 requires them to set minimum security requirements for all suppliers.
You receive a cybersecurity questionnaire
Your client needs to evaluate your security posture and document the results.
Your contract gets updated
New clauses require you to meet specific security standards, report incidents, and allow audits.
You either comply or lose the contract
Your client cannot work with suppliers who undermine their NIS2 compliance.
What Your Clients Will Ask For
Based on the NIS2 requirements and CCB guidance, expect your NIS2-regulated clients to request:
Certifications and frameworks
- CyberFundamentals (CyFun) Basic certification or self-assessment
- ISO/IEC 27001 certification
- SOC 2 Type II report (especially for IT/cloud services)
- Sector-specific certifications (PCI DSS for payments, etc.)
Documentation and evidence
- Written security policy
- Incident response procedure
- Business continuity and disaster recovery plan
- Penetration test or vulnerability scan results
- Employee security awareness training records
Contractual commitments
- Incident notification within agreed timeframes
- Right-to-audit clauses
- Data processing agreements aligned with security requirements
- Annual security self-assessment or third-party audit
The Belgian Context: CCB and CyberFundamentals
Belgium was the first EU Member State to transpose NIS2 into national law (Law of 26 April 2024). The Centre for Cybersecurity Belgium (CCB) has been clear about supply chain expectations: it explicitly recommends CyFun Basic as the minimum bar for any Belgian company supplying to NIS2 entities. CyFun Basic is not an overwhelming framework. It covers foundational measures that every business should have in place.
Timeline
Also read our guide for SMEs and NIS2 with practical steps you can afford.
Which Suppliers Are Most Affected?
Some suppliers will face supply chain requirements sooner and more intensely than others:
IT service providers and MSPs
NIS2 Recital 86 specifically singles out managed service providers due to their "close integration in entity operations." Ransomware groups like Qilin actively target MSPs because one breach unlocks access to dozens of clients. If you provide IT services to NIS2 entities, you are first in line.
Software vendors
Required to demonstrate secure development procedures and may need to provide Software Bills of Materials (SBOMs).
Cloud and SaaS providers
Expected to provide SOC 2 or ISO 27001 certifications and detailed security documentation.
Professional services (accounting, legal, HR)
Handle sensitive data for NIS2 entities. Will face data security requirements in updated contracts.
Physical suppliers and logistics
Less immediately affected unless handling data or connected systems, but supply chain policies may still reach them.
What to Do About It
You do not need to panic, but you do need to act. Here is a practical approach:
Identify your NIS2-regulated clients
Map which of your clients are in essential or important sectors. Healthcare, energy, transport, banking, digital infrastructure, and public administration are key.
Start with CyFun Basic
The CCB recommends this as the minimum for supply chain entities. It is manageable: foundational cybersecurity measures any business should have.
Document your security posture
Write down what you already do. Many SMEs have reasonable security but no documentation. That is the gap NIS2 exposes.
Prepare for questionnaires
Have answers ready for common supply chain security questions. A completed CyFun Basic assessment gives you 80% of those answers.
Talk to your IT partner
Your MSP or IT partner should be able to help you meet CyFun Basic. If they cannot, that is a red flag.
Turn Compliance Into Competitive Advantage
Most SMEs are not prepared. A 2025 survey found that 34% of SMEs cannot secure the budget for NIS2 compliance. That means the majority of your competitors are still doing nothing. Keep in mind the upcoming NIS2 deadlines: the sooner you act, the stronger your position. By getting CyFun Basic certified now, you:
- Keep existing contracts with NIS2-regulated clients
- Win new business from clients who need compliant suppliers
- Negotiate from strength when clients send questionnaires
- Reduce your own cyber risk in the process
- Position yourself ahead of competitors who wait
Your Next Step
Talk to your IT partner about NIS2 supply chain requirements. They can help you assess where you stand and what you need to do. If they are not familiar with CyFun or NIS2, forward them this article.
Frequently Asked Questions
Is NIS2 supply chain compliance legally required for suppliers?
Not directly. NIS2 regulates your clients, not you. But your clients are legally required to ensure their supply chain is secure. In practice, this means contractual requirements that are just as binding. If you do not comply, you lose the contract.
What is the minimum I need to do?
The CCB recommends CyberFundamentals (CyFun) Basic level as the minimum for supply chain entities. This covers foundational cybersecurity measures like access control, backups, incident response, and security awareness.
When will I start receiving these requirements from clients?
It is already happening. NIS2 entered into force in Belgium in October 2024. Essential entities must submit their CyFun Basic assessment by April 2026. As they prepare, they are building supplier inventories and writing supply chain policies now.
What if I only have a few employees?
Size does not matter for supply chain requirements. Even a 5-person company that supplies IT services to a hospital (essential entity) will face these requirements. NIS2 scope thresholds (50 employees / 10M euro) only apply to direct regulation, not to supply chain obligations.
Can my IT partner help me with this?
Yes. A good MSP or IT partner should be able to guide you through CyFun Basic and help you prepare for client questionnaires. Ask them about their NIS2 and CyberFundamentals experience.