The Supply Chain & ICT Dependencies domain under the NIS2 Lens evaluates whether external dependencies, suppliers, and service providers are governed as integral components of enterprise cybersecurity risk. This domain determines whether your organization truly understands and controls who it depends on, and critically, what happens if those dependencies fail or become compromised.
In the ECIL, supply-chain risk is not treated as peripheral or secondary. It represents imported risk that must be governed with the same rigor, discipline, and oversight as internal systems. Modern enterprises operate within complex ecosystems of vendors, cloud providers, managed service providers, and technology partners. Each connection represents a potential vulnerability.
NIS2 regulations recognize this reality and demand that organizations move beyond simple vendor management to comprehensive supply chain security governance. The question is no longer whether you trust your suppliers, but whether you can demonstrate active, continuous management of the risks they introduce into your environment.
Key Principle
External risk must be managed, not assumed. Every supplier relationship introduces cybersecurity exposure that requires active governance.
NIS2 Focus
Regulators expect visibility into dependency decisions and evidence of lifecycle-oriented supplier security management.
Core Purpose & Objectives
Identify & Classify
Critical suppliers and dependencies must be systematically identified, documented, and classified based on their role in supporting essential services and operations.
Assess & Govern
Cybersecurity risks introduced by suppliers are thoroughly assessed and governed through formal processes that match internal security standards.
Enforce Expectations
Security expectations are embedded in contracts and enforced throughout the entire supplier lifecycle, from onboarding through exit.
Mitigate Concentration
Dependency and concentration risks are systematically understood, documented, and mitigated to prevent single points of failure.
The purpose of this domain is to ensure that external risk is managed as a deliberate strategic choice, not merely accepted as an unavoidable consequence of doing business. Organizations must demonstrate that they understand their supply chain exposure and have implemented proportionate controls.
This capability area examines whether your organization truly knows who and what it depends on. It sounds straightforward, but many organizations discover critical dependencies only during incidents or audits. Unidentified dependencies cannot be governed, assessed, or defended.
Comprehensive supplier identification requires cross-functional collaboration between procurement, IT, legal, and security teams. Shadow IT and informal vendor relationships create blind spots that attackers can exploit. NIS2 expects organizations to maintain current, accurate inventories of all ICT service providers and technology suppliers that support critical operations.
Comprehensive Inventory
Identification of all ICT service providers, cloud platforms, managed service providers, and technology suppliers
Dependency Mapping
Detailed mapping of dependencies supporting critical services and business processes
Risk Classification
Classification of suppliers by criticality level, data access, and potential security impact
Clear Ownership
Defined ownership and accountability for each supplier relationship and dependency
This capability area focuses on whether supplier risks are assessed both before and during engagement. Due diligence is a critical control point, not merely a compliance checkbox. Organizations must evaluate supplier security posture with the same rigor they apply to internal security assessments.
Pre-Onboarding Assessment
Comprehensive cybersecurity risk assessments conducted during supplier evaluation and selection processes
Posture Evaluation
Detailed evaluation of supplier security controls, incident history, certifications, and overall security maturity
Contextual Risk Analysis
Consideration of geographic, legal, operational, and geopolitical risks that may affect supplier reliability
Risk Acceptance
Formal documentation of risk acceptance decisions or required mitigation measures before engagement
Effective due diligence requires standardized assessment frameworks, clear risk thresholds, and escalation procedures for high-risk suppliers. Organizations should leverage industry standards, third-party assessments, and security questionnaires while recognizing that self-attestation alone is insufficient for critical suppliers.
This capability area evaluates whether cybersecurity expectations are formally enforced through legally binding agreements. Contracts convert risk expectations into enforceable commitments and provide leverage for ongoing security requirements.
Well-structured supplier contracts include specific security obligations, incident notification requirements, audit rights, and consequences for security failures. These provisions must be negotiated, not simply attached as boilerplate terms that suppliers ignore.
Security Requirements
Specific security controls, standards, and practices embedded directly in contractual terms and service level agreements
Incident Obligations
Clear requirements for incident notification, cooperation during investigations, and timely communication of security events
Audit & Verification Rights
Right-to-audit clauses, security assessment permissions, and requirements for independent security assurance reports
Subcontractor Governance
Requirements for managing subcontractors and fourth-party providers with equivalent security standards
Under NIS2, contractual safeguards must address data protection, security monitoring, incident response cooperation, and regulatory compliance obligations. Organizations should work with legal teams to ensure contracts reflect current threat landscapes and regulatory requirements rather than outdated templates.
1. Comprehensive security evaluation during supplier onboarding and contract negotiation
2. Periodic Reassessment
Scheduled reviews of supplier security posture, typically annually or based on risk classification
3. Continuous Monitoring
Ongoing awareness of supplier security incidents, breaches, and material changes to services
4. Change Management
Formal processes for evaluating changes in service scope, personnel, or technical infrastructure
5. Remediation & Escalation
Clear mechanisms for addressing identified issues and escalating unresolved security concerns
This capability area examines whether supplier risk is managed continuously, not only at the point of initial onboarding. Supplier security posture evolves over time, both improving and deteriorating. Organizations must maintain awareness of supplier incidents, significant changes, and emerging risks throughout the relationship lifecycle.
Effective monitoring combines periodic formal reassessments with continuous awareness of security events. Organizations should leverage threat intelligence, security ratings services, and industry information-sharing to supplement direct supplier assessments. When suppliers experience security incidents or material changes, organizations must be positioned to rapidly evaluate impact and adjust controls accordingly.
This capability area focuses on whether your organization can withstand supplier failure or compromise. Resilience depends on the ability to identify critical dependencies, understand concentration risks, and maintain viable exit strategies. Organizations that cannot disengage from compromised suppliers have surrendered control of their security posture.
Single Point of Failure Analysis
Systematic identification of suppliers whose failure would significantly impact critical operations or services
Critical service dependencies
Unique capability providers
Data custodians and processors
Concentration Risk Assessment
Evaluation of over-reliance on individual suppliers, geographic regions, or technology platforms
Vendor concentration metrics
Geographic risk diversification
Technology stack dependencies
Exit & Contingency Planning
Documented strategies for supplier substitution, service migration, and emergency disengagement scenarios
Alternative supplier identification
Transition procedures and timelines
Emergency termination protocols
Data & Asset Management
Clear controls for data return, secure deletion, and asset transition during supplier changes or terminations
Under NIS2, supply-chain security must be risk-based, lifecycle-oriented, and supervisable. This domain aligns closely with complementary regulatory frameworks including DORA ICT third-party risk management requirements, ISO/IEC 27001 supplier relationship controls, and SOC 2 vendor and service organization assurance standards.
Evidence supporting this domain must demonstrate active supplier governance, not merely the presence of contracts or policies. Supervisors expect to see documented processes, risk decisions, monitoring activities, and continuous improvement. Static documentation without evidence of ongoing execution will not satisfy regulatory scrutiny.
Representative Evidence Examples
Current supplier inventories with criticality classifications and risk ratings
Documented risk assessment and due diligence records for critical suppliers
Contracts containing specific, enforceable security clauses and obligations
Periodic monitoring reports and documented supplier incident communications
Dependency analysis and concentration risk assessments
Exit planning documentation and contingency procedures
1. Risk-Based
Supplier controls proportionate to criticality and risk exposure
2. Lifecycle-Oriented
Governance from onboarding through relationship termination
3. Supervisable
Clear evidence trail demonstrating active management and decisions
Supervisory Focus
Regulators expect visibility into dependency decisions: why critical suppliers were selected, how risks are managed, and what happens if they fail.
Recognizing common failure patterns helps organizations avoid predictable mistakes. These failures often create systemic risk beyond direct organizational control, making them particularly dangerous from both security and regulatory perspectives.
Unknown Dependencies
Critical suppliers remain unknown or undocumented, creating blind spots in risk management and incident response capabilities
Point-in-Time Assessments
One-time supplier assessments at onboarding with no ongoing monitoring or periodic reassessment of security posture
Unenforceable Contracts
Contracts lacking specific, enforceable security obligations or meaningful consequences for security failures
Vendor Lock-In
Inability to exit or substitute critical providers due to technical, contractual, or operational dependencies
How to Use This Framework
Assess current exposure created by external dependencies and identify gaps in supplier governance
Prepare for NIS2 supervisory focus on supply chains by building comprehensive evidence libraries
Align procurement, legal, and security governance to create unified supplier risk management
Explain dependency risk to executive management in business-relevant terms
Central Question
The Supply Chain & ICT Dependencies domain answers a critical NIS2 question: "Can the organization control the risk it imports from others?"