NIS2 and IT suppliers: how to handle the supply chain

NIS2 entities must assess their IT suppliers. What to ask, what to require contractually, what to accept as an attestation.


TL;DR

NIS2 Article 21 point 4 obliges in-scope entities to assess the security of their IT suppliers. In practice this means questionnaires, attestations, contract clauses and periodic checks. For Italian MSPs it is both a new revenue line and a new risk.

What NIS2 asks of suppliers

Three things:

  1. Cooperation: the supplier must cooperate with the NIS2 customer during incidents.
  2. Transparency: the supplier must declare its security measures in a verifiable way.
  3. Continuity: the supplier must maintain adequate availability of its services.

What to ask of an IT supplier

A standard 15-20 question questionnaire:

  1. Do you have an approved information security policy?
  2. Are you ISO 27001:2022 certified (or equivalent)?
  3. Are you ISO 27017 and 27018 certified for cloud?
  4. Do you have a documented and tested DR plan?
  5. What are the RTO and RPO targets of your services?
  6. Do you have an incident notification procedure?
  7. Is MFA enforced on all privileged accounts?
  8. Is patch management documented?
  9. Do you run periodic vulnerability scanning?
  10. Do you run an annual penetration test?
  11. Do you hold professional cyber liability insurance?
  12. Are backups encrypted and stored off-site?
  13. Is support staff trained on cyber security?
  14. Are logging and a SIEM in place in production?
  15. Do you have a procedure for changes that affect security?

Standard contract clauses

Four minimum clauses for contracts with NIS2-relevant suppliers:

  1. Incident notification: the supplier notifies the customer within 24h of any security incident that may affect the service.
  2. Audit right: the customer may audit the supplier with reasonable notice (annually or after an incident).
  3. Sub-suppliers: mandatory disclosure of critical sub-suppliers and their scope.
  4. Service continuity: an SLA with a documented RTO.

What to accept as attestation

For suppliers that refuse direct audits (legitimate for large cloud providers), accept one of the following:

  • ISO 27001:2022 certificate with the list of applied Annex A controls;
  • SOC 2 Type II report;
  • ENISA EUCS (the EU cloud services certification scheme);
  • independent third-party attestations.

If none of these is available, replace the supplier.

Sefthy as a NIS2-ready supplier

Sefthy provides NIS2 customers with:

  • ISO 27001:2022, 27017, 27018, 9001 certifications;
  • attestations exportable from the console;
  • SLA with documented RTO;
  • incident notification within 4h of detection;
  • annual audit included in PRO plans.

FAQ

Must I audit every supplier?

No. Only the "critical" ones — those whose interruption affects the company's NIS2-relevant service.

How often are supplier questionnaires updated?

Annually, or after any significant change to the service.

For the full checklist, see the NIS2 audit checklist. For technical measures, see NIS2 minimum technical measures.

Want to see Sefthy in action?

Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.