
Vendor Assurance Under NIS2: What Article 21 Requires for Supply Chain Security
NIS2 Article 21(2)(d) requires continuous supply chain security. Point-in-time vendor assessments are no longer sufficient. Learn what the directive expects and how to meet it operationally.
NIS2 changed the rules for how organisations manage vendor risk. Article 21(2)(d) doesn't just ask whether you've assessed your vendors — it asks whether you can demonstrate continuous supply chain oversight, with documented evidence, at any point an authority requests it. For many organisations, this means rethinking vendor assurance from the ground up.
NIS2 requires operational supply chain security — not just governance. Annual questionnaires and static risk registers don't satisfy Article 21(2)(d). Continuous vendor oversight, structured assessments, and auditable evidence do.
Jump to:
- What Article 21(2)(d) actually says
- Why annual assessments aren't enough
- What continuous vendor assurance looks like
- How a Trust Center operationalises it
- Practical steps to get started
What Article 21(2)(d) Actually Says {#article-21-2d}
Article 21(1) of the NIS2 Directive requires essential and important entities to take "appropriate and proportionate technical, operational and organisational measures" to manage cybersecurity risks. Article 21(2) then lists minimum measures — and point (d) is explicit:
"supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers"
The directive goes further. Article 21(3) requires that when assessing supply chain measures, entities take into account "the vulnerabilities specific to each direct supplier and service provider" as well as "the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures."
This is not a soft requirement. It targets the operational reality of how you manage vendor relationships — not just whether you have a policy that says you should.
In Germany, the NIS2 implementing legislation (NIS2UmsuCG) entered into force on 6 December 2025 with no transition period. Approximately 30,000 organisations are now directly affected. The obligation to demonstrate supply chain oversight is binding today.
Why Annual Assessments Aren't Enough {#annual-not-enough}
Most vendor assurance programs today follow a familiar pattern: send a questionnaire at onboarding, maybe repeat it annually, file the results, and move on. This was adequate under older risk management expectations. Under NIS2, it falls short in three specific ways.
1. The Directive Requires Continuity, Not Snapshots
Article 21(2)(d) refers to "security-related aspects" of vendor relationships — present tense, ongoing. Combined with Article 21(2)(f), which requires "policies and procedures to assess the effectiveness of cybersecurity risk-management measures," the directive expects organisations to demonstrate that vendor oversight is continuous. A questionnaire from twelve months ago doesn't prove anything about today's posture.
2. Vendor Risk Changes Faster Than Assessment Cycles
Certifications expire. Subprocessors change. Policies evolve. A vendor that scored well in January may have introduced a new data processor, changed hosting providers, or let a penetration test lapse by June. If your assessment cycle doesn't keep pace with these changes, you're flying blind between reviews.
3. Authorities Can Request Evidence at Any Time
NIS2 gives competent authorities broad powers to conduct audits, inspections, and information requests. Under Article 32 (for essential entities) and Article 33 (for important entities), authorities can require organisations to provide evidence of compliance with Article 21 — including supply chain measures — at any time. "We'll update our vendor register before the next audit" is no longer a strategy.
What Continuous Vendor Assurance Looks Like {#continuous-assurance}
Meeting Article 21(2)(d) operationally means moving from periodic snapshots to a structured, ongoing process. This doesn't mean assessing every vendor every day. It means having a system that maintains visibility, detects changes, and produces auditable evidence on demand.
Structured Assessments Tied to Frameworks
Vendor questionnaires should be built against recognised frameworks — ISO 27001, SOC 2, NIS2's own requirements — not ad hoc question lists. This ensures consistency across vendors and alignment with the standards auditors will reference. AI-supported questionnaire creation can accelerate this by suggesting framework-aligned questions and filling gaps in coverage.
Consistent, Documented Evaluation
Evaluation should be repeatable and defensible. When an authority asks "how did you assess this vendor?", the answer should be a structured evaluation report — not "our security analyst reviewed it." AI-powered evaluation can score responses against defined criteria, flag contradictions, compare to previous submissions, and generate documented reports with rationale. The human role shifts from doing the evaluation to reviewing and approving it.
Ongoing Monitoring With Portfolio Visibility
Continuous monitoring tracks how vendor scores evolve over time, alerts when certifications expire or scores drop, and provides portfolio-level dashboards that show the overall health of your vendor ecosystem. This satisfies the continuity expectation in Article 21(2)(d) — you can demonstrate, at any point, that you have current visibility into your supply chain's security posture.
Auditable Evidence Trail
Every questionnaire sent, every response received, every evaluation produced, every score change — logged, timestamped, and exportable. This is the evidence layer that turns vendor assurance from an internal process into a compliance asset. When an authority exercises its information request powers under Articles 32 or 33, you produce a report — not a scramble.
How a Trust Center Operationalises Vendor Assurance {#trust-center-operationalises}
An ISMS defines what you require from vendors. A Trust Center operationalises how you verify it. The two are complementary, not competing.
Your ISMS Already Covers Governance
If you have an ISMS aligned with ISO 27001, you likely have policies for supplier relationships (Annex A 5.19-5.23), risk assessment procedures, and internal controls. This is the governance foundation NIS2 expects under Article 20 and parts of Article 21. Keep it.
What's Missing Is the Operational Layer
The gap isn't in policy — it's in execution. Most ISMS solutions don't include tools for distributing questionnaires to vendors, automatically evaluating their responses, tracking score changes over time, or producing on-demand evidence for regulators. They document what you should do. A vendor assurance platform does it.
How the Pieces Connect
The connection between ISMS governance and operational vendor assurance looks like this:
| ISMS (Governance) | Trust Center Vendor Assurance (Operations) |
|---|---|
| Defines vendor risk categories and assessment criteria | Creates and distributes questionnaires based on those criteria |
| Requires periodic vendor review | Automates distribution schedules and reminders |
| Documents evaluation methodology | AI evaluates responses against defined criteria with reports |
| Requires evidence of ongoing oversight | Continuous monitoring with dashboards, alerts, and audit logs |
| Mandates incident communication | Centralised incident workflow with vendor notification |
This isn't about replacing your ISMS. It's about giving it an operational front end that satisfies the supply chain requirements NIS2 introduced.
Practical Steps to Get Started {#get-started}
You don't need to overhaul your vendor assurance overnight. NIS2 expects proportionate measures — and most organisations can build toward compliance incrementally.
Step 1: Categorise Your Vendors by Criticality
Not every vendor requires the same level of oversight. Classify vendors by how critical they are to your operations and how much access they have to your data or systems. Focus your most rigorous assessments on vendors in your highest risk tier.
Step 2: Replace Ad Hoc Questionnaires with Framework-Aligned Assessments
Move from copy-pasted spreadsheets to structured assessments based on ISO 27001, SOC 2, or NIS2 requirements. Use AI-supported questionnaire creation to fill gaps and ensure framework coverage. This creates consistency across your entire vendor base.
Step 3: Introduce AI-Powered Evaluation
Stop spending 30-45 minutes manually reviewing each vendor response. Let AI score responses against your criteria, flag contradictions, compare to historical data, and produce evaluation reports. Review and approve — same rigor, fraction of the time.
Step 4: Set Up Continuous Monitoring
Move from point-in-time to portfolio-level visibility. Track vendor scores over time, set alerts for score drops and expiring certifications, and maintain a dashboard that shows your supply chain's health at any moment.
Step 5: Connect the Evidence
Ensure every questionnaire, evaluation, and monitoring event produces an auditable artifact. When an authority requests evidence of your supply chain security measures, you should be able to produce it in minutes — not days.
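The five steps above describe one monitoring loop: tier vendors by criticality, hold their assessment scores over time, alert on score drops and expiring certifications, and write every finding to a timestamped evidence trail. The following Python script is an added illustration of that loop, not code from the original page or from any vendor assurance product it describes. The vendor names, scores, dates, tier cadences and thresholds are constructed sample values, and the data model (a `Vendor` with a score history and a certification map, an append-only `AuditLog`) is an assumption chosen for the example.

```python
"""Continuous vendor-assurance monitor (added example; not the page's own code).

Assumed model (hypothetical): each vendor has a criticality tier, a score
history and certifications with expiry dates. The monitor flags score drops,
expiring or expired certifications and overdue reviews, and appends every
finding to a timestamped audit log that can be exported as JSON evidence.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
import json

# Assumed policy parameters (hypothetical; not taken from the directive).
REVIEW_CADENCE_DAYS = {"tier1": 90, "tier2": 180, "tier3": 365}
SCORE_DROP_THRESHOLD = 10       # points lost since the previous assessment
CERT_EXPIRY_WARNING_DAYS = 60   # warn this many days before a certificate lapses


def classify_tier(operationally_critical: bool, data_access: str) -> str:
    """Step 1: derive the criticality tier from dependency and data access."""
    if operationally_critical or data_access == "customer_data":
        return "tier1"
    if data_access == "internal":
        return "tier2"
    return "tier3"


@dataclass
class Vendor:
    name: str
    operationally_critical: bool
    data_access: str                 # "customer_data", "internal" or "none"
    certifications: dict             # certification name -> expiry date
    score_history: list = field(default_factory=list)  # [(assessment date, score 0-100)]

    @property
    def tier(self) -> str:
        return classify_tier(self.operationally_critical, self.data_access)


@dataclass
class AuditLog:
    """Step 5: append-only evidence trail; every entry is sequenced and timestamped."""
    entries: list = field(default_factory=list)

    def record(self, vendor: str, event: str, detail: str, now: datetime) -> None:
        self.entries.append({"seq": len(self.entries) + 1, "timestamp": now.isoformat(),
                             "vendor": vendor, "event": event, "detail": detail})

    def export(self) -> str:
        """Exportable report for an information request."""
        return json.dumps(self.entries, indent=2)


def check_vendor(vendor: Vendor, today: date, log: AuditLog) -> list:
    """Step 4: compute alerts for one vendor and log each of them."""
    now = datetime.combine(today, datetime.min.time(), tzinfo=timezone.utc)
    alerts = []
    history = sorted(vendor.score_history)
    if len(history) >= 2:                     # score trend since the last assessment
        (_, prev), (_, last) = history[-2], history[-1]
        if prev - last >= SCORE_DROP_THRESHOLD:
            alerts.append(f"score dropped from {prev} to {last}")
    if history:                               # review cadence depends on the tier
        last_date = history[-1][0]
        if (today - last_date).days > REVIEW_CADENCE_DAYS[vendor.tier]:
            alerts.append(f"review overdue for {vendor.tier} (last {last_date.isoformat()})")
    else:
        alerts.append("never assessed")
    for cert, expiry in vendor.certifications.items():
        days_left = (expiry - today).days
        if days_left < 0:
            alerts.append(f"{cert} expired on {expiry.isoformat()}")
        elif days_left <= CERT_EXPIRY_WARNING_DAYS:
            alerts.append(f"{cert} expires in {days_left} days")
    for alert in alerts:
        log.record(vendor.name, "alert", alert, now)
    log.record(vendor.name, "check_completed", f"{len(alerts)} alert(s)", now)
    return alerts


def portfolio_summary(vendors: list, today: date, log: AuditLog) -> dict:
    """Portfolio-level view: alerts per vendor and alert counts per tier."""
    summary = {"by_vendor": {}, "alerts_per_tier": {}}
    for vendor in vendors:
        alerts = check_vendor(vendor, today, log)
        summary["by_vendor"][vendor.name] = alerts
        summary["alerts_per_tier"][vendor.tier] = (
            summary["alerts_per_tier"].get(vendor.tier, 0) + len(alerts))
    return summary


# Constructed sample portfolio: fictional vendors, scores and dates.
SAMPLE_TODAY = date(2026, 3, 1)
SAMPLE_VENDORS = [
    Vendor("Hosting Co", True, "customer_data", {"ISO 27001": date(2026, 4, 15)},
           [(date(2025, 9, 1), 88), (date(2026, 2, 20), 74)]),
    Vendor("Payroll SaaS", False, "internal", {"SOC 2": date(2025, 12, 31)},
           [(date(2025, 6, 1), 90)]),
    Vendor("Office Supplies", False, "none", {}, []),
]

if __name__ == "__main__":
    evidence = AuditLog()
    print(json.dumps(portfolio_summary(SAMPLE_VENDORS, SAMPLE_TODAY, evidence), indent=2))
    print(evidence.export())
```

Run against the sample portfolio, the tier-1 hosting vendor is flagged for a 14-point score drop and a certificate lapsing within the warning window, the tier-2 vendor for an overdue review and an already expired SOC 2 report, and the tier-3 vendor for never having been assessed; each finding lands in the log as its own sequenced entry, which is the artifact an information request would be answered with.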
NIS2 Vendor Assurance Is About Operations, Not Documentation
The shift NIS2 introduced is clear: managing supply chain risk is no longer about having a policy. It's about demonstrating that you operate a system. That system needs to assess vendors against real frameworks, evaluate their responses consistently, monitor changes over time, and produce evidence on demand.
Organisations that treat vendor assurance as an operational capability — not a documentation exercise — are the ones that will satisfy Article 21(2)(d) without turning compliance into a permanent fire drill.
Sources
- Directive (EU) 2022/2555 (NIS2 Directive) – Full Text – Official Journal of the European Union. The complete NIS2 Directive text, including Articles 20, 21, 32, and 33 referenced throughout this article.
- ENISA – NIS2 Directive Overview – European Union Agency for Cybersecurity. Background on the directive's scope, objectives, and implementation guidance.
- BSI – NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) – Bundesamt für Sicherheit in der Informationstechnik. Germany's implementing legislation, registration requirements, and guidance for affected organisations.
- ISO/IEC 27001:2022 – Information Security Management Systems – International Organization for Standardization. The ISMS standard referenced as the governance baseline, including Annex A controls 5.19-5.23 on supplier relationships.
- ENISA – Implementing Guidance on NIS2 Security Measures – Technical guidance on implementing the risk management measures required by Article 21.
- ENISA – Supply Chain Security Best Practices – Good practices for assessing and managing supply chain cybersecurity risks, directly relevant to Article 21(2)(d).