Watching the tributaries

Currents

The river has tributaries feeding into it. Your suppliers and partners bring their own risks into your environment. NIS2 explicitly requires managing these risks because high-profile incidents such as SolarWinds, Kaseya, and Log4j have shown how supplier compromises can cascade to customers. Weaknesses upstream can pull you under even if your own defences are strong.

Why this matters now

Your obligations include taking appropriate measures to manage supply chain risks, considering vulnerabilities specific to each supplier, including security requirements in contracts, and monitoring supplier security posture over time. If your suppliers are also in scope for NIS2, they have their own compliance requirements. Coordination can prevent duplication while ensuring nothing falls through the gaps.

Map and classify your supply chain

Start with identification:

  • IT systems and software, including SaaS, cloud infrastructure, and managed services

  • Network and telecommunications providers connecting your operations

  • Hardware and equipment suppliers

  • System integrators and consultants with access to your environment

  • Outsourced business processes such as payroll, customer support, or logistics

Classify suppliers by risk and criticality:

  • Critical suppliers are single points of failure, are difficult to replace quickly, have access to critical systems or sensitive data, or are essential for service delivery

  • Important suppliers have a significant impact if compromised, have access to some systems or data, and can be replaced only with disruptive effort

  • Standard suppliers have limited access or impact, are easily replaceable, and provide commodity services

Set and enforce security requirements

Establish minimum security standards, which may include:

  • Security certifications such as ISO 27001 or SOC 2 for critical suppliers

  • Completion of security questionnaires demonstrating baseline controls

  • Incident notification obligations so you know when supplier incidents affect you

  • Audit rights and regular reporting to verify continued compliance

  • Data protection measures meeting your organisation’s standards

  • Business continuity capabilities so supplier failures do not become your failures

Contractual requirements formalise these expectations:

  • Include security baseline requirements in supplier contracts

  • Set incident notification timelines aligning with your own obligations

  • Reserve the right to audit or request evidence as needed

  • Require approval for subcontractors and flow-down of security requirements

  • Define data handling and protection requirements clearly

  • Include termination rights for serious security breaches

  • Address liability and indemnification for security failures

  • Reference NIS2 compliance where suppliers are also in scope

Monitor continuously, not just at onboarding

Regular assessments provide ongoing assurance:

  • Conduct annual security reviews for critical suppliers as a minimum

  • Update questionnaires to capture control changes

  • Verify that certifications remain current

  • Monitor supplier security posture through threat intelligence and industry reports

  • Track supplier incidents to identify emerging risks

Continuous oversight helps catch problems early. Monitor supplier-reported security incidents, vulnerability disclosures, patch updates, financial stability, and compliance with contractual obligations.

Red flags that require immediate action include:

  • Supplier security incidents affecting your data or services

  • Loss of certifications indicating control failures

  • Significant ownership or control changes altering the risk profile

  • Financial distress threatening business continuity

  • Repeated SLA breaches suggesting operational problems

  • Non-compliance with security contract terms

Plan for contingency and failure

Identify alternative suppliers for critical services before you need them. Maintain relationships with backup vendors, test failover capabilities, and document transition procedures.

Build exit strategies into relationships:

  • Ensure data extraction procedures allow you to retrieve your information

  • Prepare knowledge transfer plans to avoid dependency on supplier expertise

  • Plan realistic transition timelines reflecting complexity

  • Include contract termination clauses protecting your interests

Resilience measures reduce dependency risk. Maintain a diverse supplier portfolio, avoid over-reliance on single vendors for critical functions, consider geographic distribution for disaster resilience, and implement multi-cloud strategies where appropriate.

If you are also a supplier to others

Understand your customers’ NIS2 obligations and how your organisation fits in. Comply with their security requirements, provide reporting and evidence when requested, and maintain your own NIS2 compliance if you are independently in scope.

Take a collaborative approach:

  • Share threat intelligence with trusted suppliers

  • Coordinate incident response when incidents affect multiple parties

  • Participate in sector information sharing

  • Build security partnerships based on trust and transparency, not just contractual obligations

Output

The output of this stage is a supplier inventory with risk classifications, a security requirements matrix mapping controls to supplier tiers, an assessment schedule with results tracking, contractual templates for new suppliers, monitoring procedures that detect problems early, and contingency plans for critical supplier failures.

Contact us to discuss your tributaries and whether we can help with this mapping and planning.