Seven questions you should ask your suppliers to ensure NIS2 compliance

Jelle Groenendaal
October 30, 2025
15 min read

As NIS2 expands the compliance burden across supply chains, risk professionals need to ensure their suppliers are not a weak link. This blog outlines seven essential questions to ask vendors, complete with explanations, red flags, and what a good response looks like. Ideal for risk, compliance, and procurement teams preparing for NIS2 enforcement.


The EU’s NIS2 Directive is reshaping how organisations approach supplier risk management. Vendor due diligence is now a regulatory obligation with real consequences, not an optional best practice. Nearly 98% of organisations have a relationship with a third party that has been breached, and 61% experienced a third-party breach in 2023. In response, NIS2 explicitly requires in-scope entities to manage supply chain cybersecurity risks as part of their own compliance.

If one of your suppliers has weak security, it becomes your compliance issue. Senior leadership is accountable for third-party cyber risks and can face penalties if due diligence slips. NIS2 is turning up the pressure: it’s pushing organisations to scrutinise vendors with the same rigour they apply to their own networks.

Modern risk managers must therefore treat vendor risk assessments as critical, not optional. NIS2 is reshaping supplier risk management by making supply chain security a baseline expectation of doing business. A supplier’s cyber incident can now trigger regulatory scrutiny for the client as well. The message is clear: checking your suppliers’ security is now mandatory homework, not an afterthought.

This blog equips you with seven essential questions to ask your suppliers to ensure they, and by extension, you, meet NIS2’s standards. But first, let’s quickly recap who falls in the scope of NIS2 and why even organisations outside its direct scope can’t ignore its impact.

Who is in scope of NIS2 (And why out-of-scope organisations are still affected)

NIS2 Scope: The Directive applies to a wide range of organisations across the EU, expanding on the original NIS Directive. It distinguishes between “essential entities” and “important entities”; which category an organisation falls into depends on both its sector and its size. Sectors of high criticality include energy, transport, banking, healthcare, digital infrastructure, and public administration, and large organisations in these sectors are essential entities. Other critical sectors include food production, chemicals, manufacturing of critical products, postal and courier services, and waste management; organisations in these sectors (and medium-sized ones in the high-criticality sectors) are generally important entities.

Generally, medium-sized and large companies (50+ employees, or over €10 million in annual turnover or balance sheet total) in these sectors are in scope. Small and micro enterprises are usually exempt unless uniquely critical. Certain non-EU providers that offer services in the EU (such as DNS, cloud computing, data centre, content delivery, managed service and online platform providers) must designate a representative established in the EU and comply with NIS2 obligations.

Beyond the scope, but still influenced

Even if your company isn’t directly regulated, you’re not off the hook. Regulated customers will flow down NIS2 requirements to their vendors contractually. For example, a small software provider to a hospital or energy firm will likely be asked to meet NIS2-level requirements. Many out-of-scope companies are aligning voluntarily to demonstrate reliability and reduce risk exposure. Secure supply chain management is quickly becoming the norm.

This regulatory cascade is already visible across industries: large enterprises are asking suppliers to evidence cybersecurity controls, complete detailed risk questionnaires, and provide proof of certifications before contracts are renewed. In practice, NIS2 is setting a new baseline of due diligence for every company participating in a digital supply chain.

Seven essential questions to ask suppliers for NIS2 compliance

1. “Do you have a formal cybersecurity risk management program with executive oversight?”

Why it matters: NIS2 demands a risk-based approach to cybersecurity with clear governance and board-level accountability. Leadership must be involved in managing cyber risks, including those posed by suppliers. Without structured oversight, suppliers can't meet NIS2's rigour.

What to look for: A comprehensive security program with formal policies, dedicated security personnel (CISO or security lead), and regular risk assessments. Management involvement through governance committees or board reporting. Example: "We have an ISO 27001-aligned program, with a Security Manager reporting to executives quarterly on risk."

Red flags: No security leadership, lack of formal processes ("We handle issues as they come"), or management not being involved.

2. "Which cybersecurity standards or certifications do you adhere to?"

Why it matters: NIS2 requires in-scope entities to take into account the specific vulnerabilities of each direct supplier and the overall quality of their cybersecurity practices. Recognised frameworks like ISO/IEC 27001, NIST CSF, or SOC 2 indicate formal controls and external validation, helping you evidence that a supplier meets NIS2 baseline expectations.

What to look for: Specific certifications or attestations (ISO 27001 certification, an ISO 27017 extension for cloud services, a SOC 2 Type II report) with evidence of regular audits and compliance maintenance. Check that the certificate scope actually covers the service you buy; a certificate for one data centre or business unit says nothing about the others. Example: "We're ISO 27001 certified with annual audits and map our controls to NIST CSF."

Red flags: No standards ("We do our own thing"), promises without proof ("We're planning to get certified"), a certificate whose scope excludes the service you use, or reluctance to share audit details.

3. "Do you conduct regular security risk assessments and testing (such as penetration tests) on your systems?"

Why it matters: NIS2's risk-based approach requires continuous evaluation of threats and vulnerabilities. Continuous monitoring and periodic testing are now the norm for compliance. One-time assessments aren't sufficient.

What to look for: Scheduled risk assessments (annual/quarterly) plus testing during major changes. External penetration testing, vulnerability scans, or continuous monitoring. Ask for the scope and an executive summary of the most recent penetration test, and for evidence that the findings were remediated, rather than settling for a yes/no answer. Example: "Annual third-party audits, quarterly vulnerability scans, and twice-yearly penetration testing by external firms."

Red flags: Stale assessments ("We did an audit years ago"), ad-hoc approaches ("We scan when needed"), no third-party validation, or test reports with findings that remain open release after release.

4. "How do you manage software updates and patch known vulnerabilities in your systems?"

Why it matters: Many breaches stem from unpatched vulnerabilities. NIS2 expects timely patching as part of cyber hygiene and risk management. Slow patching creates unacceptable risks.

What to look for: Clear patch management routines with defined timelines that are tied to severity and to whether a vulnerability is being actively exploited, plus an asset inventory, since a patch timeline only covers the systems the supplier knows it has. Example: "Critical patches applied within 24 to 72 hours. We use automated update management, monitor threat feeds, and maintain asset inventories to ensure complete coverage."

Red flags: No formal schedule ("We patch when we have time"), outdated systems, or inability to articulate their patching process.

5. "What is your incident response plan, and how quickly will you notify us if you experience a cybersecurity incident?"

Why it matters: NIS2 requires in-scope entities to send an early warning of a significant incident within 24 hours of becoming aware of it, a fuller incident notification within 72 hours, and a final report within a month. Your own clock starts when you become aware, so a supplier that takes days to tell you about an incident affecting your services eats into your reporting window. Third-party incidents should be treated with the same urgency as internal ones. You need transparent partners who communicate promptly during crises.

What to look for: Documented incident response plan with 24/7 capability and rapid notification commitments.

Example: "24/7 incident response team. Customer notification within 24 hours for impacting incidents, with incident reports within 48 hours. We test our plan through regular drills."

Red flags: No defined process, vague timelines ("We'll investigate fully first, which might take a while"), or lack of preparation ("We haven't had incidents, so no formal plan").

6. "Do you rely on any subcontractors or fourth-party providers, and how do you ensure they are secure?"

Why it matters: NIS2 expects organisations to address security across their entire supply ecosystem. 97% of large financial firms were impacted by fourth-party breaches. Your vendor's vendors are part of your risk landscape.

What to look for: Transparency about subcontractors with rigorous vetting processes. Example: "We use subcontractors for data centre hosting. All must adhere to our security policies, undergo annual risk assessments, and maintain ISO 27001 or equivalent certifications. We flow down security requirements contractually."

Red flags: Uncertainty ("Not sure if we use subcontractors"), no vetting process ("We just trust our sub vendors"), or no contractual security requirements.

7. "Will you agree to contractual terms that enforce NIS2 compliance (e.g. security controls, breach notification, audit rights)?"

Why it matters: NIS2 encourages enforcing cybersecurity measures through supplier contracts. Contracts should bind vendors to security duties, including breach notification and compliance requirements. Resistance to reasonable terms is a major red flag.

What to look for: Willingness to accept security clauses without a fight. Example: "Absolutely. We have standard addenda for 24-hour breach notification, NIS2 compliance, and customer audit rights. We consider these standard business practices."

Red flags: Pushback on breach notification timelines, refusal of audits, or attempts to water down security requirements ("Just trust us, that clause isn't necessary").

Sidebar: Don't overlook subcontractors & fourth-party risk in the NIS2 era

97% of large financial organisations have suffered breaches through fourth parties. NIS2 implicitly requires vigilance throughout the supply chain. Even if your direct vendor has strong security, weak subcontractors create vulnerabilities.

Managing subcontractor risk: Request lists of significant subcontractors from primary suppliers, especially those handling your data or service delivery. Ensure contracts require notification of subcontractor changes. Flow down security requirements so vendors impose the same controls on their subcontractors, including breach-notification timelines; a 24-hour commitment from your direct supplier is worth little if its hosting provider is only obliged to tell it within a week. Related EU rules such as DORA already require financial entities to maintain a "register of information" on their ICT providers and their subcontracting chains, and the same practice makes sense under NIS2. Visibility is critical: you can't manage what you don't know exists.

Internal checklist for risk teams: What you should be doing now

  • Map your supplier universe: Identify and classify all suppliers by criticality, prioritising essential vendors for due diligence and monitoring
  • Update due diligence questionnaires: Incorporate the seven questions above into vendor risk assessments
  • Review and tighten contracts: Add cybersecurity clauses, including NIS2 compliance, 24-hour breach notification, and audit rights
  • Establish incident protocols: Ensure 24/7 contact details for critical vendors' security teams and include third-party scenarios in incident playbooks
  • Continuous monitoring: Implement tools for ongoing monitoring of critical suppliers' security posture (see our Top 10 Tools for NIS2 Compliance)
  • Train internally: Ensure procurement, IT, and business owners understand NIS2 due diligence obligations
  • Engage leadership: Keep executives and the board informed; after all, NIS2 holds leadership accountable
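The sidebar on fourth parties and the first three checklist items (map the supplier universe, fold the questions into questionnaires, tighten notification terms) can be backed by a small supplier register that risk teams actually query rather than a spreadsheet nobody reads. The following is an added example written for this article, not 3rdRisk's code and not part of any NIS2 text. It encodes answers to questions 2, 4, 5 and 6 per supplier, walks disclosed subcontractor chains to surface fourth parties you have never vetted, and adds up notification SLAs along each chain to show how long an incident at a fourth party can take to reach you. All supplier names, SLAs and certifications are constructed for the demonstration; the 24-hour and 72-hour thresholds are taken from the article's own guidance.

```python
"""Supplier register with fourth-party traversal and NIS2-style SLA checks (added example)."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass

NOTIFY_SLA_HOURS = 24   # the early-warning window we must meet ourselves under NIS2
PATCH_SLA_HOURS = 72    # upper end of the "critical patches within 24 to 72 hours" answer


@dataclass(frozen=True)
class Supplier:
    name: str
    criticality: str                  # our own tiering: "critical", "important" or "standard"
    services: tuple = ()              # which of our services depend on this supplier
    certifications: tuple = ()        # Q2, e.g. ("ISO 27001", "SOC 2 Type II")
    notify_hours: int | None = None   # Q5: contractual breach-notification SLA, None = none agreed
    patch_hours: int | None = None    # Q4: SLA for critical patches, None = no defined timeline
    subcontractors: tuple = ()        # Q6: fourth parties the supplier has disclosed
    subs_disclosed: bool = True       # False = "not sure if we use subcontractors"


# Constructed sample register: hypothetical vendors and values, not real companies.
SAMPLE = (
    Supplier("PayCo", "critical", services=("payments",), certifications=("ISO 27001",),
             notify_hours=24, patch_hours=72, subcontractors=("CloudHost",)),
    Supplier("CloudHost", "important", certifications=("SOC 2 Type II",),
             notify_hours=48, patch_hours=72, subcontractors=("DnsVendor", "BackupCo")),
    Supplier("DnsVendor", "standard"),   # answered nothing on Q4/Q5; "BackupCo" is not in our register at all
    Supplier("HRTool", "critical", services=("payroll",), notify_hours=72, subs_disclosed=False),
)


def build_register(suppliers) -> dict[str, Supplier]:
    return {s.name: s for s in suppliers}


def transitive_parties(register, root) -> dict[str, list[str]]:
    """Every party reachable from `root` via disclosed subcontractor chains, mapped to its path.
    Parties missing from the register are still returned: those are the unvetted fourth parties."""
    paths, seen = {}, {root}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        sup = register.get(name)
        if sup is None:               # unknown party: we cannot see beyond it
            continue
        for sub in sup.subcontractors:
            if sub not in seen:
                seen.add(sub)
                paths[sub] = path + [sub]
                queue.append((sub, path + [sub]))
    return paths


def worst_case_notification_hours(register, path) -> int | None:
    """Hours for an incident at path[-1] to reach us: each hop passes it up under its own SLA.
    None if any party in the chain is unknown or has no notification commitment."""
    total = 0
    for name in path:
        sup = register.get(name)
        if sup is None or sup.notify_hours is None:
            return None
        total += sup.notify_hours
    return total


def service_exposure(register) -> dict[str, dict[str, list[str]]]:
    """For each of our services, every direct supplier and fourth party it ultimately depends on."""
    exposure = {}
    for sup in register.values():
        for svc in sup.services:
            parties = exposure.setdefault(svc, {sup.name: [sup.name]})
            parties.update(transitive_parties(register, sup.name))
    return exposure


def assess(register) -> dict[str, list[str]]:
    """Red flags per supplier, following the article's questions 2, 4, 5 and 6."""
    findings = {}
    for sup in register.values():
        flags = []
        if sup.criticality == "critical" and not sup.certifications:
            flags.append("no recognised standard or certification (Q2)")
        if sup.patch_hours is None:
            flags.append("no defined patch timeline (Q4)")
        elif sup.patch_hours > PATCH_SLA_HOURS:
            flags.append(f"critical-patch SLA {sup.patch_hours} h exceeds {PATCH_SLA_HOURS} h (Q4)")
        if sup.notify_hours is None:
            flags.append("no breach-notification commitment (Q5)")
        elif sup.notify_hours > NOTIFY_SLA_HOURS:
            flags.append(f"notification SLA {sup.notify_hours} h exceeds {NOTIFY_SLA_HOURS} h (Q5)")
        if not sup.subs_disclosed:
            flags.append("cannot say whether subcontractors are used (Q6)")
        for party, path in transitive_parties(register, sup.name).items():
            chain = " -> ".join(path)
            if party not in register:
                flags.append(f"unvetted fourth party {party} via {chain} (Q6)")
                continue
            hours = worst_case_notification_hours(register, path)
            if hours is None:
                flags.append(f"no end-to-end notification commitment for {party} via {chain} (Q5/Q6)")
            elif hours > NOTIFY_SLA_HOURS:
                flags.append(f"incident at {party} could take {hours} h to reach us via {chain} (Q5/Q6)")
        findings[sup.name] = flags
    return findings


if __name__ == "__main__":
    reg = build_register(SAMPLE)
    for name, flags in assess(reg).items():
        print(name, *("\n  - " + f for f in flags) or ["\n  - no findings"])
    for svc, parties in service_exposure(reg).items():
        print(svc, "depends on:", ", ".join(sorted(parties)))
```

Two things fall out of running this that the questionnaire answers alone hide: PayCo's 24-hour commitment becomes 72 hours for an incident at its hosting provider, because CloudHost only owes PayCo 48 hours, and the "payments" service turns out to depend on BackupCo, a party that appears in no supplier assessment at all. Both are exactly the gaps the flow-down and register-of-information advice above is meant to close.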

Conclusion: Proactive today, resilient tomorrow

By asking these seven questions, you're not only meeting NIS2 requirements, you're building stronger partnerships. The right suppliers will welcome your scrutiny; many have proactively prepared for these conversations. Non-compliance can lead to hefty fines and personal liability for executives, but thorough supplier due diligence also reduces disruptions and breaches.

Don't wait for incidents or audits to reveal gaps. Start conversations with suppliers now. NIS2 is a chance to fundamentally improve security posture, and not just comply with regulations. A secure, transparent vendor network protects everyone involved.

For further reading, see our piece on supply chain security under NIS2, and view a demo of how 3rdRisk's platform supports NIS2 compliance.
