NIS2 Compliance for Suppliers
Your company may not fall under NIS2 directly — but your customers do. And they will require you to prove cybersecurity compliance.
Why small suppliers are affected by NIS2
NIS2 (Section 30 BSIG, measure 4) explicitly requires regulated companies to secure their entire supply chain. This means every essential and important entity — roughly 29,500 companies in Germany alone — must contractually require cybersecurity standards from their suppliers.
If your company has fewer than 50 employees or falls below the revenue thresholds, you are not directly regulated by NIS2. But if you provide IT services, software, components, logistics, or any other service to a company that is regulated, you will face NIS2 requirements through your contracts.
This is not theoretical. Large companies are already updating their procurement terms, adding cybersecurity clauses, and requesting compliance evidence from suppliers. Companies that cannot demonstrate adequate security measures risk losing contracts to competitors who can.
Section 30(2) No. 4 BSIG — Supply chain security
Regulated entities must implement "security measures in the supply chain, including security-related aspects of the relationships between each entity and its direct suppliers or service providers." This obligation flows down to every supplier in the chain.
Contractual requirements
NIS2-regulated companies must include cybersecurity requirements in supplier contracts. Expect new clauses covering risk management, incident reporting, and access controls. Existing contracts will be renegotiated.
Supplier audits and questionnaires
Your customers will send security questionnaires and may conduct audits. Companies that use nis2.eu can generate compliance evidence instantly — those without a system scramble for weeks.
Incident notification obligations
If a security incident at your company affects a NIS2-regulated customer, they must report it to the BSI within 24 hours. They need you to have incident detection and reporting processes in place.
Competitive advantage
When a regulated company chooses between two suppliers and one can demonstrate NIS2-aligned security while the other cannot — the choice is obvious. Compliance becomes a sales differentiator.
Cyber insurance requirements
Cyber insurers increasingly require supply chain security evidence. Your customers' insurance policies may mandate that their suppliers meet minimum cybersecurity standards.
Risk assessment
Identify and document risks to the systems you use for customer work. This does not need to be complex: a structured list of risks with treatment plans is enough.
Access control
Determine who can access customer data and systems: role-based access, MFA for remote access, and documented user management.
Incident handling
A documented process for detecting, responding to, and reporting security incidents. Your customer needs to know within hours, not weeks.
Business continuity
What happens if your systems go down? Backup strategy, recovery procedures, and tested plans to continue delivering to your customers.
Policies and evidence
Written security policies, training records, and an audit trail proving you follow your own rules. This is what auditors actually check.
Check your exposure
Use our free applicability check to confirm your NIS2 status. Even if you're not directly in scope, identify which of your customers are NIS2-regulated — those contracts will come with new requirements.
Run a gap assessment
Compare your current security practices against the 10 measures in Section 30 BSIG. Most small companies already do some of this informally — the gap is usually documentation, not practice.
Implement the basics
Start with the highest-impact items: access control, backup strategy, incident response process. The nis2.eu platform walks you through each requirement with pre-built templates.
Build your evidence package
When your customer sends a security questionnaire, you need answers ready. Policies, training records, risk assessments, and technical measures — all documented and exportable.
Review annually
NIS2 compliance is not a one-time project. Schedule an annual review of your risks, update your policies, and refresh employee training. The platform tracks deadlines automatically.
Frequently asked questions
Am I legally required to comply with NIS2 as a small supplier?
Not directly — NIS2 applies to companies above the medium enterprise threshold (50+ employees or EUR 10M+ turnover). However, your NIS2-regulated customers are legally required to secure their supply chain (Section 30 BSIG). This creates a contractual obligation that flows down to you. You won't be fined by the BSI, but you may lose contracts.
What happens if I don't comply?
Your NIS2-regulated customers face fines up to EUR 10M or 2% of global turnover for supply chain security failures. They will either require you to comply or replace you with a supplier who can. The practical consequence is lost business, not a BSI fine.
How much does supplier compliance cost?
The nis2.eu platform is free. For a small company (10-50 employees), the main cost is time — typically 2-4 weeks of part-time work to set up initial policies, risk assessments, and processes. Ongoing maintenance is a few hours per quarter.
Can I use NIS2 compliance as a selling point?
Absolutely. When you can demonstrate NIS2-aligned security practices with documented evidence, you become a preferred supplier. Some companies are already advertising NIS2 supply chain compliance as a competitive differentiator in RFPs and proposals.
What if my customer hasn't asked yet?
They will. The BSI registration deadline passed in March 2026 and over 18,000 companies are still catching up. As they implement NIS2, supply chain security is one of the 10 mandatory measures. Getting ahead of the request positions you as a proactive, trusted partner.
Start your supply chain compliance — free
The nis2.eu platform guides you through every requirement, generates your evidence package, and keeps you audit-ready. No cost, no credit card.