
NIS2 for suppliers to NIS2-obligated organisations: what should you arrange now?

Written by Dennis van de Wiel
Last updated on Feb 21, 2026

Much of the attention around NIS2 focuses on the large essential entities in sectors like energy, healthcare and transport. But an underestimated aspect of the directive is supply chain responsibility: NIS2-obligated organisations are required to map and safeguard the cybersecurity of their suppliers. This extends obligations well beyond the directly designated companies. If your organisation delivers software, IT services, or other critical support to a NIS2-obligated entity, there's a good chance you'll be presented with concrete requirements sooner than expected. This article explains what NIS2 means in this context, who it already applies to, what you need to arrange now, and what you can safely postpone.

NIS2 in brief for the supplier chain

Why NIS2 is becoming relevant

NIS2, implemented in the Netherlands as the Cybersecurity Act, obliges organisations in essential and important sectors to demonstrate cybersecurity. That sounds like an internal matter, but NIS2 explicitly goes further. Article 21(2)(d) of the directive states that entities must take measures for "the security of the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." In plain language: anyone supplying a NIS2-obligated organisation must demonstrably pay attention to cybersecurity. The customer is responsible for ensuring their suppliers don't increase the risk profile of the chain.

At the same time, there's practical pressure that's already noticeable, independent of the legislation itself. In dozens of EU member states, NIS2 has already been transposed into national legislation and is in force. Companies trading internationally or serving foreign clients may already face concrete requirements from procurement processes or contract amendments. Even if the Dutch Cybersecurity Act isn't fully in effect yet, it's wise for suppliers to European organisations not to wait.

What NIS2 is and isn't

NIS2 is a European directive aimed at increasing the digital resilience of critical sectors. It's not a certification standard like ISO 27001. NIS2 doesn't prescribe a specific technical standard and has no audit scheme for suppliers. What it does do is create a duty of care. NIS2-obligated organisations are responsible for the resilience of their chain and will pass that responsibility through via procurement conditions, questionnaires and contract provisions.

NIS2 is also not static. The directive prescribes measures that must be proportional to the risks. This means a small supplier isn't held to the same bar as a critical data centre provider. What you need to demonstrate depends on the role you play in the chain and the risk you represent to the NIS2-obligated client.

Which types of suppliers NIS2 applies to

Essential and important entities

NIS2 distinguishes between essential entities and important entities. Essential entities are active in sectors such as energy, drinking water, transport, banking, healthcare, digital infrastructure and space, and fall under the strictest supervisory regimes. Supervisors can proactively and randomly inspect them, even without an incident having occurred. Fines for essential entities can reach ten million euros or two percent of global annual turnover.

Important entities fall in sectors such as postal and courier services, waste management, chemical industry and digital service providers. Reactive supervision applies to them: the supervisor intervenes based on reports or indications, not preventively. Fines are lower but still up to seven million euros or 1.4 percent of annual turnover. If your organisation is directly active in one of these sectors and exceeds the thresholds of fifty employees or ten million euros in turnover, you may yourself be a NIS2-obligated entity and the obligations apply directly.

When NIS2 doesn't apply yet

If your organisation has fewer than fifty employees and less than ten million euros in turnover, you fall outside the direct applicability of NIS2 in principle, unless you're active in a sector considered critical. Micro-organisations and small businesses are exempt from direct obligations. That doesn't mean they can't be indirectly affected as suppliers when their clients start setting requirements. A small software company with access to the production systems of an energy company will inevitably face security requirements, even if it falls outside the scope of the law itself.

Those active in sectors not on the NIS2 list, and not supplying NIS2-obligated clients, don't need to do anything at this time. But the reach of the law is growing. The expectation is that a significant portion of the fifty thousand suppliers in the Netherlands will encounter NIS2 requirements indirectly at some point.

Grey areas and interpretation

Not every situation is black and white. A SaaS supplier delivering HR software to a healthcare institution that is itself an essential entity is indirectly touched by NIS2 obligations. The same applies to an IT service provider managing network equipment at a drinking water company. The NIS2-obligated client is required to map risks in the chain and will request information from suppliers for that purpose. Whether you're formally obligated is less relevant in such cases than whether your client considers you a risk.

The most convenient way to determine your position is through the self-assessment tool of the Digital Trust Center (part of the Ministry of Economic Affairs). It helps you estimate whether you fall directly under the Cybersecurity Act. But even if you fall outside it: if you supply NIS2-obligated clients, it's wise to be demonstrably in control. A NIS2 SC QM10 quality mark, a CyberFundamentals Basic certification or an ISO 27001 certification are concrete ways to provide that confidence, without having to set up a complete management system right away.

What you need to arrange now

Basic cybersecurity measures

The starting point for every supplier is establishing demonstrable basic cybersecurity measures. Think of multi-factor authentication for system access, timely updating of software and firmware, automated backups with periodic recovery tests, restriction of access rights based on the principle of least privilege, and a documented policy for handling vulnerabilities.

For suppliers who want to make this demonstrable, the NIS2 Supply Chain certification (NIS2 SC) offers a concrete option. This quality mark was specifically developed for suppliers in the chain and works with three levels: QM10 (basic), QM20 (substantial) and QM30 (high). The lowest level is accessible to companies that haven't yet set up a complete management system but want to demonstrably safeguard basic measures. The CyberFundamentals certification, which aligns with the Belgian approach to NIS2 implementation, is a comparable option for companies already active in the Belgian market or supplying Belgian NIS2-obligated organisations.

Risk management and governance

NIS2 emphasises risk management as a foundation. This doesn't mean you need to build an extensive risk management programme, but it does mean you demonstrably know which risks you face, which assets are important, and which measures you've taken. For a supplier in the chain, this concretely means: know which client data or systems you manage, understand the dependencies, and document which measures you've taken to prevent disruptions.

Governance is about who is responsible. NIS2 makes clear that directors of essential and important entities can be held personally liable. For suppliers who aren't themselves NIS2-obligated, that direct liability doesn't exist, but clients will ask who's responsible for information security. A designated owner of the topic, even if that's the director in small organisations, provides confidence and prevents debate about accountability.

Incident response and reporting obligation

NIS2 sets strict deadlines for reporting incidents to supervisors: an early notification within 24 hours, a more detailed report within 72 hours, and a final report within one month. Directly NIS2-obligated organisations are bound by this. But as a supplier, you also have a role. If your systems or service delivery are part of an incident at a NIS2-obligated client, that client must be able to act quickly. This requires you to provide transparency about what went wrong and when.

So ensure you have at least a basic process for incident handling. It doesn't need to be an extensive playbook, but rather a clear description of who does what when something goes wrong, how clients are informed, and how you document the incident. Clients will increasingly ask during contract negotiations how you handle security incidents that could affect them.

What you don't need to do yet

Full compliance setup

If you're not yourself NIS2-obligated as a supplier, you don't currently need to set up a complete management system meeting all ten NIS2 duty of care measures. That level of setup is reserved for essential and important entities under direct supervision. What's expected from suppliers is proportional to their role and the risk they represent. Those delivering only standard software without access to critical client processes can cover a large part of client expectations with a NIS2 SC QM10 quality mark or CyberFundamentals Basic certification. IT service providers with deep access to critical systems would be wise to work towards ISO 27001 or a higher NIS2 SC level.

The distinction is important. NIS2 has a layered structure: obligations for suppliers are determined by the contractual relationship and risk class, not by a uniform standard that's the same for everyone. The choice for the right level isn't arbitrary but a deliberate consideration based on your role in the chain and your clients' requirements.

Over-documentation

A common mistake is building an extensive documentation setup before anything has actually been implemented. Procedures, policy templates and risk registers are only valuable when they describe reality. Writing fifty pages of policy now without having implemented the measures builds a paper system. Auditors and clients look not only at what's on paper but also at evidence that measures actually work.

Start with the measures themselves: access management, patching, backups, awareness. Document them as simply as possible. You can always expand, but starting with documentation that exceeds practice creates confusion and administrative burden without added value.

Rushed tooling choices

The market for compliance and security tools is large and growing fast. Many suppliers are approached with solutions promising to handle everything at once. The pitfall isn't in using tooling but in choosing without a clear picture of what you need. A platform that brings together your basic measures, risk management and evidence collection saves considerable time compared to working with spreadsheets and separate documents. But the benefit is greatest when you know which standards you want to cover and which level you're aiming for.

Therefore, first determine whether you're going for NIS2 SC QM10, CyberFundamentals Basic or a broader framework like ISO 27001. That determines the scope of what you set up and what functionality you expect from a platform. Those who make this choice deliberately get immediate value from tooling and prevent an implementation having to be adjusted halfway through.

Common misconceptions about NIS2

NIS2 applies at the highest level to all suppliers

A persistent misconception is that all suppliers to NIS2-obligated organisations must comply with the strictest level of the directive. This is incorrect. NIS2 prescribes a proportional approach: the requirements imposed on a supplier must be aligned with the risks that supplier poses to the chain. A cleaning company visiting a data centre has different obligations than an IT service provider with administrative access to critical networks. The NIS2 SC certification explicitly accounts for this with its three levels.

This misconception sometimes causes suppliers to wait unnecessarily long because they set the bar too high. They think they need an extensive certification or complete ISMS before they can show anything. In reality, basic documentation and basic measures can already cover a large part of client expectations.

NIS2 requires direct certification

NIS2 is not a certification standard and doesn't oblige suppliers to obtain a specific certificate. The directive requires NIS2-obligated organisations to manage their supplier risks but leaves open how suppliers demonstrate this. An ISO 27001 certification, a NIS2 SC quality mark, a completed questionnaire or a self-declaration can all suffice, depending on client expectations. What counts is demonstrability, not the specific instrument.

That doesn't mean a quality mark has no advantages. It replaces repetitive questionnaires from multiple clients, provides structure to the setup and makes it easier to demonstrate you're in control. But anyone thinking NIS2 compliance is impossible without certification is unnecessarily holding themselves back.

Only technical measures are sufficient

NIS2 explicitly also addresses the human and organisational side of cybersecurity. Technical measures like firewalls, multi-factor authentication and encryption are necessary but insufficient. Employees must know how to recognise phishing, what to do with a suspected incident, and why certain policy rules apply. Directors must be demonstrably involved in information security decisions.

The reporting obligation is a good example. It only works if employees know they must report suspicious situations and if a clear internal channel exists for this. A technically perfectly secured system with employees who have never been trained and have no idea about procedures doesn't meet the spirit of NIS2.

The relationship between NIS2 and existing frameworks

Connection with ISO 27001

ISO 27001 and NIS2 overlap substantially in content. Both require risk management, access management policies, incident handling, business continuity and demonstrable controls. An ISO 27001 certification already gives a NIS2-obligated client a strong signal that you take information security seriously. DEKRA and other certification bodies confirm that ISO 27001 combined with supplementary documentation is in many cases sufficient to meet NIS2 expectations.

The difference lies in focus. ISO 27001 builds a complete information security management system, including the annual management review and continuous improvement. NIS2 is more results-oriented: it's about demonstrable resilience, not about following a specific management process. For suppliers without ISO 27001 certification, a NIS2 SC quality mark at QM10 level offers a feasible alternative as a starting point.

Relationship with SOC 2

SOC 2 is a reporting standard particularly relevant for service organisations serving North American clients. It addresses similar themes as NIS2 (security, availability, confidentiality) but isn't based on European legislation. A SOC 2 report demonstrating your controls work can be used as evidence with some NIS2-obligated clients but isn't a direct substitute for NIS2 compliance.

For European suppliers already undertaking or considering a SOC 2 journey, it's worthwhile to assess the extent to which that journey also covers NIS2 expectations. In practice, there are many commonalities, but NIS2 specifically emphasises the supplier chain and reporting obligation, two aspects less prominent in SOC 2. A combined approach via a platform managing multiple standards simultaneously can prevent doing the same work twice.

Preparing for future requirements

The European legislative agenda doesn't stand still. The Cyber Resilience Act (CRA) introduces new obligations for manufacturers of products with digital elements, from smart devices to software components. DORA targets the financial sector with strict requirements for digital resilience and supplier management. The trend is clear: the scope of cybersecurity obligations is growing, and supply chain responsibility is becoming a structural part of the European regulatory framework.

Those who invest now in a structured approach to information security build a foundation that's also usable for future requirements. Documentation, risk registers, policies and controls are reusable across multiple standards. The efficiency of one integrated system versus separate, per-standard processes increases with every new framework.

How to approach NIS2 in phases

Start with overview

The first step is always gaining insight. This begins with the question: do I supply NIS2-obligated organisations, and if so, what risks do I represent for them? Then map which assets, systems and data are important for your service delivery to those clients. This doesn't need to be an extensive inventory, but you need the information to make sensible choices about priorities.

Simultaneously assess which basic measures you already have and where the gaps are. An honest self-assessment based on the ten duty of care measures from NIS2 provides direction. Multiple industry organisations and the Digital Trust Center offer free tools for this. This starting point gives structure to what comes next, without committing to obligations you can't yet fulfil.

Improve step by step

NIS2 preparation works best as an ordered improvement process, not as an everything-at-once project. Prioritise the measures with the highest risk reduction: access management, system patching, backups, and employee awareness. Those four categories are also the foundation for NIS2 SC QM10 and CyberFundamentals Basic levels.

Document each measure as soon as you've implemented it. Not in an extensive policy document, but in a clear description of what's being done, who's responsible and how you collect evidence that it works. That evidence is what clients and auditors need. After the basic measures comes tackling risk management, incident handling and supplier management of your own suppliers.

Move with growth

NIS2 compliance isn't a final state but a continuous process. The directive expects organisations to periodically evaluate and adjust their measures based on new risks. For a growing SaaS organisation, this means: more employees call for stricter access management, new clients in sensitive sectors call for a reassessment of your risk profile, and new technology calls for updated controls.

Those who set up this process from the outset as something that scales with the organisation prevent compliance from becoming a periodic catch-up project. This requires a management structure that stays current, not a document that's updated once a year and sits in a folder the rest of the time.

The role of tooling in NIS2

Overview and structure

Once the basic measures are in place and you notice that keeping track of progress is becoming harder, tooling becomes valuable. A central system provides insight into which measures are set up, which evidence exists, and where action is still needed. That overview is also essential when clients ask questions about your security status: you can answer quickly and factually instead of sifting through spreadsheets.

Structure in tooling also helps distinguish between what you do and why you do it. Measures linked to standard requirements and risks are easier to defend with clients and supervisors than loose lists of actions. A well-set-up system makes visible that you're in control, not just that you've done things.

Safeguarding measures

A measure that's been set up once but is no longer current has limited value. Tooling helps ensure measures remain safeguarded. Think of periodic reminders for checking access rights, updating risk assessments, or testing backups. Automatic monitoring via integrations with cloud environments and development tools means you don't have to manually verify whether something still holds.

For suppliers who want to convince their clients of their reliability, demonstrable continuity is at least as important as having the right measures. Evidence that measures structurally work and weren't just refreshed for an audit is more convincing than a corrected document updated once a year.

Continuous insight

NIS2 requires an approach that moves with changes in risks and technology. Tooling that provides real-time insight into the status of controls and makes deviations immediately visible supports that. Signals that something no longer works as intended (an integration showing deviations, a test that no longer passes) are valuable input for timely course correction.

Continuous insight is also relevant for the reporting obligation. When an incident occurs, you need the information to act and report quickly. A system that centrally maintains evidence and incident information makes those short deadlines of 24 and 72 hours feasible instead of a panic moment.

How Tidal Control supports NIS2

Practical support

Tidal Control supports both the NIS2 CyberFundamentals approach and the NIS2 Quality Mark certification (NIS2 SC), including the QM10 level specifically intended as an accessible starting point for suppliers. The platform offers pre-built controls and policy templates that immediately show which standard requirements you already cover and where work is still needed. This lets you start immediately without building from scratch.

Integrations with cloud providers and development tools like Microsoft and AWS make it possible to automate evidence collection. This way, you don't have to manually verify whether configurations are still correct or access rights are current. More than 150 automated tests provide continuous insight into the state of your controls, making it considerably easier to maintain evidence for clients and supervisors.

Structure without complexity

One of the challenges in NIS2 preparation is that it can quickly feel overwhelming, especially for teams doing compliance alongside their other work. Tidal Control serves as one central place for all compliance information. Controls, policy documents, risk assessments and deviations are in one place, clearly organised and accessible to everyone involved.

The supplier management module specifically supports the chain obligation: you can track which suppliers you use, what risks they represent, and what agreements you've made with them. That's precisely the information a NIS2-obligated client needs from you to demonstrate their own chain duty of care, and that you need yourself if you fall under the law.

Scalable towards compliance

Tidal Control is designed for startups, scale-ups and larger organisations, with a layered approach that scales along. Those starting with NIS2 QM10 and later growing towards ISO 27001 or a higher NIS2 level don't need to start over. The controls, evidence and documentation you've built up form the foundation for further expansion. This makes the early-stage investment immediately usable, even if your ambitions grow later.

With a free fourteen-day trial, you can explore the platform before making a decision. This gives a realistic picture of what tooling adds to your NIS2 approach, without committing to a long-term obligation straight away.

Frequently asked questions about NIS2 for suppliers

Which types of suppliers does NIS2 actually apply to?

NIS2 applies directly to organisations designated as essential or important entities: active in critical sectors, with more than fifty employees or ten million euros in turnover. For suppliers not falling into those categories themselves, indirect applicability exists through their clients' chain duty of care. How heavy the expectations are depends on the role you play in the chain and the risk your systems or services pose to the NIS2-obligated customer.

Which NIS2 measures should you arrange now and which not yet?

The measures you should arrange now are the basic measures: multi-factor authentication, timely patching, automated backups with recovery tests, restriction of access rights, and a simple incident process. What you can postpone is a fully developed management system, extensive documentation setups and tooling choices before the basics are in place. Prioritisation depends on the risk level clients assign to you.

What are the biggest misconceptions about NIS2 among suppliers?

The three most common misconceptions are: that the strictest NIS2 level applies to all suppliers (it doesn't, it's proportional), that you need a formal certificate to be demonstrable (not necessarily, a self-declaration or questionnaire can also suffice), and that only technical measures count (human and organisational measures are also part of NIS2 compliance).

How does NIS2 relate to existing frameworks like ISO 27001 and SOC 2?

ISO 27001 covers much of what NIS2 expects in terms of content and is recognised by most clients and supervisors as strong evidence of information security. SOC 2 has overlap but isn't aimed at European legislation and addresses NIS2-specific elements like the reporting obligation and supplier chain less explicitly. An integrated approach via one platform prevents double work when you want to cover multiple standards simultaneously.

When does tooling become necessary to keep NIS2 manageable?

Tooling becomes valuable once you have the basic measures in place and notice that keeping track of progress, collecting evidence and managing deviations costs too much time in spreadsheets or separate documents. For smaller organisations with a limited scope, that may be later than for fast-growing SaaS companies with multiple clients in sensitive sectors. When clients structurally ask for evidence of your security status, that's the signal that a central system earns back its investment.