
NIS2 for suppliers to NIS2-obligated organizations: what do you need to arrange now?

Last updated on Jun 25, 2026

You may be too small for NIS2 yourself. Fewer than 50 employees, under €10 million in revenue, not in a designated sector. Yet suddenly a 60-question security questionnaire lands on your desk, sent by a client who is subject to the law. Or there's a new clause in your contract renewal, or you get an email: "We require our suppliers to demonstrably have NIS2-compliant measures in place."

This is the chain effect of NIS2, and it affects far more businesses than the law directly designates. This article is about your side of that relationship: why the requirement ends up with you, and how you show that you have your affairs in order.

Why the requirement ends up with you

NIS2-obligated organizations are legally required to manage the cybersecurity of their supply chain. Article 21 obliges them to assess the security of their direct suppliers and anchor it contractually. They cannot outsource that obligation, but they can pass it on. And they do, through questionnaires, contract clauses, and requests to provide evidence.

The reason is simple: a chain is only as strong as its weakest link. A hospital with perfect internal security is still vulnerable if a software supplier with access to patient systems gets hacked. Attackers increasingly choose that route, using a smaller supplier to reach the larger target. That is why the NIS2-obligated client must know and manage the risk posed by its suppliers, and that is why the question ends up with you. The relevant question is therefore not whether you are formally obligated yourself, but whether your client considers you a risk in their chain. If you process client data or have access to their systems, the answer is almost always yes.

What the requirement looks like in practice

The request rarely arrives as "comply with NIS2". It comes in one of three forms: a security questionnaire from a procurement department, a new clause in your contract covering incident notification and audit rights, or a direct request for evidence such as a certificate or test report.

That last form is becoming more important. In supply chain audits, a recurring pattern is that supplier lists are full of the note "OK" without anyone knowing when that was last verified. Clients who take NIS2 seriously no longer accept that. For suppliers they consider critical, they ask for evidence rather than a declaration.

What you need to arrange now

The starting point is a set of demonstrable basic measures. These four carry the most weight because they cover the most risk and because clients ask about them most often: multi-factor authentication on systems with client access, timely updates to software and firmware, automated backups with periodic recovery tests, and access rights based on the principle of least privilege.

With those backups there is a pitfall that keeps coming up in audits. Many organizations have a backup solution running but have never tested whether a recovery actually works. A backup you have never restored is often worthless in a crisis. A supplier who periodically tests their recovery stands out immediately.
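A minimal recovery test of the kind this paragraph calls for, added here as an example and not taken from the article or from Tidal Control: it backs up a directory, restores the archive into a scratch location, and checks every restored file against a checksum manifest, so a backup that exists but cannot be restored is caught before a crisis. It assumes a POSIX shell with tar and sha256sum; the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the article): prove that a backup can actually be
# restored, rather than only that a backup job ran. Assumes tar and sha256sum.

# make_backup SRC ARCHIVE MANIFEST
# Records a sha256 manifest of every file under SRC, then archives SRC.
make_backup() {
  src="$1"; archive="$2"; manifest="$3"
  ( cd "$src" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$manifest"
  tar -C "$src" -cf "$archive" .
}

# verify_restore ARCHIVE MANIFEST
# Restores ARCHIVE into a fresh scratch directory (never over live data) and
# checks every restored file against MANIFEST. Returns 0 only when extraction
# succeeds and all checksums match; anything else is a failed recovery test.
verify_restore() {
  archive="$1"; manifest="$2"
  scratch="$(mktemp -d)"
  status=1
  if tar -C "$scratch" -xf "$archive" 2>/dev/null &&
     ( cd "$scratch" && sha256sum -c "$manifest" ) >/dev/null 2>&1; then
    status=0
  fi
  rm -rf "$scratch"
  return "$status"
}

# Demo on constructed sample data (placeholder content, not real client data).
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/data/config"
printf 'customer export, constructed sample\n' > "$demo_dir/data/export.csv"
printf 'db_host=example.invalid\n' > "$demo_dir/data/config/app.cfg"
make_backup "$demo_dir/data" "$demo_dir/backup.tar" "$demo_dir/manifest.sha256"
if verify_restore "$demo_dir/backup.tar" "$demo_dir/manifest.sha256"; then
  echo "recovery test passed: restored files match the manifest"
else
  echo "recovery test FAILED: backup could not be restored intact"
fi
rm -rf "$demo_dir"
```

Run it on a schedule and keep the output as evidence; a failed run is exactly the finding an auditor or client wants to see you caught yourself.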

In addition, a client expects a working incident process. If your service is part of an incident at a NIS2-obligated client, they need to be able to act quickly to meet their own reporting deadlines. No elaborate playbook required, but a clear process: who does what, how do you inform your client, and how do you record the incident.

How you demonstrate it: NIS2 Supply Chain, Cyber Fundamentals, or ISO 27001

NIS2 is not itself a certification standard and does not require you to hold a specific certificate. The client wants demonstrability, and there are three common routes for that. Which one fits depends on your role in the chain and the market in which your clients operate.

NIS2 Supply Chain (SC). The Dutch quality mark, since January 2026 the new name of the original NIS2 Quality Mark. Specifically developed for suppliers in the chain, with three levels: SC10 (Basic) for SMEs with limited risk, SC20 (Substantial) for suppliers with access to sensitive data or systems such as ICT and OT service providers, and SC30 (High) for critical chain partners and NIS2-obligated parties. The major advantage: one quality mark replaces repeatedly filling in questionnaires from different clients. You simply refer to your level and companies are quicker to work with you.

CyberFundamentals (CyFun). The Belgian equivalent, relevant if you supply to Belgian NIS2-obligated clients. It has a starting level Small and three assurance levels: Basic, Important, and Essential. Which one you need is determined by your client based on the risk you represent.

ISO 27001. Often underestimated in this context, but the strongest option if you already have it or are considering it. ISO 27001 substantively covers a large part of what NIS2 requires from suppliers: risk management, access management, incident handling, business continuity, and demonstrable controls. For a NIS2-obligated client, an ISO 27001 certificate is a directly recognizable signal that you take your information security seriously, and it is widely accepted as evidence in the chain. Anyone with ISO 27001 already covers most SC and CyFun requirements and rarely needs a separate quality mark. If you have deep access to critical client systems, or if multiple large clients expect a mature management system, ISO 27001 is worth considering over a quality mark.

The common thread: a completed questionnaire, a substantiated self-declaration, an SC or CyFun quality mark, or an ISO 27001 certificate can all suffice. What counts is demonstrability, calibrated to the risk you pose to the client.

What can wait

Not everything needs to happen immediately, and misjudging this causes suppliers to get unnecessarily stuck. A fully developed management system that meets all NIS2 duty-of-care measures is reserved for organizations that are themselves under supervision. If you only supply standard software without deep access to critical client processes, SC10 or CyberFundamentals Basic already covers a large part of the expectations. Also postpone over-documentation and rushed tooling choices: start with the measures themselves, document concisely, and only choose tooling once you know which level and framework you are aiming for.

Two misconceptions that slow suppliers down

"We need to comply with the most demanding level." Incorrect. NIS2 prescribes a proportionate approach. A cleaning company that visits a data center has different obligations than an IT service provider with management access to critical networks. The quality marks account for this with their levels. This misconception causes suppliers to set the bar too high and therefore wait too long.

"Technology is enough." Incorrect. NIS2 explicitly also addresses the human and organizational side. Employees need to recognize phishing and know what to do when they suspect an incident. A technically well-secured company without trained staff or an incident process does not meet what clients expect.

An honest starting point

The first step is to determine whether and how you are affected. Do you supply to organizations in critical sectors, and which of your systems or services touch their critical processes? The Digital Trust Center of the Ministry of Economic Affairs has a self-assessment tool that lets you gauge your position within ten minutes. Then map out which basic measures you already have in place and deliberately choose a level and framework, rather than reacting to whichever questionnaire happens to arrive first.

How Tidal Control supports suppliers

Tidal Control offers prebuilt controls and policy templates for NIS2 Supply Chain, CyberFundamentals, and ISO 27001, so you can choose the framework that fits your clients and your role. You immediately see which requirements you already cover, and because the frameworks largely overlap you only need to set up a measure once. Supplier management supports the chain side: you keep track of which of your own suppliers has access to what. Evidence is collected automatically via integrations with Microsoft, AWS, and others, and more than 300 automated tests give you continuous insight into whether your measures are working. Start with SC10 and grow into ISO 27001 later, and you build on what is already there. Want to monitor ISO 27001 and NIS2 side by side? Tidal clearly shows the gaps between ISO 27001 and NIS2.

Want to know where your organization stands?

Before you answer a questionnaire or choose a level, it helps to know where you stand. Which basic measures do you already have, and where are the gaps?

Take the free Quickscan and get a first picture of your position and the logical next steps in five minutes. No sales call, no obligations.


Frequently asked questions about NIS2 for suppliers

Do I need to comply with NIS2 if I am not subject to the law myself?

Not directly, but you will receive the requirements indirectly through your clients. NIS2-obligated organizations must manage their supplier risk and pass that on contractually. If you supply to an organization in a critical sector and process their data or have access to their systems, you will still encounter NIS2 requirements through a questionnaire, a contract clause, or a request for evidence.

Does my ISO 27001 certificate count as evidence for NIS2?

Yes, and more strongly than many suppliers realize. ISO 27001 substantively covers a large part of what NIS2 requires from suppliers and is widely recognized as evidence in the chain. Anyone with ISO 27001 already covers most SC and CyFun requirements and rarely needs a separate quality mark on top of that.

What is the difference between NIS2 Supply Chain and CyberFundamentals?

NIS2 Supply Chain (SC10, SC20, SC30) is the Dutch quality mark for suppliers in the chain. CyberFundamentals (CyFun) is the Belgian framework from the CCB, with a starting level Small and the assurance levels Basic, Important, and Essential. Which one is relevant for you depends on the market in which your clients operate: Dutch clients typically ask for NIS2 Supply Chain, Belgian clients for CyberFundamentals.
