This document is a template provided as a starting point for your compliance documentation. It does not constitute legal advice and should be reviewed by a qualified legal professional before use. Viktoria Compliance accepts no liability for the use of this template.
NIS2 Supply Chain Security Policy — Template
Version 1.0.0 — Last updated 2026-04-25
1. Purpose and Scope
This Supply Chain Security Policy ('Policy') sets out how [companyName] manages cybersecurity risks in its supply chain in accordance with Article 21(2)(d) of Directive (EU) 2022/2555 (the 'NIS2 Directive'), having regard to the Union-level coordinated security risk assessments referred to in Article 22. It applies to all vendors, suppliers, service providers and software, hardware and cloud-service procurement that support or interact with the network and information systems of [companyName]. [companyName] is classified as an entity in the [sectorClassification] sector under the NIS2 Directive. This Policy is owned by [cisoName] in coordination with the Procurement Lead [procurementLead], and is effective as of 2026-04-26; it shall be reviewed on or before [reviewDate].
2. Supply Chain Risk Management
Supply-chain cybersecurity risks are integrated into the organisation-wide cybersecurity risk assessment described in [companyName]'s NIS2 Cybersecurity Risk Assessment. Categories of supply-chain risk explicitly considered are: (a) compromise of a critical software supplier (e.g., tampered software updates, stolen or misused code-signing keys, compromised build pipelines); (b) compromise of a managed-services provider holding privileged access; (c) compromise of a cloud or hosting provider; (d) concentration risk on a single supplier or geography; (e) end-of-life or end-of-support of components without timely replacement; (f) sub-tier suppliers (the 'Nth-party' problem) outside [companyName]'s direct contractual visibility. Findings from Union-level coordinated risk assessments under Article 22 of the NIS2 Directive are reflected in the assessment of the critical suppliers or technologies they name.
3. Vendor Criticality Tiering
Vendors are tiered by their potential impact on [companyName]'s essential or important services: Tier 1 — Critical: direct support of essential services, privileged access to production systems, or processing of high-volume sensitive data; subject to enhanced due diligence, contractual security clauses, periodic on-site or independent assurance, and annual reassessment. Tier 2 — Important: significant operational impact or access to confidential data without privileged access to production; subject to standard due diligence, contractual security clauses and biennial reassessment. Tier 3 — Standard: limited impact, no access to confidential data, easily replaceable; subject to baseline due diligence and risk-based reassessment. The vendor inventory and tiering are maintained by the Procurement Lead and reviewed at least annually.
4. Vendor Assessment Process
All Tier 1 and Tier 2 vendors are assessed before contract execution and at the cadence defined in Section 3. The assessment process comprises: (a) initial screening (sanctions, geopolitical, financial-stability checks); (b) a security questionnaire aligned with the measures of Article 21(2) of the NIS2 Directive, ISO/IEC 27001 / 27002 controls, and applicable sector-specific requirements; (c) review of supporting evidence (certifications, audit reports, penetration-test summaries, insurance coverage); (d) where appropriate, an on-site or video-based control walkthrough or independent assurance report (SOC 2 Type II, ISAE 3402); (e) risk rating and approve / approve-with-conditions / reject decision recorded by the CISO. Material findings are tracked through to closure as a precondition of go-live.
5. Contractual Security Requirements
Contracts with Tier 1 and Tier 2 vendors include, as a minimum: (a) a binding obligation to maintain technical and organisational measures appropriate to the risk, consistent with the measures listed in Article 21(2) of the NIS2 Directive; (b) audit and information rights enabling [companyName] to verify compliance, including the right to receive independent assurance reports; (c) sub-processor / sub-contractor controls including approval rights and flow-down of equivalent obligations; (d) notification of cybersecurity incidents affecting [companyName]'s data, services, or interfaces within [vendorNotificationWindow] of the vendor's awareness; (e) cooperation obligations supporting [companyName]'s compliance with Article 23 of the NIS2 Directive; (f) data-protection clauses meeting Article 28 GDPR where personal data is processed; (g) exit and data-return obligations on termination. Where the vendor refuses material security clauses, the contract is escalated to the CISO and Legal Counsel for risk acceptance or rejection.
6. Technical Security Requirements
Technical interfaces with vendors are designed and maintained to minimise blast radius: (a) least-privilege identity and access management for vendor identities, with time-limited and just-in-time privileged access where supported; (b) multi-factor authentication for all vendor access to [companyName] systems; (c) network segmentation isolating vendor connectivity from production and other sensitive zones; (d) logging and monitoring of all vendor access, with retention aligned to incident-investigation needs; (e) integrity verification of vendor-supplied software and updates before deployment, using signed packages and checksums that are verified against the vendor's signing key or a manifest obtained and pinned independently of the download channel (a checksum served alongside the package from the same channel offers no protection if that channel is compromised), with deployment restricted to controlled update windows; and (f) continuous vulnerability monitoring of vendor-supplied components within [companyName]'s environment.
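The integrity-verification control in Section 6 (signed packages plus checksum verification) is the one requirement here that reduces to a concrete procedure. The following is an added illustration, not part of the template and not Viktoria Compliance's own code: the vendor publishes a sha256sum-style manifest and a detached Ed25519 signature over it; the consumer pins the vendor's public key out of band, verifies the signature before trusting any line of the manifest, and only then compares the artifact digest. The key pair, file names and artifact bytes are constructed for the example, and `GenerateVendorKey` stands in for the vendor's real release-signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Distinct failure modes, so a rejected update can be logged and escalated by cause.
var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrMalformed      = errors.New("manifest line is malformed")
	ErrUnlisted       = errors.New("artifact is not listed in the signed manifest")
	ErrDigestMismatch = errors.New("artifact SHA-256 does not match the signed manifest")
)

// GenerateVendorKey stands in for the vendor's release-signing key (hypothetical).
// The consumer only ever holds the public half, pinned out of band.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildManifest writes sha256sum-style lines ("<hex>  <name>\n"), sorted by name
// so the manifest bytes are deterministic and can be signed and re-verified.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// SignManifest is the vendor-side step: a detached Ed25519 signature over the manifest.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

func parseManifest(manifest []byte) (map[string]string, error) {
	entries := make(map[string]string)
	for _, line := range strings.Split(string(manifest), "\n") {
		if line == "" {
			continue
		}
		fields := strings.SplitN(line, "  ", 2)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("%w: %q", ErrMalformed, line)
		}
		entries[fields[1]] = strings.ToLower(fields[0])
	}
	return entries, nil
}

// VerifyArtifact is the consumer-side control. The signature is checked before the
// manifest is parsed or trusted, so a manifest edited to match a tampered artifact
// is rejected outright; only then is the artifact digest compared.
func VerifyArtifact(vendorPub ed25519.PublicKey, manifest, sig []byte, name string, artifact []byte) error {
	if len(vendorPub) != ed25519.PublicKeySize || !ed25519.Verify(vendorPub, manifest, sig) {
		return ErrBadSignature
	}
	entries, err := parseManifest(manifest)
	if err != nil {
		return err
	}
	want, ok := entries[name]
	if !ok {
		return ErrUnlisted
	}
	sum := sha256.Sum256(artifact)
	got := hex.EncodeToString(sum[:])
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed demo: one vendor release, then a substituted artifact.
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{"agent-1.4.2.tar.gz": []byte("constructed artifact bytes")}
	manifest := BuildManifest(files)
	sig := SignManifest(priv, manifest)
	fmt.Println("genuine: ", VerifyArtifact(pub, manifest, sig, "agent-1.4.2.tar.gz", files["agent-1.4.2.tar.gz"]))
	fmt.Println("tampered:", VerifyArtifact(pub, manifest, sig, "agent-1.4.2.tar.gz", []byte("backdoored")))
}
```

The ordering in `VerifyArtifact` is the point: checking checksums first and the signature afterwards (or never) lets an attacker who controls the download channel ship a matching manifest with the backdoored package. The distinct error values are what the logging requirement in Section 6 needs in order to distinguish a corrupt download from a signature failure, which is the case that should trigger the supply-chain incident process in Section 8.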
7. Monitoring and Periodic Review
The CISO and the Procurement Lead jointly monitor the supply-chain control environment. Monthly: review of vendor incidents, vulnerabilities and threat intelligence relevant to active vendors. Quarterly: review of the vendor inventory, tiering and outstanding assessment actions. Annually: full reassessment of Tier 1 vendors and review of this Policy. Material changes (new Tier 1 onboarding, vendor consolidation, geopolitical events, vendor security incidents) trigger interim reviews. Reviews and decisions are recorded; non-compliant or high-residual-risk vendors are placed on remediation plans, and where remediation fails, contractual termination is initiated.
8. Supply Chain Incident Response
Where a vendor reports or [companyName] detects a cybersecurity incident with potential supply-chain origin, the incident is treated under [companyName]'s Incident Response Plan from the moment of awareness. The Incident Commander coordinates with the vendor's incident response team, the CISO assesses whether the incident meets the significant-incident threshold of Article 23(3) of the NIS2 Directive, and Legal Counsel confirms contractual reporting obligations. Where the threshold is met, [companyName] submits an early warning to [supervisoryAuthority] (the CSIRT or competent authority designated under Article 23(1)) within twenty-four (24) hours of becoming aware, followed by the incident notification within seventy-two (72) hours and a final report within one month, in accordance with Article 23(4), regardless of the upstream vendor's own reporting obligations; the vendor's notification window under Section 5 does not extend [companyName]'s own deadlines. Lessons learned from supply-chain incidents are reflected in vendor reassessments, contract renewals and Policy updates.