Guide · 9 min read

NIS2 Art. 21(2) — supplier security checklist

A practical checklist for procurement and security teams. Use it for both new supplier onboarding and annual reviews — covering what to ask, what evidence to collect, and how to respond when a supplier falls short.

NIS2 Art. 21(2)(d) obligates you to assess your suppliers' cybersecurity posture as part of your own supply chain risk management. The requirement covers both new suppliers and existing relationships — an annual review is the minimum.

This checklist covers the six Art. 21(2) sub-clauses most relevant to supply chain security. Each section includes three questions, a brief explanation of why it matters, and a suggested evidence document.

Note: This checklist is advisory — your competent authority or auditor may require additional measures based on your sector or organisation size. For contractual requirements, consult a lawyer.

Art. 21(2)(a) Risk management

NIS2's 'appropriate measures' standard calls for suppliers to manage cybersecurity risks systematically — on an ongoing basis, not just annually. Ask for evidence of the process, not just a yes/no answer.

  • Supplier has a documented cybersecurity risk management process (e.g. ISMS or ISO 27001 certification)
  • Risk management is reviewed regularly by senior management or the board — most recent review date on record
  • Critical information systems and data processing responsibilities are inventoried and classified

Suggested evidence documents:

  • Risk management policy or ISMS documentation
  • ISO 27001 certificate or equivalent audit report

Art. 21(2)(b) Incident handling

NIS2 Art. 23 requires significant incidents to be reported to the supervisory authority within 24 hours. In practice this is only achievable if your supplier notifies you promptly — which is why the notification obligation should be written into the contract.

  • Supplier has a documented incident response process with a tested IR plan
  • Supplier contractually commits to notifying you within 24 hours of detecting a significant incident
  • A named incident contact (CSIRT liaison) is designated and reachable around the clock

Suggested evidence documents:

  • Incident response plan summary
  • Written 24-hour notification commitment in the contract

Art. 21(2)(d) Supply chain

NIS2 extends to your suppliers' suppliers — so-called fourth-party risk. You must know who accesses your data or systems, even indirectly through sub-contractors.

  • Supplier knows their own critical sub-contractors that have access to data or systems
  • Supplier has a process for assessing their own sub-contractors' security at least annually
  • Security requirements are written into the supplier's own contracts — not just a general reference

Suggested evidence documents:

  • Sub-contractor register or summary of critical 4th parties
  • Description of 4th-party assessment process

Art. 21(2)(e) Procurement and development

Known vulnerabilities and end-of-life software are among the most common attack vectors. The supplier must demonstrate active vulnerability management.

  • No end-of-life or end-of-support software versions are running in the production environment
  • Critical vulnerabilities (CVSS ≥ 9.0) are patched within 30 days of public disclosure
  • CISA KEV-listed vulnerabilities are remediated within 48 hours of being added to the list

Suggested evidence documents:

  • Vulnerability management process description
  • Most recent patch report or vulnerability status snapshot

Art. 21(2)(h) Cryptography

Expired TLS certificates, missing HTTPS redirects and misconfigured email security are technical gaps that norppa.io checks automatically every day.

  • All public-facing services use a valid, non-expired TLS certificate — no self-signed or expired certs
  • HTTPS redirect is enforced on all web properties and API endpoints
  • Email security is properly configured: SPF (hardfail), DKIM (signed) and DMARC (at least quarantine policy)

Suggested evidence documents:

  • TLS certificate management process description
  • DMARC report or DNS configuration printout
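The three Art. 21(2)(h) items above can be verified from DNS and the served certificate. The following is an added example, not norppa.io's own code: it evaluates constructed TXT records for a hypothetical domain example.test (and DKIM selector s1) against the checklist's thresholds (SPF hardfail, DKIM key published, DMARC at least quarantine) and computes days until a TLS certificate expires from the notAfter string ssl.getpeercert() returns.

```python
import re
from datetime import datetime, timezone

# Constructed DNS TXT answers for a hypothetical supplier domain. In a real
# review these come from lookups of the domain, _dmarc.<domain> and the DKIM
# selector record; the DKIM key below is a shortened placeholder.
TXT_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mail.test ip4:203.0.113.10 -all"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"],
    "s1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC"],
}

def spf_is_hardfail(records):
    """Checklist item: SPF must end in -all (hardfail), not ~all or ?all."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # a missing or duplicate SPF record is a failure either way
        return False
    return spf[0].split()[-1].lower() == "-all"

def dmarc_policy(records):
    """Return the DMARC p= tag (none/quarantine/reject) or None if no record exists."""
    for r in records:
        if r.lower().startswith("v=dmarc1"):
            m = re.search(r"(?:^|;)\s*p=(\w+)", r, re.I)
            return m.group(1).lower() if m else None
    return None

def dkim_published(records):
    """Checklist item: a DKIM public key must be published for the selector in use."""
    return any(r.lower().startswith("v=dkim1") and "p=" in r for r in records)

def check_email_security(domain, selector, txt):
    """Evaluate SPF, DKIM and DMARC for one domain against the checklist thresholds."""
    policy = dmarc_policy(txt.get(f"_dmarc.{domain}", []))
    return {
        "spf_hardfail": spf_is_hardfail(txt.get(domain, [])),
        "dkim_signed": dkim_published(txt.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc_enforced": policy in ("quarantine", "reject"),
    }

def cert_days_remaining(not_after, now):
    """Days until expiry; not_after uses the ssl.getpeercert() format 'Jun  1 12:00:00 2025 GMT'."""
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (expiry - now).days  # negative means the certificate has already expired
```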

Art. 21(2)(i) Access control

Stolen credentials are the most common starting point for cyberattacks. The supplier must demonstrate both prevention of credential misuse and rapid detection.

  • MFA is enforced on all critical systems and admin accounts — no exceptions allowed
  • Credential leak monitoring is in place (dark web sources, HIBP or equivalent service)
  • Compromised credentials are rotated immediately upon detection and the incident is documented

Suggested evidence documents:

  • MFA enforcement configuration screenshot or policy
  • Credential leak monitoring provider or process description

What to do when a supplier fails the checklist?

A single gap does not automatically mean ending the supplier relationship. What matters is responding systematically and documenting the steps taken.

1–2 gaps: document and accept

Record the gaps in your supplier register, ask the supplier to provide a remediation plan within 90 days, and follow up at the next annual review.

3–5 gaps or a gap in Art. 21(2)(b): enhanced monitoring

Elevate the supplier to a higher risk tier. Request a written remediation plan with deadlines. Consider restricting access to the most critical systems until gaps are resolved.

6+ gaps or a critical technical vulnerability: escalate

Escalate to the CISO or senior management. Evaluate use of contractual remedies. If the supplier has access to production data or systems, consider suspending access until the situation is resolved.
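Two parts of this guide are mechanical enough to encode: the Art. 21(2)(e) patch SLAs (CVSS ≥ 9.0 within 30 days of disclosure, CISA KEV entries within 48 hours of listing) and the three-tier response ladder above. The following is an added example, not norppa.io's own code: it checks a constructed patch report (placeholder CVE identifiers, not real ones) for SLA breaches and maps a supplier's failed sub-clauses to the response tier, treating an SLA breach as the "critical technical vulnerability" that triggers escalation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CRITICAL_SLA = timedelta(days=30)  # CVSS >= 9.0: patched within 30 days of disclosure
KEV_SLA = timedelta(hours=48)      # CISA KEV: remediated within 48 hours of listing

@dataclass
class Finding:
    cve: str                      # placeholder identifier, constructed for this example
    cvss: float
    disclosed: datetime           # public disclosure date, or KEV listing date if in_kev
    patched: Optional[datetime]   # None while still open
    in_kev: bool = False

def sla_breaches(findings, now):
    """Return the CVE ids that missed their SLA: still open past the deadline, or patched late."""
    breaches = []
    for f in findings:
        if f.in_kev:
            deadline = f.disclosed + KEV_SLA
        elif f.cvss >= 9.0:
            deadline = f.disclosed + CRITICAL_SLA
        else:
            continue  # the checklist sets no hard deadline for lower severities
        closed_at = f.patched or now
        if closed_at > deadline:
            breaches.append(f.cve)
    return breaches

def response_tier(failed_subclauses, critical_technical_vuln):
    """Map failed Art. 21(2) sub-clause letters to the guide's response ladder."""
    gaps = len(failed_subclauses)
    if gaps >= 6 or critical_technical_vuln:
        return "escalate"
    if gaps >= 3 or "b" in failed_subclauses:
        return "enhanced monitoring"
    if gaps >= 1:
        return "document and accept"
    return "no action"

# Constructed patch report snapshot as of NOW; CVE ids are placeholders.
NOW = datetime(2025, 6, 1)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, datetime(2025, 4, 1), datetime(2025, 4, 20)),       # patched in 19 days: ok
    Finding("CVE-0000-0002", 9.1, datetime(2025, 4, 1), None),                         # open 61 days: breach
    Finding("CVE-0000-0003", 7.5, datetime(2025, 5, 29), None, in_kev=True),           # KEV listed 72h ago: breach
    Finding("CVE-0000-0004", 7.2, datetime(2025, 3, 1), None),                         # no SLA in the checklist
]
```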

Which items can be automated?

Six items on this checklist are technical in nature — they change over time without the supplier necessarily informing you. Manual annual assessment is unlikely to meet NIS2's 'appropriate measures' standard for ongoing monitoring.

norppa.io checks these items automatically every day for all your suppliers:

  • Art. 21(2)(h): TLS certificate validity and HTTPS redirects, SPF/DKIM/DMARC configuration, DNSSEC
  • Art. 21(2)(i): Credential leaks from dark web sources and HIBP breach databases
  • Art. 21(2)(e): CISA KEV listing monitoring, vulnerability findings based on CVE/EPSS scoring
  • Art. 21(2)(b): Ransomware victim listings — immediate alert if a supplier appears on a victim list

Process-level items (Art. 21(2)(a), (b), (d)) are covered by the norppa.io SAQ self-assessment questionnaire, which you can send to suppliers directly from the portal.

Automate technical checks with norppa.io

norppa.io automatically checks the technical items on this checklist daily — for all your suppliers simultaneously. Findings are automatically mapped to NIS2 Art. 21(2) sub-clauses.