Supply Chain Security under NIS2
The NIS2 Directive imposes a wide range of mandatory security measures on both essential and important entities (Article 21). When it comes to supply chain security, Article 21(3) explicitly states that vendor requirements must factor in supplier-specific vulnerabilities and the overall quality of their cybersecurity practices, including secure development procedures.
The clearest picture of what this actually looks like in practice can be found in the Implementing Regulation (EU) 2024/2690. While it is formally binding only for digital service providers, it serves as the most concrete reference point for interpreting NIS2 requirements across the board. Section 5 of the annex leaves no room for doubt: organizations must establish concrete selection criteria for suppliers. These benchmarks must cover cybersecurity practices, the ability to meet security specifications, and the overall quality and resilience of ICT products and services.
These criteria must be factored in right from the start of the procurement process. At the very least, you must conduct a tangible, individual cybersecurity assessment for every single vendor.
The assessment must be documented
The directive doesn't explicitly mandate a specific documentation format, but it does state that supervisory authorities can conduct audits and request any information necessary to demonstrate compliance. A vendor assessment that lives purely in an analyst's head, or is buried deep within an untraceable email thread, simply won't cut it. Regulators expect you to explain exactly which criteria you used and how each specific vendor measured up against them.
Proper assessments take time and resources
Most companies usually do some form of vetting before signing a contract, at least for their most critical vendors. This typically involves:
- Requesting a Consensus Assessment Initiative Questionnaire (CAIQ).
- Skimming a SOC 2 report.
- Checking for an ISO 27001 certification.
While that effort is genuine, it's often inconsistent and lacks a clear paper trail. It's highly doubtful that this ad-hoc approach satisfies the structured, criteria-driven rigor required by NIS2.
Thoroughly reviewing the security documentation of a single vendor takes time, and honestly, it's pretty tedious. Doing this consistently across your entire vendor portfolio, measured against identical benchmarks, and maintaining an auditable trail is a massive operational burden. That is why so many vendor assessments end up as random spot-checks rather than a systematic, everyday practice.
How Vette solves this
Vette turns vendor security documentation into a defensible assessment mapped directly to your organization's own requirements, entirely automated and with a built-in audit trail.
- You define the criteria. You can build your requirements from scratch or use ready-made templates. This can cover everything from basic security hygiene to the exact contractual terms the regulation explicitly demands: incident notification, audit rights, vulnerability management, subcontractor requirements, and post-termination obligations.
- Vette handles the collection. The platform automatically gathers publicly available documentation, CAIQ responses, terms of service, privacy policies, and data processing agreements (DPAs). Confidential materials, like SOC 2 reports, can be uploaded manually and flow straight into the same unified analysis.
- The analysis is automated. Instead of manual cross-referencing, Vette evaluates the documentation against each requirement, clearly highlighting where a vendor complies, falls short, or stays completely silent.
The result? A fast, consistent, and comprehensive assessment backed by an audit trail that can actually stand up to external scrutiny.
When regulations change or a vendor is up for contract renewal, you can rerun the analysis instantly against updated documentation. This turns your initial pre-assessment into a natural baseline for the continuous monitoring that NIS2 expects over time.