Art. 21(2)(d) | Last updated: May 2026
NIS2 Supply Chain Classifier
Enter your suppliers and service providers, and the tool classifies each as Tier 1 (Critical), Tier 2 (Important), or Tier 3 (Standard). You immediately see which questionnaires, contract clauses, and audit rights are required per tier.
NIS2 Article 21(2)(d): What is Required?
Article 21(2)(d) of the NIS2 Directive makes supply chain security mandatory for all covered entities. Entities must assess the cybersecurity risks posed by their direct suppliers and service providers.
The assessment must take into account the quality of the supplier's security products and practices, including their own security policies and secure development practices.
Tier Classification Logic
Tier 1: Supplier can disrupt your operations, OR has access to personal or sensitive data. Includes all cloud infrastructure, SaaS platforms processing personal data, and any managed service provider with admin access to your systems.
Tier 2: SaaS or managed service without personal data access, or suppliers providing business-relevant services that are not operationally critical.
Tier 3: Suppliers with no significant data access and no ability to disrupt your operations. Includes standard hardware vendors, general consulting, and non-integrated software.
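The tier rules above, applied to a small supplier inventory. This is an added example, not the tool's own code: the `Supplier` field names, the `kind` values, and the choice to evaluate Tier 1 conditions before Tier 2 are assumptions, and the inventory is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    # Field names are assumptions made for this example, not the tool's schema.
    name: str
    kind: str  # e.g. "cloud_infrastructure", "saas", "managed_service", "hardware"
    can_disrupt_operations: bool = False
    personal_or_sensitive_data: bool = False
    admin_access: bool = False
    business_relevant: bool = False


def classify(s):
    """Return (tier, matched rule). Tier 1 rules are checked first, so they win."""
    if s.can_disrupt_operations:
        return 1, "can disrupt operations"
    if s.personal_or_sensitive_data:
        return 1, "access to personal or sensitive data"
    if s.kind == "cloud_infrastructure":
        return 1, "cloud infrastructure"
    if s.kind == "managed_service" and s.admin_access:
        return 1, "managed service provider with admin access"
    if s.kind in ("saas", "managed_service"):
        return 2, "SaaS or managed service without personal data access"
    if s.business_relevant:
        return 2, "business-relevant, not operationally critical"
    return 3, "no significant data access, cannot disrupt operations"


def classify_inventory(suppliers):
    """Group (name, matched rule) pairs by tier so Tier 1 is reviewed first."""
    tiers = {1: [], 2: [], 3: []}
    for s in suppliers:
        tier, reason = classify(s)
        tiers[tier].append((s.name, reason))
    return tiers


# Constructed sample inventory; every supplier name is fictional.
INVENTORY = [
    Supplier("ExampleCloud", "cloud_infrastructure"),
    Supplier("HR-SaaS", "saas", personal_or_sensitive_data=True),
    Supplier("Diagram-SaaS", "saas"),
    Supplier("PatchOps MSP", "managed_service", admin_access=True),
    Supplier("Monitoring MSP", "managed_service"),
    Supplier("Laptop Reseller", "hardware"),
]
```

Recording the matched rule next to each tier keeps the classification auditable: a SaaS platform lands in Tier 1 only because of its data access, and that reason is what a reviewer needs to see.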