Framework — NIS2

Supply chain security is now law

The NIS2 Directive requires essential and important entities to assess their direct suppliers and service providers. Sudory makes that assessment continuous — not annual.

Key articles

What NIS2 requires

Article 21 establishes the cybersecurity risk-management measures that entities must implement. Supply chain security — Article 21(2)(d) — is where vendor due diligence lives.

Article 21(1)

Cybersecurity risk-management measures

Essential and important entities must take appropriate technical, operational, and organisational measures to manage risks to the security of network and information systems.

Article 21(2)(d)

Supply chain security

Entities must address security-related aspects of relationships with direct suppliers and service providers — including vulnerability assessments and overall quality of products and cybersecurity practices.

Article 21(2)(a)

Policies on risk analysis

Entities must establish policies on risk analysis and information system security. Sudory's risk register and policy-as-code engine enforce these policies continuously.

Article 23

Incident reporting obligations

Significant incidents must be reported in stages: an early warning within 24 hours, an incident notification within 72 hours, and a final report within 1 month. Sudory's compliance ledger provides the forensic timeline.

Article 21(2)(d)

Supply chain security in practice

NIS2 requires entities to address vulnerabilities specific to each direct supplier and service provider. Here's how Sudory operationalises that requirement.

Assess direct suppliers

Evaluate the cybersecurity practices of every direct supplier. Sudory scans vendor infrastructure from the outside (DNS, TLS, HTTP headers, email authentication) as a first-pass assessment.

Assess service providers

ICT service providers require deeper evaluation. Sudory's vendor directory provides certifications (SOC 2, DPF), subprocessor chains, and data processing regions for 1,500+ providers.

Monitor product quality

NIS2 requires assessing the overall quality of products. Sudory's continuous scanning detects configuration drift, expired certificates, and degraded security posture.

Vulnerability-specific assessment

Each supplier introduces different risks. Sudory maps findings to specific vendors — so you know which supplier introduces which vulnerability.

Terminology

NIS2's vocabulary

NIS2 introduces entity classifications and supply chain concepts. These terms determine who's in scope and what they must do.

Essential entities

Large organisations in critical sectors — energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, and space.

Important entities

Medium-sized organisations in critical sectors, plus entities in postal, waste, chemicals, food, manufacturing, digital providers, and research.

Direct suppliers

NIS2's term for first-tier vendors. Entities must assess the cybersecurity practices of their direct suppliers — not just their own infrastructure.

Service providers

Third-party service providers supporting network and information systems. SaaS vendors, cloud providers, managed service providers — all in scope.

Supply chain security

Article 21(2)(d) requires entities to address vulnerabilities specific to each direct supplier and service provider, and the overall quality of their cybersecurity practices.

Proportionality principle

Measures must be proportionate to the risk, the size of the entity, the likelihood of incidents, and the severity of potential impact. Not one-size-fits-all.

How Sudory helps

NIS2 compliance, operationalised

Sudory's scanning engine, vendor directory, and policy framework map directly to NIS2's Article 21 requirements. Continuous evidence, not annual audits.

Continuous risk assessment

Article 21(2)(a) requires risk analysis policies. Sudory's risk register links risks to policies and controls. Residual risk updates automatically as your posture changes.

Supply chain visibility

Article 21(2)(d) requires supply chain security. Sudory's vendor directory and scanning engine assess your direct suppliers and service providers — from DNS to subprocessor chains.

Incident readiness

Article 23 requires fast incident reporting. Sudory's compliance ledger is append-only and timestamped — reconstruct what was true before, during, and after any incident.

Policy enforcement

NIS2 requires "appropriate measures". Sudory's policy-as-code engine defines what "appropriate" means for your organisation — balance policies, freshness checks, flow controls.

Cross-framework mapping

Already ISO 27001 certified? Sudory maps your existing Annex A controls to NIS2 Article 21 requirements. One scan produces evidence for both frameworks.

Evidence trail

Every scan result enters the compliance ledger as timestamped evidence. When the national authority asks for proof, export the ledger — not a scrambled spreadsheet.

For MSPs

NIS2 readiness as a service

Your clients are essential and important entities that need help meeting NIS2 requirements. Deliver supply chain assessment and continuous compliance as a managed service.

NIS2 readiness across clients

Your clients are essential or important entities. Scan their domains, assess their supply chains, and produce NIS2-ready evidence — as a managed service.

Supply chain assessment at scale

Article 21(2)(d) applies to every client. Sudory's vendor directory lets you assess shared suppliers across your portfolio — revealing common risk exposure.

Proportionate measures

NIS2's proportionality principle means smaller clients need lighter controls. Sudory's policy engine lets you set appropriate thresholds per client — not one-size-fits-all.

Assess your supply chain today

Scan any domain to assess its security posture. Browse 1,500+ vendor profiles with subprocessor chains and certifications. The supply chain visibility NIS2 demands — already built.