Requirements·4 May 2026·6 min read

NIS2 supply-chain security: what Article 21 expects

Your security is only as strong as your suppliers'. NIS2 makes that explicit. Here's what supply-chain security actually requires.

Why supply chain is in NIS2

Some of the most damaging incidents in recent years entered through a trusted supplier or a piece of widely used software. NIS2 responds by making supply-chain security one of the ten Article 21 measures: you're expected to manage the risk your suppliers and service providers introduce, not just the risk inside your own perimeter.

What you're expected to do

  • Assess the security posture of direct suppliers and service providers.
  • Account for the quality and resilience of the products and services they provide.
  • Factor in the results of EU-coordinated security risk assessments of critical supply chains.
  • Reflect supplier risk in contracts and ongoing monitoring, not just at onboarding.

The hard part: knowing what connects to what

You can't assess supplier risk you can't see. Most organisations underestimate how many third-party services, integrations and dependencies touch their critical systems, and that map changes constantly.

How Alexus helps

Alexus maintains a live operational graph of your systems and their dependencies, including third-party integrations, so supply-chain exposure is mapped rather than assumed. When a supplier-related incident hits, the blast radius is already visible. This article is general guidance, not legal advice.

Make NIS2 evidence a query, not a project

Alexus turns the IT operations you already run into continuous Article 21 readiness, ready-to-file Article 23 reports and a hash-chained audit trail.