NIS2 Third-Party Risk Management (TPRM): Manage Supply Chain Risk and Satisfy Article 21(2)(d)

NIS2 makes supply chain security an explicit obligation for essential and important entities. You must not only demonstrably manage your own cybersecurity — you must also manage the risks of critical suppliers, ICT service providers, and dependencies across your chain.

NIS2
requires organisations to actively manage risks across their supply chain
24/7
continuous monitoring detects changes in supplier risk faster than annual reviews
€10M
maximum NIS2 penalty for essential entities — or 2% of global annual turnover

Penalty reference based on NIS2 Article 34: essential entities up to at least €10,000,000 or 2% of global annual turnover; important entities up to at least €7,000,000 or 1.4% of global annual turnover. See Directive (EU) 2022/2555 and the Dutch Cyberbeveiligingswet/NIS2 guidance from the NCSC.

Note: NIS2 requires governance and oversight by management bodies. Management boards have explicit oversight and accountability obligations. The exact legal consequences, including potential personal management liability, depend on national implementation and specific circumstances. Always have legal claims reviewed before publishing.

What NIS2 Requires for Third-Party Risk

NIS2 Article 21(2)(d) requires organisations to address cybersecurity risks in their supply chain — including security-related aspects of relationships with direct suppliers and service providers. In practice, this means: inventorise, embed contractually, monitor, document, and remediate.

1

Supplier Risk Assessments

Evaluate the cybersecurity posture of critical suppliers and service providers.

  • Identify critical suppliers, ICT providers, and key service dependencies
  • Assess supplier cybersecurity policies, controls, and governance practices
  • Review certifications, audit reports, incident history, and compliance evidence
  • Classify suppliers based on criticality, access privileges, and business impact

→ NIS2 Article 21(2)(d)

2

Contractual Security Requirements

Embed cybersecurity obligations into supplier and service-provider agreements.

  • Include security requirements and incident-response obligations in contracts
  • Require timely notification of security incidents affecting your organisation
  • Define audit rights, assurance mechanisms, and compliance verification processes
  • Address subcontractor and fourth-party risks through contractual controls

→ NIS2 Article 21(2)(d)

3

Continuous Monitoring

Maintain ongoing visibility into changing cyber risk across your supplier base.

  • Monitor the external attack surface of critical suppliers
  • Track changes in security posture, vulnerabilities, and risk indicators
  • Identify hidden dependencies and unmanaged third-party relationships
  • Maintain a current supply-chain risk register with remediation tracking

→ NIS2 Article 21(2)(d)

4

Incident Coordination

Manage supplier-related incidents and support NIS2 reporting requirements.

  • Assess the impact of supplier incidents on systems, services, and data
  • Determine whether incidents could trigger NIS2 reporting obligations
  • Coordinate incident communication and response activities with suppliers
  • Maintain evidence, remediation records, and incident documentation

→ NIS2 Article 21(2)(b), 21(2)(d) and Article 23

Why Manual TPRM Cannot Scale Under NIS2

Most organisations manage dozens to hundreds of supplier relationships. Spreadsheets, annual questionnaires, and scattered email evidence do not provide a reliable, current, and auditable picture of supplier risk.

📋

Spreadsheets Break at Scale

Managing supplier risk manually leads to gaps, duplicates, and stale data. NIS2 requires demonstrable governance — not a spreadsheet from last quarter.

🔍

Hidden Dependencies

Sub-processors, cloud dependencies, and shadow vendors introduce risk that often only becomes visible after an incident has already occurred.

⏱️

Annual Assessments Are Not Enough

A supplier that scored acceptably in January may have new vulnerabilities, exposed systems, or leaked credentials by March.

📄

Audit Evidence Is Scattered

Regulators and auditors expect documented evidence. Scattered emails, shared folders, and loose screenshots make compliance difficult to demonstrate.

🔗

Fourth-Party Risk Is Invisible

Your suppliers have suppliers too. Without visibility into sub-processors and dependencies, your risk picture stops too early in the chain.

⚖️

Management Accountability

NIS2 Article 20 places governance obligations on management bodies. Without demonstrable oversight, supplier risk becomes a board-level exposure.

Business Impact: From Compliance Burden to Operational Advantage

Effective third-party risk management does more than satisfy NIS2. It accelerates audits, improves board reporting, and makes supplier risk manageable and visible.

🚀

Faster Audits

Centralise evidence, assessments, and remediation so audit preparation becomes less ad hoc and more efficient.

👁️

Continuous Visibility

See changes in supplier risk as they emerge — not when you get to next year's annual review.

📈

Board-Ready Reporting

Translate technical findings into priorities, trends, and decision-ready information for management.

🛡️

Lower Exposure

Prioritise suppliers with the greatest impact and reduce risk before it becomes an incident.

Magic Stone Solution

AI-Powered Supply Chain Risk Management — Powered by Rescana

Magic Stone replaces manual TPRM spreadsheets with continuous, AI-driven supplier risk monitoring powered by Rescana. Discover your supplier ecosystem, monitor external exposure, prioritise remediation, and build a demonstrable compliance dossier for NIS2 Article 21(2)(d) and DORA.

See the Service →

How Magic Stone Solves TPRM for NIS2

Magic Stone deploys Rescana as part of a practical TPRM programme — from supplier inventory and risk classification to monitoring, remediation, and management reporting.

🤖

Automated Supplier Discovery

Map your full supplier ecosystem — including sub-processors and unknown dependencies not captured in existing spreadsheets.

📡

Continuous Attack Surface Monitoring

Monitor external exposure, misconfigurations, vulnerabilities, and signals indicating elevated supplier risk.

📊

Real-Time Risk Scoring

Prioritise suppliers based on current security posture, criticality, and business impact — not last year's questionnaire.

📁

Audit-Ready Evidence

Centralise assessments, risk scores, monitoring logs, actions, and decisions in one demonstrable compliance dossier.

NIS2 & DORA Mapping

Map supplier risk findings directly to NIS2 and DORA obligations so compliance efforts remain targeted and traceable.

🏆

Recognised Innovation

Rescana was selected by Magic Stone for its AI-driven approach to supplier risk management, chain visibility, continuous monitoring, and support for European regulatory compliance requirements.

Why Rescana Instead of Traditional TPRM?

Many TPRM processes are built around questionnaires. That remains useful — but NIS2 demands better evidence, more current insight, and faster follow-up.

CapabilityRescana / Magic Stone ApproachTraditional TPRM
Supplier discovery Automated discovery and enrichmentLimited Often manual inventory
Continuous monitoring Ongoing external risk signalsLimited Often annual assessment
NIS2 mapping Findings mapped to obligationsLimited Often manual interpretation
Audit evidence Central dossier with exportsLimited Emails, folders, spreadsheets
Fourth-party visibility Focus on chain dependencies Often first-tier only
Management reporting Risk translated into prioritiesLimited Often technical or fragmented

Examples of Audit-Ready Evidence

A NIS2 programme must be demonstrable. Magic Stone helps structure evidence so you are not scrambling when an auditor, regulator, or customer asks for substantiation.

Supplier Inventory

A current overview of critical suppliers, ICT service providers, subcontractors, and dependencies.

Risk Register

Categorised risks with owner, impact, likelihood, status, and planned actions.

Supplier Scorecards

Per-supplier overview of risk score, findings, trends, and relevant evidence documents.

Remediation Tracking

Open actions, deadlines, ownership, and evidence of follow-up and completion.

Incident Dossier

Documentation of supplier incidents, impact analysis, communication, and decision records.

Board Reporting

Management summaries with trends, top risks, status, and decision-ready points.

📋 NIS2 Compliance Checklist & Readiness Workbook 2026

Download the full workbook — all ten NIS2 sections with Yes / Partial / No scoring, organisation details, and a scoring guide. Print it, fill it in, share it with your board.

Download Workbook (PDF)
NIS2 Article 21(2)(d) — the core obligation

"...security of the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers..."

This means supplier risk must be part of your cybersecurity risk-management measures. Magic Stone's Supply Chain Risk Management service is built to make this demonstrable, scalable, and manageable.

Frequently Asked Questions about NIS2 and Third-Party Risk

What does NIS2 require for third-party risk management?

NIS2 Article 21(2)(d) requires organisations to address supply chain security as part of their cybersecurity risk-management measures — including security-related aspects of relationships with direct suppliers and service providers.

Do we need to monitor all suppliers?

Not every supplier requires the same level of monitoring. A risk-based approach starts with criticality: access to systems or data, impact on essential services, dependency, geographic risk, and compliance requirements.

Does NIS2 require continuous monitoring?

NIS2 does not prescribe one specific tool or monitoring frequency, but organisations must take appropriate and proportionate measures. For critical suppliers, an annual questionnaire is often insufficient to demonstrably manage changing cyber risk.

Are spreadsheets sufficient for NIS2 compliance?

Spreadsheets can serve as a starting point, but often fall short at scale, currency, evidence management, workflows, and reporting. For a mature TPRM programme, centralised, current, and exportable evidence is important.

What is the difference between NIS2 and DORA for supplier risk?

NIS2 applies broadly to essential and important entities across multiple sectors. DORA focuses specifically on digital operational resilience in the financial sector and contains detailed requirements for ICT third-party risk. Many organisations need to look at both frameworks together.

How long does implementation take?

This depends on the number of suppliers, data quality, and existing processes. A pragmatic start typically consists of scope definition, supplier inventory, risk classification, monitoring priorities, and a first management report.

Can Magic Stone also help with policy and contractual requirements?

Yes. Beyond tooling, Magic Stone can assist with risk classification, contractual security clauses, supplier due diligence, evidence structuring, and NIS2/DORA reporting.

Ready to Automate Your NIS2 Supply Chain Compliance?

Book a call with Magic Stone. We'll show you how to structure supplier risk, monitor it continuously, and turn it into demonstrable compliance evidence for NIS2, DORA, and management reporting.

See the Supply Chain Risk Management Service Book a NIS2 Assessment
hero p { max-width:1120px; font-size:19px; margin:0 auto 28px; color:#e5e7eb; } .ms-hero .ms-btn-wrap { max-width:1120px; margin:0 auto; } .ms-content { width:100%; max-width:1120px; margin:0 auto; padding:0 20px 55px; } .ms-btn { display:inline-block; background:#57A200; color:#fff!important; padding:14px 26px; border-radius:8px; text-decoration:none; font-weight:700; margin-top:10px; } .ms-btn:hover { background:#468500; color:#fff!important; } .ms-btn-secondary { display:inline-block; background:transparent; color:#57A200!important; border:2px solid #57A200; padding:12px 24px; border-radius:8px; text-decoration:none; font-weight:700; margin-top:10px; margin-left:10px; } .ms-btn-secondary:hover { background:#57A200; color:#fff!important; } .ms-section { margin-bottom:48px; } .ms-section h2 { font-size:30px; margin-bottom:8px; color:#111827; } .ms-section-intro { font-size:16px; color:#6b7280; margin-bottom:22px; } .ms-grid-2 { display:grid; grid-template-columns:repeat(2,1fr); gap:20px; margin-top:25px; } .ms-grid-3 { display:grid; grid-template-columns:repeat(3,1fr); gap:20px; margin-top:25px; } .ms-grid-4 { display:grid; grid-template-columns:repeat(4,1fr); gap:18px; margin-top:25px; } .ms-checklist-card { background:#fff; border:1px solid #e5e7eb; border-top:4px solid #57A200; border-radius:14px; padding:22px 24px; box-shadow:0 4px 16px rgba(0,0,0,.04); } .ms-checklist-card .ms-card-num { display:inline-flex; align-items:center; justify-content:center; width:26px; height:26px; background:#0f172a; color:#57A200; border-radius:6px; font-size:12px; font-weight:800; margin-bottom:10px; } .ms-checklist-card h3 { margin:0 0 5px; font-size:17px; color:#111827; } .ms-checklist-card .ms-card-intro { font-size:13.5px; color:#6b7280; margin-bottom:12px; line-height:1.5; } .ms-checklist { list-style:none; padding:0; margin:0; } .ms-checklist li { display:flex; gap:9px; align-items:flex-start; padding:6px 0; border-bottom:1px solid #f3f4f6; font-size:14px; color:#374151; line-height:1.5; } .ms-checklist li:last-child { border-bottom:none; } .ms-checklist li::before { content:"\2610"; font-size:16px; color:#57A200; flex-shrink:0; margin-top:1px; } .ms-pain-card { background:#fff; border:1px solid #e5e7eb; border-left:4px solid #e8192c; border-radius:14px; padding:22px 24px; box-shadow:0 4px 16px rgba(0,0,0,.04); } .ms-pain-card h3 { margin:0 0 8px; font-size:17px; color:#111827; } .ms-pain-card p { font-size:14px; color:#6b7280; margin:0; line-height:1.6; } .ms-pain-icon { font-size:26px; margin-bottom:10px; } .ms-sol-card { background:#f3f8ef; border:1px solid #d1e8b8; border-radius:14px; padding:22px 24px; } .ms-sol-card h3 { margin:0 0 8px; font-size:17px; color:#111827; } .ms-sol-card p { font-size:14px; color:#374151; margin:0; line-height:1.6; } .ms-sol-icon { font-size:26px; margin-bottom:10px; } .ms-outcome-card { background:#fff; border:1px solid #e5e7eb; border-radius:14px; padding:22px 24px; box-shadow:0 4px 16px rgba(0,0,0,.04); } .ms-outcome-card h3 { margin:0 0 8px; font-size:17px; color:#111827; } .ms-outcome-card p { font-size:14px; color:#6b7280; margin:0; line-height:1.6; } .ms-outcome-icon { font-size:26px; margin-bottom:10px; } .ms-proof-card { background:#fff; border:1px solid #e5e7eb; border-radius:14px; padding:20px 22px; box-shadow:0 4px 16px rgba(0,0,0,.04); } .ms-proof-card h3 { margin:0 0 8px; font-size:16px; color:#111827; } .ms-proof-card p { font-size:14px; color:#6b7280; margin:0; line-height:1.6; } .ms-strip { background:#f3f8ef; border-left:5px solid #57A200; padding:28px; border-radius:14px; margin:40px 0; } .ms-warning-strip { background:#fff7ed; border-left:5px solid #f97316; padding:24px 28px; border-radius:14px; margin:0 0 36px; } .ms-warning-strip strong { color:#9a3412; } .ms-stat-row { display:grid; grid-template-columns:repeat(3,1fr); gap:20px; margin:28px 0 10px; } .ms-stat-box { background:#fff; border:1px solid #e5e7eb; border-radius:14px; padding:24px; text-align:center; box-shadow:0 4px 16px rgba(0,0,0,.04); } .ms-stat-num { font-size:38px; font-weight:800; color:#57A200; line-height:1; margin-bottom:6px; } .ms-stat-label { font-size:14px; color:#6b7280; line-height:1.4; } .ms-source-note { font-size:12px; color:#9ca3af; margin:10px 0 34px; line-height:1.5; } .ms-source-note a { color:#6b7280; text-decoration:underline; } .ms-service-cta { background:linear-gradient(135deg,#173154 0%,#1e3a6e 100%); border-radius:18px; padding:40px 36px; margin:40px 0; display:grid; grid-template-columns:1fr auto; gap:32px; align-items:center; } .ms-service-cta h3 { color:#fff; font-size:24px; margin:0 0 10px; } .ms-service-cta p { color:#94a3b8; font-size:16px; margin:0; line-height:1.65; } .ms-service-cta-badge { display:inline-block; background:rgba(87,162,0,0.15); color:#57A200; border:1px solid rgba(87,162,0,0.3); border-radius:6px; font-size:12px; font-weight:700; padding:3px 10px; margin-bottom:10px; letter-spacing:.04em; text-transform:uppercase; } .ms-btn-white { display:inline-block; background:#fff; color:#173154!important; padding:14px 26px; border-radius:8px; text-decoration:none; font-weight:700; white-space:nowrap; transition:background .2s; } .ms-btn-white:hover { background:#f0f4ff; } .ms-table-wrap { overflow-x:auto; margin-top:24px; } .ms-compare-table { width:100%; border-collapse:collapse; background:#fff; border:1px solid #e5e7eb; border-radius:14px; overflow:hidden; box-shadow:0 4px 16px rgba(0,0,0,.04); } .ms-compare-table th { background:#0f172a; color:#fff; padding:14px 16px; text-align:left; font-size:14px; } .ms-compare-table td { padding:14px 16px; border-bottom:1px solid #eef2f7; font-size:14px; color:#374151; } .ms-compare-table tr:last-child td { border-bottom:none; } .ms-yes { color:#57A200; font-weight:800; } .ms-partial { color:#f97316; font-weight:800; } .ms-no { color:#e8192c; font-weight:800; } .ms-faq { border-top:1px solid #e5e7eb; margin-top:22px; } .ms-faq-item { border-bottom:1px solid #e5e7eb; padding:18px 0; } .ms-faq-item h3 { font-size:17px; margin:0 0 8px; color:#111827; } .ms-faq-item p { margin:0; color:#6b7280; font-size:14.5px; line-height:1.65; } .ms-cta { background:#111827; color:#fff; border-radius:18px; padding:45px 35px; text-align:center; margin-top:50px; } .ms-cta h2 { color:#fff; font-size:32px; margin-bottom:15px; } .ms-cta p { color:#e5e7eb; max-width:780px; margin:0 auto 22px; font-size:18px; } .ms-links a { color:#57A200; font-weight:700; text-decoration:none; } .ms-links a:hover { text-decoration:underline; } .ms-list { padding-left:22px; } .ms-list li { margin-bottom:10px; } .ms-art21-note { font-size:13px; color:#9ca3af; margin-top:6px; font-style:italic; } @media(max-width:900px) { .ms-grid-2, .ms-grid-3, .ms-grid-4, .ms-stat-row { grid-template-columns:1fr; } .ms-service-cta { grid-template-columns:1fr; } .ms-hero { padding:50px 24px; } .ms-hero h1 { font-size:32px; } .ms-btn-secondary { margin-left:0; display:block; margin-top:10px; text-align:center; } .ms-btn { display:block; text-align:center; } }

NIS2 Third-Party Risk Management (TPRM): Manage Supply Chain Risk and Satisfy Article 21(2)(d)

NIS2 makes supply chain security an explicit obligation for essential and important entities. You must not only demonstrably manage your own cybersecurity — you must also manage the risks of critical suppliers, ICT service providers, and dependencies across your chain.

NIS2
requires organisations to actively manage risks across their supply chain
24/7
continuous monitoring detects changes in supplier risk faster than annual reviews
€10M
maximum NIS2 penalty for essential entities — or 2% of global annual turnover

Penalty reference based on NIS2 Article 34: essential entities up to at least €10,000,000 or 2% of global annual turnover; important entities up to at least €7,000,000 or 1.4% of global annual turnover. See Directive (EU) 2022/2555 and the Dutch Cyberbeveiligingswet/NIS2 guidance from the NCSC.

Note: NIS2 requires governance and oversight by management bodies. Management boards have explicit oversight and accountability obligations. The exact legal consequences, including potential personal management liability, depend on national implementation and specific circumstances. Always have legal claims reviewed before publishing.

What NIS2 Requires for Third-Party Risk

NIS2 Article 21(2)(d) requires organisations to address cybersecurity risks in their supply chain — including security-related aspects of relationships with direct suppliers and service providers. In practice, this means: inventorise, embed contractually, monitor, document, and remediate.

1

Supplier Risk Assessments

Evaluate the cybersecurity posture of critical suppliers and service providers.

  • Identify critical suppliers, ICT providers, and key service dependencies
  • Assess supplier cybersecurity policies, controls, and governance practices
  • Review certifications, audit reports, incident history, and compliance evidence
  • Classify suppliers based on criticality, access privileges, and business impact

→ NIS2 Article 21(2)(d)

2

Contractual Security Requirements

Embed cybersecurity obligations into supplier and service-provider agreements.

  • Include security requirements and incident-response obligations in contracts
  • Require timely notification of security incidents affecting your organisation
  • Define audit rights, assurance mechanisms, and compliance verification processes
  • Address subcontractor and fourth-party risks through contractual controls

→ NIS2 Article 21(2)(d)

3

Continuous Monitoring

Maintain ongoing visibility into changing cyber risk across your supplier base.

  • Monitor the external attack surface of critical suppliers
  • Track changes in security posture, vulnerabilities, and risk indicators
  • Identify hidden dependencies and unmanaged third-party relationships
  • Maintain a current supply-chain risk register with remediation tracking

→ NIS2 Article 21(2)(d)

4

Incident Coordination

Manage supplier-related incidents and support NIS2 reporting requirements.

  • Assess the impact of supplier incidents on systems, services, and data
  • Determine whether incidents could trigger NIS2 reporting obligations
  • Coordinate incident communication and response activities with suppliers
  • Maintain evidence, remediation records, and incident documentation

→ NIS2 Article 21(2)(b), 21(2)(d) and Article 23

Why Manual TPRM Cannot Scale Under NIS2

Most organisations manage dozens to hundreds of supplier relationships. Spreadsheets, annual questionnaires, and scattered email evidence do not provide a reliable, current, and auditable picture of supplier risk.

📋

Spreadsheets Break at Scale

Managing supplier risk manually leads to gaps, duplicates, and stale data. NIS2 requires demonstrable governance — not a spreadsheet from last quarter.

🔍

Hidden Dependencies

Sub-processors, cloud dependencies, and shadow vendors introduce risk that often only becomes visible after an incident has already occurred.

⏱️

Annual Assessments Are Not Enough

A supplier that scored acceptably in January may have new vulnerabilities, exposed systems, or leaked credentials by March.

📄

Audit Evidence Is Scattered

Regulators and auditors expect documented evidence. Scattered emails, shared folders, and loose screenshots make compliance difficult to demonstrate.

🔗

Fourth-Party Risk Is Invisible

Your suppliers have suppliers too. Without visibility into sub-processors and dependencies, your risk picture stops too early in the chain.

⚖️

Management Accountability

NIS2 Article 20 places governance obligations on management bodies. Without demonstrable oversight, supplier risk becomes a board-level exposure.

Business Impact: From Compliance Burden to Operational Advantage

Effective third-party risk management does more than satisfy NIS2. It accelerates audits, improves board reporting, and makes supplier risk manageable and visible.

🚀

Faster Audits

Centralise evidence, assessments, and remediation so audit preparation becomes less ad hoc and more efficient.

👁️

Continuous Visibility

See changes in supplier risk as they emerge — not when you get to next year's annual review.

📈

Board-Ready Reporting

Translate technical findings into priorities, trends, and decision-ready information for management.

🛡️

Lower Exposure

Prioritise suppliers with the greatest impact and reduce risk before it becomes an incident.

Magic Stone Solution

AI-Powered Supply Chain Risk Management — Powered by Rescana

Magic Stone replaces manual TPRM spreadsheets with continuous, AI-driven supplier risk monitoring powered by Rescana. Discover your supplier ecosystem, monitor external exposure, prioritise remediation, and build a demonstrable compliance dossier for NIS2 Article 21(2)(d) and DORA.

See the Service →

How Magic Stone Solves TPRM for NIS2

Magic Stone deploys Rescana as part of a practical TPRM programme — from supplier inventory and risk classification to monitoring, remediation, and management reporting.

🤖

Automated Supplier Discovery

Map your full supplier ecosystem — including sub-processors and unknown dependencies not captured in existing spreadsheets.

📡

Continuous Attack Surface Monitoring

Monitor external exposure, misconfigurations, vulnerabilities, and signals indicating elevated supplier risk.

📊

Real-Time Risk Scoring

Prioritise suppliers based on current security posture, criticality, and business impact — not last year's questionnaire.

📁

Audit-Ready Evidence

Centralise assessments, risk scores, monitoring logs, actions, and decisions in one demonstrable compliance dossier.

NIS2 & DORA Mapping

Map supplier risk findings directly to NIS2 and DORA obligations so compliance efforts remain targeted and traceable.

🏆

Recognised Innovation

Rescana was selected by Magic Stone for its AI-driven approach to supplier risk management, chain visibility, continuous monitoring, and support for European regulatory compliance requirements.

Why Rescana Instead of Traditional TPRM?

Many TPRM processes are built around questionnaires. That remains useful — but NIS2 demands better evidence, more current insight, and faster follow-up.

CapabilityRescana / Magic Stone ApproachTraditional TPRM
Supplier discovery Automated discovery and enrichmentLimited Often manual inventory
Continuous monitoring Ongoing external risk signalsLimited Often annual assessment
NIS2 mapping Findings mapped to obligationsLimited Often manual interpretation
Audit evidence Central dossier with exportsLimited Emails, folders, spreadsheets
Fourth-party visibility Focus on chain dependencies Often first-tier only
Management reporting Risk translated into prioritiesLimited Often technical or fragmented

Examples of Audit-Ready Evidence

A NIS2 programme must be demonstrable. Magic Stone helps structure evidence so you are not scrambling when an auditor, regulator, or customer asks for substantiation.

Supplier Inventory

A current overview of critical suppliers, ICT service providers, subcontractors, and dependencies.

Risk Register

Categorised risks with owner, impact, likelihood, status, and planned actions.

Supplier Scorecards

Per-supplier overview of risk score, findings, trends, and relevant evidence documents.

Remediation Tracking

Open actions, deadlines, ownership, and evidence of follow-up and completion.

Incident Dossier

Documentation of supplier incidents, impact analysis, communication, and decision records.

Board Reporting

Management summaries with trends, top risks, status, and decision-ready points.

NIS2 Article 21(2)(d) — the core obligation

"...security of the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers..."

This means supplier risk must be part of your cybersecurity risk-management measures. Magic Stone's Supply Chain Risk Management service is built to make this demonstrable, scalable, and manageable.

Frequently Asked Questions about NIS2 and Third-Party Risk

What does NIS2 require for third-party risk management?

NIS2 Article 21(2)(d) requires organisations to address supply chain security as part of their cybersecurity risk-management measures — including security-related aspects of relationships with direct suppliers and service providers.

Do we need to monitor all suppliers?

Not every supplier requires the same level of monitoring. A risk-based approach starts with criticality: access to systems or data, impact on essential services, dependency, geographic risk, and compliance requirements.

Does NIS2 require continuous monitoring?

NIS2 does not prescribe one specific tool or monitoring frequency, but organisations must take appropriate and proportionate measures. For critical suppliers, an annual questionnaire is often insufficient to demonstrably manage changing cyber risk.

Are spreadsheets sufficient for NIS2 compliance?

Spreadsheets can serve as a starting point, but often fall short at scale, currency, evidence management, workflows, and reporting. For a mature TPRM programme, centralised, current, and exportable evidence is important.

What is the difference between NIS2 and DORA for supplier risk?

NIS2 applies broadly to essential and important entities across multiple sectors. DORA focuses specifically on digital operational resilience in the financial sector and contains detailed requirements for ICT third-party risk. Many organisations need to look at both frameworks together.

How long does implementation take?

This depends on the number of suppliers, data quality, and existing processes. A pragmatic start typically consists of scope definition, supplier inventory, risk classification, monitoring priorities, and a first management report.

Can Magic Stone also help with policy and contractual requirements?

Yes. Beyond tooling, Magic Stone can assist with risk classification, contractual security clauses, supplier due diligence, evidence structuring, and NIS2/DORA reporting.

Ready to Automate Your NIS2 Supply Chain Compliance?

Book a call with Magic Stone. We'll show you how to structure supplier risk, monitor it continuously, and turn it into demonstrable compliance evidence for NIS2, DORA, and management reporting.

See the Supply Chain Risk Management Service Book a NIS2 Assessment

Looking for Sales Assistance or have a General Inquiry?

Got a sales question or a general inquiry? Send us a message and we’ll respond as soon as possible.

Please enable JavaScript in your browser to complete this form.
Checkboxes

By submitting this form you agree to our Privacy Policy and consent to Magic Stone Cyber Security storing and processing your information to respond to your enquiry.

Follow us

This will close in 0 seconds

Scroll to Top