NIS2 Third-Party Risk Management (TPRM): Manage Supply Chain Risk and Satisfy Article 21(2)(d)
NIS2 makes supply chain security an explicit obligation for essential and important entities. You must not only demonstrably manage your own cybersecurity — you must also manage the risks of critical suppliers, ICT service providers, and dependencies across your chain.
Penalty reference based on NIS2 Article 34: essential entities up to at least €10,000,000 or 2% of global annual turnover; important entities up to at least €7,000,000 or 1.4% of global annual turnover. See Directive (EU) 2022/2555 and the Dutch Cyberbeveiligingswet/NIS2 guidance from the NCSC.
What NIS2 Requires for Third-Party Risk
NIS2 Article 21(2)(d) requires organisations to address cybersecurity risks in their supply chain — including security-related aspects of relationships with direct suppliers and service providers. In practice, this means: inventorise, embed contractually, monitor, document, and remediate.
Supplier Risk Assessments
Evaluate the cybersecurity posture of critical suppliers and service providers.
- Identify critical suppliers, ICT providers, and key service dependencies
- Assess supplier cybersecurity policies, controls, and governance practices
- Review certifications, audit reports, incident history, and compliance evidence
- Classify suppliers based on criticality, access privileges, and business impact
→ NIS2 Article 21(2)(d)
Contractual Security Requirements
Embed cybersecurity obligations into supplier and service-provider agreements.
- Include security requirements and incident-response obligations in contracts
- Require timely notification of security incidents affecting your organisation
- Define audit rights, assurance mechanisms, and compliance verification processes
- Address subcontractor and fourth-party risks through contractual controls
→ NIS2 Article 21(2)(d)
Continuous Monitoring
Maintain ongoing visibility into changing cyber risk across your supplier base.
- Monitor the external attack surface of critical suppliers
- Track changes in security posture, vulnerabilities, and risk indicators
- Identify hidden dependencies and unmanaged third-party relationships
- Maintain a current supply-chain risk register with remediation tracking
→ NIS2 Article 21(2)(d)
Incident Coordination
Manage supplier-related incidents and support NIS2 reporting requirements.
- Assess the impact of supplier incidents on systems, services, and data
- Determine whether incidents could trigger NIS2 reporting obligations
- Coordinate incident communication and response activities with suppliers
- Maintain evidence, remediation records, and incident documentation
→ NIS2 Article 21(2)(b), 21(2)(d) and Article 23
Why Manual TPRM Cannot Scale Under NIS2
Most organisations manage dozens to hundreds of supplier relationships. Spreadsheets, annual questionnaires, and scattered email evidence do not provide a reliable, current, and auditable picture of supplier risk.
Spreadsheets Break at Scale
Managing supplier risk manually leads to gaps, duplicates, and stale data. NIS2 requires demonstrable governance — not a spreadsheet from last quarter.
Hidden Dependencies
Sub-processors, cloud dependencies, and shadow vendors introduce risk that often only becomes visible after an incident has already occurred.
Annual Assessments Are Not Enough
A supplier that scored acceptably in January may have new vulnerabilities, exposed systems, or leaked credentials by March.
Audit Evidence Is Scattered
Regulators and auditors expect documented evidence. Scattered emails, shared folders, and loose screenshots make compliance difficult to demonstrate.
Fourth-Party Risk Is Invisible
Your suppliers have suppliers too. Without visibility into sub-processors and dependencies, your risk picture stops too early in the chain.
Management Accountability
NIS2 Article 20 places governance obligations on management bodies. Without demonstrable oversight, supplier risk becomes a board-level exposure.
Business Impact: From Compliance Burden to Operational Advantage
Effective third-party risk management does more than satisfy NIS2. It accelerates audits, improves board reporting, and makes supplier risk manageable and visible.
Faster Audits
Centralise evidence, assessments, and remediation so audit preparation becomes less ad hoc and more efficient.
Continuous Visibility
See changes in supplier risk as they emerge — not when you get to next year's annual review.
Board-Ready Reporting
Translate technical findings into priorities, trends, and decision-ready information for management.
Lower Exposure
Prioritise suppliers with the greatest impact and reduce risk before it becomes an incident.
AI-Powered Supply Chain Risk Management — Powered by Rescana
Magic Stone replaces manual TPRM spreadsheets with continuous, AI-driven supplier risk monitoring powered by Rescana. Discover your supplier ecosystem, monitor external exposure, prioritise remediation, and build a demonstrable compliance dossier for NIS2 Article 21(2)(d) and DORA.
How Magic Stone Solves TPRM for NIS2
Magic Stone deploys Rescana as part of a practical TPRM programme — from supplier inventory and risk classification to monitoring, remediation, and management reporting.
Automated Supplier Discovery
Map your full supplier ecosystem — including sub-processors and unknown dependencies not captured in existing spreadsheets.
Continuous Attack Surface Monitoring
Monitor external exposure, misconfigurations, vulnerabilities, and signals indicating elevated supplier risk.
Real-Time Risk Scoring
Prioritise suppliers based on current security posture, criticality, and business impact — not last year's questionnaire.
Audit-Ready Evidence
Centralise assessments, risk scores, monitoring logs, actions, and decisions in one demonstrable compliance dossier.
NIS2 & DORA Mapping
Map supplier risk findings directly to NIS2 and DORA obligations so compliance efforts remain targeted and traceable.
Recognised Innovation
Rescana was selected by Magic Stone for its AI-driven approach to supplier risk management, chain visibility, continuous monitoring, and support for European regulatory compliance requirements.
Why Rescana Instead of Traditional TPRM?
Many TPRM processes are built around questionnaires. That remains useful — but NIS2 demands better evidence, more current insight, and faster follow-up.
| Capability | Rescana / Magic Stone Approach | Traditional TPRM |
|---|---|---|
| Supplier discovery | ✓ Automated discovery and enrichment | Limited Often manual inventory |
| Continuous monitoring | ✓ Ongoing external risk signals | Limited Often annual assessment |
| NIS2 mapping | ✓ Findings mapped to obligations | Limited Often manual interpretation |
| Audit evidence | ✓ Central dossier with exports | Limited Emails, folders, spreadsheets |
| Fourth-party visibility | ✓ Focus on chain dependencies | ✗ Often first-tier only |
| Management reporting | ✓ Risk translated into priorities | Limited Often technical or fragmented |
Examples of Audit-Ready Evidence
A NIS2 programme must be demonstrable. Magic Stone helps structure evidence so you are not scrambling when an auditor, regulator, or customer asks for substantiation.
Supplier Inventory
A current overview of critical suppliers, ICT service providers, subcontractors, and dependencies.
Risk Register
Categorised risks with owner, impact, likelihood, status, and planned actions.
Supplier Scorecards
Per-supplier overview of risk score, findings, trends, and relevant evidence documents.
Remediation Tracking
Open actions, deadlines, ownership, and evidence of follow-up and completion.
Incident Dossier
Documentation of supplier incidents, impact analysis, communication, and decision records.
Board Reporting
Management summaries with trends, top risks, status, and decision-ready points.
📋 NIS2 Compliance Checklist & Readiness Workbook 2026
Download the full workbook — all ten NIS2 sections with Yes / Partial / No scoring, organisation details, and a scoring guide. Print it, fill it in, share it with your board.
"...security of the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers..."
This means supplier risk must be part of your cybersecurity risk-management measures. Magic Stone's Supply Chain Risk Management service is built to make this demonstrable, scalable, and manageable.
Frequently Asked Questions about NIS2 and Third-Party Risk
What does NIS2 require for third-party risk management?
NIS2 Article 21(2)(d) requires organisations to address supply chain security as part of their cybersecurity risk-management measures — including security-related aspects of relationships with direct suppliers and service providers.
Do we need to monitor all suppliers?
Not every supplier requires the same level of monitoring. A risk-based approach starts with criticality: access to systems or data, impact on essential services, dependency, geographic risk, and compliance requirements.
Does NIS2 require continuous monitoring?
NIS2 does not prescribe one specific tool or monitoring frequency, but organisations must take appropriate and proportionate measures. For critical suppliers, an annual questionnaire is often insufficient to demonstrably manage changing cyber risk.
Are spreadsheets sufficient for NIS2 compliance?
Spreadsheets can serve as a starting point, but often fall short at scale, currency, evidence management, workflows, and reporting. For a mature TPRM programme, centralised, current, and exportable evidence is important.
What is the difference between NIS2 and DORA for supplier risk?
NIS2 applies broadly to essential and important entities across multiple sectors. DORA focuses specifically on digital operational resilience in the financial sector and contains detailed requirements for ICT third-party risk. Many organisations need to look at both frameworks together.
How long does implementation take?
This depends on the number of suppliers, data quality, and existing processes. A pragmatic start typically consists of scope definition, supplier inventory, risk classification, monitoring priorities, and a first management report.
Can Magic Stone also help with policy and contractual requirements?
Yes. Beyond tooling, Magic Stone can assist with risk classification, contractual security clauses, supplier due diligence, evidence structuring, and NIS2/DORA reporting.
Related
Ready to Automate Your NIS2 Supply Chain Compliance?
Book a call with Magic Stone. We'll show you how to structure supplier risk, monitor it continuously, and turn it into demonstrable compliance evidence for NIS2, DORA, and management reporting.
See the Supply Chain Risk Management Service Book a NIS2 AssessmentNIS2 Third-Party Risk Management (TPRM): Manage Supply Chain Risk and Satisfy Article 21(2)(d)
NIS2 makes supply chain security an explicit obligation for essential and important entities. You must not only demonstrably manage your own cybersecurity — you must also manage the risks of critical suppliers, ICT service providers, and dependencies across your chain.
Penalty reference based on NIS2 Article 34: essential entities up to at least €10,000,000 or 2% of global annual turnover; important entities up to at least €7,000,000 or 1.4% of global annual turnover. See Directive (EU) 2022/2555 and the Dutch Cyberbeveiligingswet/NIS2 guidance from the NCSC.
What NIS2 Requires for Third-Party Risk
NIS2 Article 21(2)(d) requires organisations to address cybersecurity risks in their supply chain — including security-related aspects of relationships with direct suppliers and service providers. In practice, this means: inventorise, embed contractually, monitor, document, and remediate.
Supplier Risk Assessments
Evaluate the cybersecurity posture of critical suppliers and service providers.
- Identify critical suppliers, ICT providers, and key service dependencies
- Assess supplier cybersecurity policies, controls, and governance practices
- Review certifications, audit reports, incident history, and compliance evidence
- Classify suppliers based on criticality, access privileges, and business impact
→ NIS2 Article 21(2)(d)
Contractual Security Requirements
Embed cybersecurity obligations into supplier and service-provider agreements.
- Include security requirements and incident-response obligations in contracts
- Require timely notification of security incidents affecting your organisation
- Define audit rights, assurance mechanisms, and compliance verification processes
- Address subcontractor and fourth-party risks through contractual controls
→ NIS2 Article 21(2)(d)
Continuous Monitoring
Maintain ongoing visibility into changing cyber risk across your supplier base.
- Monitor the external attack surface of critical suppliers
- Track changes in security posture, vulnerabilities, and risk indicators
- Identify hidden dependencies and unmanaged third-party relationships
- Maintain a current supply-chain risk register with remediation tracking
→ NIS2 Article 21(2)(d)
Incident Coordination
Manage supplier-related incidents and support NIS2 reporting requirements.
- Assess the impact of supplier incidents on systems, services, and data
- Determine whether incidents could trigger NIS2 reporting obligations
- Coordinate incident communication and response activities with suppliers
- Maintain evidence, remediation records, and incident documentation
→ NIS2 Article 21(2)(b), 21(2)(d) and Article 23
Why Manual TPRM Cannot Scale Under NIS2
Most organisations manage dozens to hundreds of supplier relationships. Spreadsheets, annual questionnaires, and scattered email evidence do not provide a reliable, current, and auditable picture of supplier risk.
Spreadsheets Break at Scale
Managing supplier risk manually leads to gaps, duplicates, and stale data. NIS2 requires demonstrable governance — not a spreadsheet from last quarter.
Hidden Dependencies
Sub-processors, cloud dependencies, and shadow vendors introduce risk that often only becomes visible after an incident has already occurred.
Annual Assessments Are Not Enough
A supplier that scored acceptably in January may have new vulnerabilities, exposed systems, or leaked credentials by March.
Audit Evidence Is Scattered
Regulators and auditors expect documented evidence. Scattered emails, shared folders, and loose screenshots make compliance difficult to demonstrate.
Fourth-Party Risk Is Invisible
Your suppliers have suppliers too. Without visibility into sub-processors and dependencies, your risk picture stops too early in the chain.
Management Accountability
NIS2 Article 20 places governance obligations on management bodies. Without demonstrable oversight, supplier risk becomes a board-level exposure.
Business Impact: From Compliance Burden to Operational Advantage
Effective third-party risk management does more than satisfy NIS2. It accelerates audits, improves board reporting, and makes supplier risk manageable and visible.
Faster Audits
Centralise evidence, assessments, and remediation so audit preparation becomes less ad hoc and more efficient.
Continuous Visibility
See changes in supplier risk as they emerge — not when you get to next year's annual review.
Board-Ready Reporting
Translate technical findings into priorities, trends, and decision-ready information for management.
Lower Exposure
Prioritise suppliers with the greatest impact and reduce risk before it becomes an incident.
AI-Powered Supply Chain Risk Management — Powered by Rescana
Magic Stone replaces manual TPRM spreadsheets with continuous, AI-driven supplier risk monitoring powered by Rescana. Discover your supplier ecosystem, monitor external exposure, prioritise remediation, and build a demonstrable compliance dossier for NIS2 Article 21(2)(d) and DORA.
How Magic Stone Solves TPRM for NIS2
Magic Stone deploys Rescana as part of a practical TPRM programme — from supplier inventory and risk classification to monitoring, remediation, and management reporting.
Automated Supplier Discovery
Map your full supplier ecosystem — including sub-processors and unknown dependencies not captured in existing spreadsheets.
Continuous Attack Surface Monitoring
Monitor external exposure, misconfigurations, vulnerabilities, and signals indicating elevated supplier risk.
Real-Time Risk Scoring
Prioritise suppliers based on current security posture, criticality, and business impact — not last year's questionnaire.
Audit-Ready Evidence
Centralise assessments, risk scores, monitoring logs, actions, and decisions in one demonstrable compliance dossier.
NIS2 & DORA Mapping
Map supplier risk findings directly to NIS2 and DORA obligations so compliance efforts remain targeted and traceable.
Recognised Innovation
Rescana was selected by Magic Stone for its AI-driven approach to supplier risk management, chain visibility, continuous monitoring, and support for European regulatory compliance requirements.
Why Rescana Instead of Traditional TPRM?
Many TPRM processes are built around questionnaires. That remains useful — but NIS2 demands better evidence, more current insight, and faster follow-up.
| Capability | Rescana / Magic Stone Approach | Traditional TPRM |
|---|---|---|
| Supplier discovery | ✓ Automated discovery and enrichment | Limited Often manual inventory |
| Continuous monitoring | ✓ Ongoing external risk signals | Limited Often annual assessment |
| NIS2 mapping | ✓ Findings mapped to obligations | Limited Often manual interpretation |
| Audit evidence | ✓ Central dossier with exports | Limited Emails, folders, spreadsheets |
| Fourth-party visibility | ✓ Focus on chain dependencies | ✗ Often first-tier only |
| Management reporting | ✓ Risk translated into priorities | Limited Often technical or fragmented |
Examples of Audit-Ready Evidence
A NIS2 programme must be demonstrable. Magic Stone helps structure evidence so you are not scrambling when an auditor, regulator, or customer asks for substantiation.
Supplier Inventory
A current overview of critical suppliers, ICT service providers, subcontractors, and dependencies.
Risk Register
Categorised risks with owner, impact, likelihood, status, and planned actions.
Supplier Scorecards
Per-supplier overview of risk score, findings, trends, and relevant evidence documents.
Remediation Tracking
Open actions, deadlines, ownership, and evidence of follow-up and completion.
Incident Dossier
Documentation of supplier incidents, impact analysis, communication, and decision records.
Board Reporting
Management summaries with trends, top risks, status, and decision-ready points.
"...security of the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers..."
This means supplier risk must be part of your cybersecurity risk-management measures. Magic Stone's Supply Chain Risk Management service is built to make this demonstrable, scalable, and manageable.
Frequently Asked Questions about NIS2 and Third-Party Risk
What does NIS2 require for third-party risk management?
NIS2 Article 21(2)(d) requires organisations to address supply chain security as part of their cybersecurity risk-management measures — including security-related aspects of relationships with direct suppliers and service providers.
Do we need to monitor all suppliers?
Not every supplier requires the same level of monitoring. A risk-based approach starts with criticality: access to systems or data, impact on essential services, dependency, geographic risk, and compliance requirements.
Does NIS2 require continuous monitoring?
NIS2 does not prescribe one specific tool or monitoring frequency, but organisations must take appropriate and proportionate measures. For critical suppliers, an annual questionnaire is often insufficient to demonstrably manage changing cyber risk.
Are spreadsheets sufficient for NIS2 compliance?
Spreadsheets can serve as a starting point, but often fall short at scale, currency, evidence management, workflows, and reporting. For a mature TPRM programme, centralised, current, and exportable evidence is important.
What is the difference between NIS2 and DORA for supplier risk?
NIS2 applies broadly to essential and important entities across multiple sectors. DORA focuses specifically on digital operational resilience in the financial sector and contains detailed requirements for ICT third-party risk. Many organisations need to look at both frameworks together.
How long does implementation take?
This depends on the number of suppliers, data quality, and existing processes. A pragmatic start typically consists of scope definition, supplier inventory, risk classification, monitoring priorities, and a first management report.
Can Magic Stone also help with policy and contractual requirements?
Yes. Beyond tooling, Magic Stone can assist with risk classification, contractual security clauses, supplier due diligence, evidence structuring, and NIS2/DORA reporting.
Related
Ready to Automate Your NIS2 Supply Chain Compliance?
Book a call with Magic Stone. We'll show you how to structure supplier risk, monitor it continuously, and turn it into demonstrable compliance evidence for NIS2, DORA, and management reporting.
See the Supply Chain Risk Management Service Book a NIS2 Assessment