Overview
NIS2 Article 21(2)(d) requires essential and important entities to address supply chain security — not as a checkbox, but as an ongoing risk management discipline. A single compromised supplier can expose your organization to data breaches, service disruption, and regulatory penalties regardless of how strong your internal controls are.
This skill turns supplier inventory data and contract summaries into a structured supply chain risk assessment. It scores each supplier across five dimensions (data sensitivity, system access, sole-source dependency, geographic risk, and service criticality), validates contracts against eight NIS2-required clauses, and identifies concentration risks that could create single points of failure. The result is a prioritized supplier risk register and a contractual gap report with specific remediation recommendations.
What It Covers
- Supplier risk scoring — weighted composite score across data access, system access, dependency, geographic, and service criticality dimensions, producing a four-tier ranking (Critical / High / Medium / Low)
- Contractual clause validation — checks supplier agreements against eight NIS2 Art. 21(2)(d) elements: security requirements, incident notification, audit rights, sub-processor controls, business continuity, data handling, termination provisions, and vulnerability disclosure
- Concentration risk analysis — identifies single-source dependencies, geographic clustering of critical suppliers, provider consolidation, and cloud infrastructure concentration
- Supplier risk register — structured output document with risk scores, tier assignments, and recommended actions per supplier
- Contractual review report — clause-by-clause assessment per supplier with gap identification and amendment recommendations
Example Conversation
You: We need to assess our supply chain security for NIS2 compliance. We’re a fintech company with about 15 suppliers across cloud, payments, HR, and consulting services. I have our supplier list ready.
Agent: I’ll walk you through a full NIS2 Art. 21(2)(d) supply chain assessment — supplier risk scoring, contractual review, and concentration analysis. Let’s start with your supplier inventory. Can you share it as a table or list? I need: supplier name, service type, data access level, system access level, whether they’re a sole source, and their country.
You: Here’s our supplier list:
| Supplier | Service | Data Access | System Access | Sole Source | Country |
|---|---|---|---|---|---|
| CloudScale Pro | Cloud hosting (IaaS) | critical_data | admin | yes | Germany |
| PayBridge | Payment processing | critical_data | write | yes | Netherlands |
| SecureID Systems | Identity/SSO provider | personal_data | admin | yes | Ireland |
| NetConnect GmbH | Network/ISP | metadata | read | no | Germany |
| DataVault Analytics | Analytics platform | personal_data | read | no | USA |
| SwiftHR | HR/Payroll SaaS | personal_data | write | no | France |
| AuditTrail Inc | SIEM/logging | metadata | read | yes | USA |
| LegalDocs EU | Contract management | metadata | write | no | Belgium |
| TranslateFlow | Translation services | none | none | no | Spain |
| DevOps Pipeline Co | CI/CD tooling | critical_data | admin | no | Germany |
| BackupSafe | Backup/DR storage | critical_data | write | no | Netherlands |
| ConsultCorp | Strategy consulting | none | none | no | UK |
| MailRelay Pro | Email delivery | personal_data | none | no | Finland |
| CloudScale Pro CDN | CDN/edge services | metadata | read | no | Germany |
| TaxCalc EU | Tax compliance SaaS | personal_data | read | no | Austria |
Agent: Good — 15 suppliers across a range of service types. Let me score them against the NIS2 risk dimensions. Running `supplier_risk_scorer`…
Results — Risk Rankings:
| Rank | Supplier | Service | Composite | Tier |
|---|---|---|---|---|
| 1 | CloudScale Pro | Cloud hosting (IaaS) | 4.5 | Critical |
| 2 | SecureID Systems | Identity/SSO | 4.3 | Critical |
| 3 | PayBridge | Payment processing | 4.2 | Critical |
| 4 | DevOps Pipeline Co | CI/CD tooling | 3.7 | High |
| 5 | AuditTrail Inc | SIEM/logging | 3.3 | High |
| 6 | BackupSafe | Backup/DR storage | 3.2 | High |
| 7 | SwiftHR | HR/Payroll SaaS | 3.0 | High |
| 8 | DataVault Analytics | Analytics | 2.8 | Medium |
| 9 | NetConnect GmbH | Network/ISP | 2.5 | Medium |
| 10 | MailRelay Pro | Email delivery | 2.3 | Medium |
| 11 | TaxCalc EU | Tax compliance | 2.2 | Medium |
| 12 | LegalDocs EU | Contract mgmt | 2.1 | Medium |
| 13 | CloudScale Pro CDN | CDN/edge | 2.0 | Medium |
| 14 | ConsultCorp | Consulting | 1.4 | Low |
| 15 | TranslateFlow | Translation | 1.3 | Low |
You have 3 Critical and 4 High risk suppliers. CloudScale Pro leads due to critical data access, admin-level system access, and sole-source dependency. Let me now check one of your key contracts. Can you share the contractual terms summary for CloudScale Pro?
You: Here’s the summary of our CloudScale Pro contract: “Provider shall maintain SOC 2 Type II certification. Provider will implement reasonable security measures. Data is encrypted at rest. Customer may request compliance documentation annually. Sub-processors may be engaged with 30-day notice. Provider offers 99.9% uptime SLA.”
Agent: Running `contractual_clause_validator` on the CloudScale Pro contract…
Results — Clause-by-Clause Assessment:
| ID | Clause | Status |
|---|---|---|
| C1 | Cybersecurity requirements & standards | PRESENT |
| C2 | Incident notification obligations | ABSENT |
| C3 | Right to audit / assess | INSUFFICIENT |
| C4 | Sub-processor controls | PRESENT |
| C5 | Business continuity & DR provisions | INSUFFICIENT |
| C6 | Data handling & access controls | PRESENT |
| C7 | Termination & transition provisions | ABSENT |
| C8 | Vulnerability disclosure & patching | ABSENT |
GAPS FOUND — 3 clauses absent, 2 insufficient. For your highest-risk supplier, this needs immediate attention:
- Incident notification (C2): No obligation for CloudScale Pro to notify you of security incidents. You need a 24-72 hour notification window with defined contacts and required information.
- Audit rights (C3): You can request documentation, but there is no explicit right to audit or conduct penetration testing. Add an audit clause with notice period and scope.
- Termination provisions (C7): No data return or deletion timeline defined. Add data return/deletion windows and a transition assistance period.
Now let me check for concentration risks across your full supplier base. Running `supply_chain_concentration_checker`…
Results — Concentration Findings:
- [CRITICAL] Single-Source: “CloudScale Pro” is sole provider for cloud hosting (criticality 5/5). Loss of this supplier would halt operations.
- [CRITICAL] Single-Source: “PayBridge” is sole provider for payment processing (criticality 4/5). No fallback payment channel.
- [CRITICAL] Single-Source: “SecureID Systems” is sole provider for identity/SSO (criticality 5/5). Authentication would fail entirely.
- [HIGH] Geographic: 60% of critical suppliers (3/5) are concentrated in the EU-West region. A regional regulatory change or infrastructure event could affect multiple critical services simultaneously.
- [MEDIUM] Provider: 2 services from “CloudScale*” suppliers (CloudScale Pro, CloudScale Pro CDN) — evaluate group dependency.
CRITICAL — You have three single-point-of-failure dependencies on your most critical service categories. I recommend we prioritize identifying alternative providers for cloud hosting, payment processing, and identity management, then build the full risk register with mitigation plans.
Sample Output Excerpt
Below is a representative excerpt from a generated supplier risk register showing the risk scoring summary and recommended actions.
Supplier Risk Register (excerpt)
| Rank | Supplier | Service Type | Composite Score | Tier | Key Risk Factors | Recommended Actions |
|---|---|---|---|---|---|---|
| 1 | CloudScale Pro | Cloud hosting (IaaS) | 4.5 | Critical | Admin access, critical data, sole source | Identify backup IaaS provider; require ISO 27001 certification; quarterly security reviews; negotiate audit rights |
| 2 | SecureID Systems | Identity/SSO | 4.3 | Critical | Admin access, personal data, sole source | Evaluate secondary IdP for failover; require SOC 2 Type II; incident notification SLA within 24h |
| 3 | PayBridge | Payment processing | 4.2 | Critical | Critical data, write access, sole source | Integrate backup payment processor; verify PCI DSS compliance; define data return procedures |
| 4 | DevOps Pipeline Co | CI/CD tooling | 3.7 | High | Admin access, critical data, high service criticality | Annual security assessment; review pipeline secrets handling; contractual incident clause |
| 5 | AuditTrail Inc | SIEM/logging | 3.3 | High | Sole source, non-EU (USA), security service | Evaluate EU-based alternative; verify data residency; add audit rights to contract |
| 6 | BackupSafe | Backup/DR storage | 3.2 | High | Critical data, write access | Validate encryption practices; test restore procedures; verify geographic redundancy |
| 7 | SwiftHR | HR/Payroll SaaS | 3.0 | High | Personal data, write access | Standard contractual clauses review; annual security questionnaire |
Concentration Risk Summary
| Risk Type | Severity | Finding | Diversification Recommendation |
|---|---|---|---|
| Single-Source | Critical | CloudScale Pro is sole IaaS provider | Identify secondary cloud provider; implement multi-cloud readiness for critical workloads |
| Single-Source | Critical | PayBridge is sole payment processor | Integrate a backup payment gateway; negotiate portable payment tokenization |
| Single-Source | Critical | SecureID Systems is sole IdP | Evaluate SAML/OIDC failover to secondary identity provider |
| Geographic | High | 60% of critical suppliers in EU-West | Diversify across EU regions; assess regulatory fragmentation risk |
| Provider Group | Medium | 2 services from CloudScale* family | Confirm shared infrastructure risk; evaluate independent CDN alternative |
Extension Tools
supplier_risk_scorer
Parses a supplier inventory and scores each supplier on a 1-5 scale across five weighted dimensions. Returns a risk-ranked table with composite scores and tier assignments.
| Dimension | Weight | Score Range | What It Measures |
|---|---|---|---|
| Data sensitivity | 25% | 1-5 | Level of data access: none (1), metadata (2), personal data (4), critical data (5) |
| System access | 20% | 1-5 | Depth of system access: none (1), read (2), write (4), admin (5) |
| Dependency | 20% | 2 or 5 | Sole-source supplier (5) vs. replaceable (2) |
| Geographic risk | 15% | 1-4 | EU/adequacy-decision countries (1), unknown (3), other (4) |
| Service criticality | 20% | 2-5 | Cloud/security/identity (5), network/payment (4), HR/ERP (3), other (2) |
Composite scores map to tiers: Critical (4.0+), High (3.0-3.9), Medium (2.0-2.9), Low (below 2.0). Each tier has recommended due diligence actions ranging from quarterly reviews for Critical suppliers to annual self-assessment for Low.
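As an added example (not the skill's own tool code), the following Python scorer applies the weights, per-level scores and tier cut-offs from the dimension table above to an inventory row. The keyword-to-criticality mapping, the abbreviated EU/adequacy country list and the sample rows are assumptions for this demo; the skill's tool may apply rounding or keyword rules that are not documented here, so the composites in the example conversation need not match this implementation exactly.

```python
import re
from dataclasses import dataclass

# Weights and per-level scores from the dimension table in this section.
WEIGHTS = {"data": 0.25, "system": 0.20, "dependency": 0.20,
           "geo": 0.15, "service": 0.20}
DATA_SCORE = {"none": 1, "metadata": 2, "personal_data": 4, "critical_data": 5}
SYSTEM_SCORE = {"none": 1, "read": 2, "write": 4, "admin": 5}

# Assumption: an abbreviated EU / adequacy-decision list for the demo only.
LOW_GEO_RISK = {"germany", "netherlands", "ireland", "france", "belgium",
                "spain", "finland", "austria", "uk", "united kingdom",
                "switzerland", "japan", "canada"}

# Assumption: keyword bands mapping a service description onto the table's
# criticality scores (cloud/security/identity 5, network/payment 4,
# HR/ERP 3, anything else 2).
SERVICE_BANDS = [
    (5, re.compile(r"\b(?:cloud|hosting|security|identity|sso|siem)\b")),
    (4, re.compile(r"\b(?:network|isp|payment|payments)\b")),
    (3, re.compile(r"\b(?:hr|payroll|erp)\b")),
]


@dataclass
class Supplier:
    name: str
    service: str
    data_access: str     # none | metadata | personal_data | critical_data
    system_access: str   # none | read | write | admin
    sole_source: bool
    country: str


def geo_score(country: str) -> int:
    """EU/adequacy country -> 1, unknown/blank -> 3, anything else -> 4."""
    if not country or not country.strip():
        return 3
    return 1 if country.strip().lower() in LOW_GEO_RISK else 4


def service_criticality(service: str) -> int:
    text = service.lower()
    for score, pattern in SERVICE_BANDS:
        if pattern.search(text):
            return score
    return 2  # "other"


def tier_for(composite: float) -> str:
    if composite >= 4.0:
        return "Critical"
    if composite >= 3.0:
        return "High"
    if composite >= 2.0:
        return "Medium"
    return "Low"


def score_supplier(s: Supplier) -> dict:
    """Return the five dimension scores, the weighted composite and the tier."""
    dims = {
        "data": DATA_SCORE[s.data_access],
        "system": SYSTEM_SCORE[s.system_access],
        "dependency": 5 if s.sole_source else 2,   # sole source 5, replaceable 2
        "geo": geo_score(s.country),
        "service": service_criticality(s.service),
    }
    composite = round(sum(dims[d] * WEIGHTS[d] for d in WEIGHTS), 2)
    return {"name": s.name, "service": s.service, "dimensions": dims,
            "composite": composite, "tier": tier_for(composite)}


def rank_suppliers(inventory: list) -> list:
    """Risk-ranked list, highest composite first."""
    return sorted((score_supplier(s) for s in inventory),
                  key=lambda r: r["composite"], reverse=True)


# Constructed sample rows (a subset of the inventory in the conversation above).
SAMPLE_INVENTORY = [
    Supplier("CloudScale Pro", "Cloud hosting (IaaS)", "critical_data", "admin", True, "Germany"),
    Supplier("AuditTrail Inc", "SIEM/logging", "metadata", "read", True, "USA"),
    Supplier("SwiftHR", "HR/Payroll SaaS", "personal_data", "write", False, "France"),
    Supplier("TranslateFlow", "Translation services", "none", "none", False, "Spain"),
]

if __name__ == "__main__":
    for rank, row in enumerate(rank_suppliers(SAMPLE_INVENTORY), start=1):
        print(f"{rank:>2}  {row['name']:<20} {row['composite']:.2f}  {row['tier']}")
```

With these weights a sole-source, admin-access supplier holding critical data in an EU country scores 4.4 (Critical), and the USA geographic score alone lifts an otherwise low-access logging supplier into the High band, which is the behaviour the register excerpt above attributes to AuditTrail Inc.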
contractual_clause_validator
Checks supplier contract descriptions against eight NIS2 Art. 21(2)(d) required contractual elements. Returns a clause-by-clause assessment with three possible statuses and specific recommendations for gaps.
| ID | Clause | What It Checks |
|---|---|---|
| C1 | Cybersecurity requirements & standards | References to ISO 27001, SOC 2, NIST, or equivalent security controls |
| C2 | Incident notification obligations | Notification timeframes (24-72h), contacts, required information |
| C3 | Right to audit / assess | Audit rights, penetration testing, compliance audit provisions |
| C4 | Sub-processor / sub-contractor controls | Prior approval requirements, flow-down of security obligations |
| C5 | Business continuity & DR provisions | RTO/RPO targets, testing frequency, availability commitments |
| C6 | Data handling & access controls | Encryption, least-privilege access, data classification, logging |
| C7 | Termination & transition provisions | Data return/deletion timelines, transition assistance periods |
| C8 | Vulnerability disclosure & patching | Patching SLAs by severity, coordinated disclosure process |
Each clause is rated Present (adequate specificity), Insufficient (referenced but lacking detail), or Absent (not addressed). Absent and insufficient clauses include specific amendment recommendations.
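The following Python validator is an added example in the style of `contractual_clause_validator`, not the skill's own code. The eight clause ids, titles and amendment themes follow the table above; the regex patterns and the three-status rule (an "adequate" pattern hit gives Present, a mere topic reference gives Insufficient, nothing gives Absent) are this example's assumptions. The first sample text is the CloudScale Pro summary from the example conversation; the amended version is constructed to show how the statuses change once the missing clauses are added.

```python
import re

# Time expressions such as "24 hours", "24h", "30-day", "6 months".
TIME = r"\b\d+[\s-]*(?:hours?|h|days?|months?)\b"

# Clause id -> (title, pattern showing the topic is referenced,
#               pattern showing adequate specificity, amendment advice).
# Titles follow the table in this section; the patterns are assumptions that
# deliberately favour recall over precision, since a human reviews the gaps.
CLAUSES = {
    "C1": ("Cybersecurity requirements & standards",
           r"security (?:measures|controls|requirements)|iso ?27001|soc ?2|nist",
           r"iso ?27001|soc ?2|nist|pci ?dss",
           "Reference a named standard (ISO 27001, SOC 2, NIST) or equivalent controls."),
    "C2": ("Incident notification obligations",
           r"incident|breach|notif(?:y|ication)",
           rf"(?:incident|breach)[^.]{{0,120}}{TIME}|{TIME}[^.]{{0,120}}(?:incident|breach)",
           "Add a 24-72h notification window with named contacts and required information."),
    "C3": ("Right to audit / assess",
           r"audit|assess|compliance (?:documentation|report)",
           r"right to audit|audit rights?|penetration test|pen ?test|on-?site (?:audit|assessment)",
           "Add an explicit audit / penetration-testing right with notice period and scope."),
    "C4": ("Sub-processor / sub-contractor controls",
           r"sub-?processors?|sub-?contractors?|third[- ]part(?:y|ies)",
           r"(?:sub-?processor|sub-?contractor)s?[^.]{0,120}"
           r"(?:prior (?:written )?approval|consent|notice|flow[- ]down|same obligations|object)",
           "Require prior approval or an objection right and flow-down of security obligations."),
    "C5": ("Business continuity & DR provisions",
           r"business continuity|disaster recovery|\bdr\b|uptime|availability|\bsla\b",
           r"\brto\b|\brpo\b|recovery (?:time|point) objective|(?:continuity|recovery)[^.]{0,80}test",
           "State RTO/RPO targets and a continuity testing frequency, not only an uptime figure."),
    "C6": ("Data handling & access controls",
           r"encrypt|access control|least.privilege|data classification|logging|data handling",
           r"encrypt(?:ed|ion)|least.privilege",
           "Specify encryption at rest and in transit, least-privilege access and logging."),
    "C7": ("Termination & transition provisions",
           r"terminat|exit plan|transition|data return|delet",
           rf"(?:return|delet|destroy)[^.]{{0,80}}{TIME}|{TIME}[^.]{{0,80}}(?:return|delet|destroy|transition)",
           "Define data return/deletion windows and a transition assistance period."),
    "C8": ("Vulnerability disclosure & patching",
           r"vulnerabilit|patch|disclosure|security updates",
           rf"(?:patch|remediat|fix)[^.]{{0,80}}{TIME}|critical[^.]{{0,60}}(?:patch|remediat)",
           "Add patching SLAs by severity and a coordinated disclosure process."),
}


def clause_status(text: str, clause_id: str) -> str:
    """Present / Insufficient / Absent for one clause of a contract summary."""
    lowered = text.lower()
    _, referenced, adequate, _ = CLAUSES[clause_id]
    if re.search(adequate, lowered):
        return "Present"
    if re.search(referenced, lowered):
        return "Insufficient"
    return "Absent"


def validate_contract(text: str) -> dict:
    return {cid: clause_status(text, cid) for cid in CLAUSES}


def gap_report(text: str) -> dict:
    """Statuses plus the amendment advice for every clause that is not Present."""
    statuses = validate_contract(text)
    gaps = [(cid, status, CLAUSES[cid][3])
            for cid, status in statuses.items() if status != "Present"]
    return {
        "statuses": statuses,
        "gaps": gaps,
        "absent": sum(1 for s in statuses.values() if s == "Absent"),
        "insufficient": sum(1 for s in statuses.values() if s == "Insufficient"),
    }


# Contract summary quoted in the example conversation above.
CLOUDSCALE_SUMMARY = (
    "Provider shall maintain SOC 2 Type II certification. Provider will implement "
    "reasonable security measures. Data is encrypted at rest. Customer may request "
    "compliance documentation annually. Sub-processors may be engaged with 30-day "
    "notice. Provider offers 99.9% uptime SLA."
)

# Constructed amendment adding the clauses the assessment found absent.
AMENDED_SUMMARY = CLOUDSCALE_SUMMARY + (
    " Provider shall notify Customer of any security incident within 24 hours of "
    "detection. Customer has the right to audit Provider on 30 days notice. On "
    "termination Provider returns all Customer data within 30 days and deletes it "
    "thereafter. Critical vulnerabilities are patched within 14 days."
)

if __name__ == "__main__":
    report = gap_report(CLOUDSCALE_SUMMARY)
    for cid, status in report["statuses"].items():
        print(f"{cid}  {CLAUSES[cid][0]:<42} {status.upper()}")
    print(f"GAPS FOUND: {report['absent']} absent, {report['insufficient']} insufficient")
```

On the CloudScale Pro summary this reproduces the assessment in the conversation (3 absent, 2 insufficient); the amended text turns C2, C3, C7 and C8 into Present while C5 stays Insufficient, because an uptime percentage on its own says nothing about RTO/RPO or continuity testing.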
supply_chain_concentration_checker
Analyzes the supplier inventory for four categories of concentration risk and produces diversification recommendations.
| Category | What It Detects | Severity |
|---|---|---|
| Single-source dependency | Service categories with only one supplier, weighted by service criticality | Critical (criticality 4-5) or Medium |
| Geographic concentration | More than 50% of critical suppliers in a single country or jurisdiction | High |
| Provider consolidation | Three or more services from suppliers sharing a name prefix (e.g., “CloudScale*”) | Medium |
| Infrastructure concentration | Two or more suppliers on the same cloud platform (AWS, Azure, GCP, etc.) | Medium |
Findings include severity ratings and numbered diversification recommendations. The overall result is classified as Critical (single-point-of-failure found), High (geographic/service concentration), or Acceptable (no significant risks).
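As an added example rather than the skill's own code, the following Python implements the four detectors and the overall classification from the table above. The inventory is constructed; the `tier`, `criticality` and `platform` fields are assumptions standing in for what the scoring step and the inventory would supply (the page's inventory format has no platform column, so that check only fires when the field is filled in).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Supplier:
    name: str
    service: str                   # service category used for single-source grouping
    sole_source: bool
    criticality: int               # 1-5 service criticality from the scoring step
    country: str
    tier: str                      # Critical / High / Medium / Low from the scoring step
    platform: Optional[str] = None  # underlying cloud platform, when known


def single_source_findings(inv: list) -> list:
    """A category served by one supplier that is flagged sole-source is a SPOF."""
    by_service = defaultdict(list)
    for s in inv:
        by_service[s.service].append(s)
    out = []
    for service, sups in by_service.items():
        if len(sups) == 1 and sups[0].sole_source:
            s = sups[0]
            severity = "Critical" if s.criticality >= 4 else "Medium"
            out.append({"type": "Single-Source", "severity": severity,
                        "finding": f"{s.name} is sole provider for {service} "
                                   f"(criticality {s.criticality}/5)"})
    return out


def geographic_findings(inv: list) -> list:
    """More than 50% of Critical-tier suppliers in one country -> High."""
    critical = [s for s in inv if s.tier == "Critical"]
    if not critical:
        return []
    country, n = Counter(s.country for s in critical).most_common(1)[0]
    if n / len(critical) > 0.5:
        return [{"type": "Geographic", "severity": "High",
                 "finding": f"{n}/{len(critical)} critical suppliers in {country}"}]
    return []


def provider_findings(inv: list) -> list:
    """Three or more suppliers sharing a name prefix (first word) -> Medium."""
    prefixes = Counter(s.name.split()[0] for s in inv)
    return [{"type": "Provider Group", "severity": "Medium",
             "finding": f"{n} services from {prefix}* suppliers"}
            for prefix, n in prefixes.items() if n >= 3]


def infrastructure_findings(inv: list) -> list:
    """Two or more suppliers on the same cloud platform -> Medium."""
    platforms = Counter(s.platform for s in inv if s.platform)
    return [{"type": "Infrastructure", "severity": "Medium",
             "finding": f"{n} suppliers run on {platform}"}
            for platform, n in platforms.items() if n >= 2]


def check_concentration(inv: list) -> dict:
    """Overall result per the table: Critical (SPOF), High, else Acceptable."""
    findings = (single_source_findings(inv) + geographic_findings(inv)
                + provider_findings(inv) + infrastructure_findings(inv))
    if any(f["type"] == "Single-Source" and f["severity"] == "Critical" for f in findings):
        overall = "Critical"
    elif any(f["severity"] == "High" for f in findings):
        overall = "High"
    else:
        overall = "Acceptable"
    return {"overall": overall, "findings": findings}


# Constructed inventory chosen so that every detector has something to report.
SAMPLE_INVENTORY = [
    Supplier("CloudScale Pro", "cloud hosting", True, 5, "Germany", "Critical"),
    Supplier("CloudScale Pro CDN", "cdn/edge", False, 2, "Germany", "Medium"),
    Supplier("CloudScale Backup", "backup/dr", False, 3, "Germany", "High"),
    Supplier("SecureID Systems", "identity/sso", True, 5, "Germany", "Critical", "AWS"),
    Supplier("PayBridge", "payment processing", True, 4, "Netherlands", "Critical", "AWS"),
    Supplier("LegalDocs EU", "contract management", True, 2, "Belgium", "Medium"),
    Supplier("TranslateFlow", "translation", False, 2, "Spain", "Low"),
]

if __name__ == "__main__":
    result = check_concentration(SAMPLE_INVENTORY)
    for f in result["findings"]:
        print(f"[{f['severity'].upper()}] {f['type']}: {f['finding']}")
    print("Overall:", result["overall"])
```

Note that a category with a single supplier that is not marked sole-source (the CDN and translation rows here) is not reported, because the inventory's own sole-source flag is what says no alternative exists; a category that is sole-source but low-criticality (contract management) is reported at Medium rather than Critical, matching the severity column of the table.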
Getting Started
Activate the NIS2 Supply Chain Security skill from the skill library.
Have this information ready before starting:
- Supplier inventory — a list of your suppliers with: name, service type, level of data access (none, metadata, personal data, critical data), level of system access (none, read, write, admin), whether they are your sole source for that service, and their country. A spreadsheet or markdown table works best.
- Contract summaries — for your most critical suppliers, prepare a summary of the key contractual terms: security requirements, incident clauses, audit rights, SLAs, termination provisions. Full contract text is not required — a summary of relevant clauses is sufficient.
- Known concerns — any existing worries about specific suppliers, recent incidents, or upcoming contract renewals that should be prioritized.
The agent guides you through a four-step workflow: first it scores all suppliers to identify your highest-risk relationships, then validates contracts for your critical and high-risk suppliers against NIS2 requirements, runs concentration analysis to find single points of failure, and finally produces the supplier risk register and contractual review report with specific mitigation actions.