# NIS2 Supply Chain Security

> Assess and manage supply chain cybersecurity risks per NIS2 Art. 21(2)(d). Scores supplier criticality and cybersecurity maturity, validates contractual security clauses, and identifies concentration risks in the ICT supply chain. Produces a supplier risk register and contractual review report.



Tags: NIS2, Supply Chain, Supplier Risk, Cybersecurity, GRC, Third Party Risk


## Example Prompts

- Create a NIS2-compliant supplier risk register
- Assess our supply chain cybersecurity risks under NIS2
- Review supplier contracts for NIS2 Art. 21(2)(d) compliance
- Identify concentration risks in our ICT supply chain

URL: https://rakenne.app/skills/nis2-supply-chain-security/index.md

Try this skill: https://rakenne.app/a/?skill=nis2-supply-chain-security



## Overview

NIS2 Article 21(2)(d) requires essential and important entities to address supply chain security — not as a checkbox, but as an ongoing risk management discipline. A single compromised supplier can expose your organization to data breaches, service disruption, and regulatory penalties regardless of how strong your internal controls are.

This skill turns supplier inventory data and contract summaries into a structured supply chain risk assessment. It scores each supplier across five dimensions (data sensitivity, system access, sole-source dependency, geographic risk, and service criticality), validates contracts against eight NIS2-required clauses, and identifies concentration risks that could create single points of failure. The result is a prioritized supplier risk register and a contractual gap report with specific remediation recommendations.

### What It Covers

- **Supplier risk scoring** — weighted composite score across data access, system access, dependency, geographic, and service criticality dimensions, producing a four-tier ranking (Critical / High / Medium / Low)
- **Contractual clause validation** — checks supplier agreements against eight NIS2 Art. 21(2)(d) elements: security requirements, incident notification, audit rights, sub-processor controls, business continuity, data handling, termination provisions, and vulnerability disclosure
- **Concentration risk analysis** — identifies single-source dependencies, geographic clustering of critical suppliers, provider consolidation, and cloud infrastructure concentration
- **Supplier risk register** — structured output document with risk scores, tier assignments, and recommended actions per supplier
- **Contractual review report** — clause-by-clause assessment per supplier with gap identification and amendment recommendations

## Example Conversation

> **You:** We need to assess our supply chain security for NIS2 compliance. We're a fintech company with about 15 suppliers across cloud, payments, HR, and consulting services. I have our supplier list ready.
>
> **Agent:** I'll walk you through a full NIS2 Art. 21(2)(d) supply chain assessment — supplier risk scoring, contractual review, and concentration analysis. Let's start with your supplier inventory. Can you share it as a table or list? I need: supplier name, service type, data access level, system access level, whether they're a sole source, and their country.
>
> **You:** Here's our supplier list:
>
> | Supplier | Service | Data Access | System Access | Sole Source | Country |
> |----------|---------|-------------|---------------|-------------|---------|
> | CloudScale Pro | Cloud hosting (IaaS) | critical_data | admin | yes | Germany |
> | PayBridge | Payment processing | critical_data | write | yes | Netherlands |
> | SecureID Systems | Identity/SSO provider | personal_data | admin | yes | Ireland |
> | NetConnect GmbH | Network/ISP | metadata | read | no | Germany |
> | DataVault Analytics | Analytics platform | personal_data | read | no | USA |
> | SwiftHR | HR/Payroll SaaS | personal_data | write | no | France |
> | AuditTrail Inc | SIEM/logging | metadata | read | yes | USA |
> | LegalDocs EU | Contract management | metadata | write | no | Belgium |
> | TranslateFlow | Translation services | none | none | no | Spain |
> | DevOps Pipeline Co | CI/CD tooling | critical_data | admin | no | Germany |
> | BackupSafe | Backup/DR storage | critical_data | write | no | Netherlands |
> | ConsultCorp | Strategy consulting | none | none | no | UK |
> | MailRelay Pro | Email delivery | personal_data | none | no | Finland |
> | CloudScale Pro CDN | CDN/edge services | metadata | read | no | Germany |
> | TaxCalc EU | Tax compliance SaaS | personal_data | read | no | Austria |
>
> **Agent:** Good — 15 suppliers across a range of service types. Let me score them against the NIS2 risk dimensions. Running `supplier_risk_scorer`...
>
> **Results — Risk Rankings:**
>
> | Rank | Supplier | Service | Composite | Tier |
> |------|----------|---------|:---------:|------|
> | 1 | CloudScale Pro | Cloud hosting (IaaS) | 4.5 | **Critical** |
> | 2 | SecureID Systems | Identity/SSO | 4.3 | **Critical** |
> | 3 | PayBridge | Payment processing | 4.2 | **Critical** |
> | 4 | DevOps Pipeline Co | CI/CD tooling | 3.7 | **High** |
> | 5 | AuditTrail Inc | SIEM/logging | 3.3 | **High** |
> | 6 | BackupSafe | Backup/DR storage | 3.2 | **High** |
> | 7 | SwiftHR | HR/Payroll SaaS | 3.0 | **High** |
> | 8 | DataVault Analytics | Analytics | 2.8 | **Medium** |
> | 9 | NetConnect GmbH | Network/ISP | 2.5 | **Medium** |
> | 10 | MailRelay Pro | Email delivery | 2.3 | **Medium** |
> | 11 | TaxCalc EU | Tax compliance | 2.2 | **Medium** |
> | 12 | LegalDocs EU | Contract mgmt | 2.1 | **Medium** |
> | 13 | CloudScale Pro CDN | CDN/edge | 2.0 | **Medium** |
> | 14 | ConsultCorp | Consulting | 1.4 | **Low** |
> | 15 | TranslateFlow | Translation | 1.3 | **Low** |
>
> You have 3 Critical and 4 High risk suppliers. CloudScale Pro leads due to critical data access, admin-level system access, and sole-source dependency. Let me now check one of your key contracts. Can you share the contractual terms summary for CloudScale Pro?
>
> **You:** Here's the summary of our CloudScale Pro contract: "Provider shall maintain SOC 2 Type II certification. Provider will implement reasonable security measures. Data is encrypted at rest. Customer may request compliance documentation annually. Sub-processors may be engaged with 30-day notice. Provider offers 99.9% uptime SLA."
>
> **Agent:** Running `contractual_clause_validator` on the CloudScale Pro contract...
>
> **Results — Clause-by-Clause Assessment:**
>
> | ID | Clause | Status |
> |----|--------|--------|
> | C1 | Cybersecurity requirements & standards | **PRESENT** |
> | C2 | Incident notification obligations | **ABSENT** |
> | C3 | Right to audit / assess | **INSUFFICIENT** |
> | C4 | Sub-processor controls | **PRESENT** |
> | C5 | Business continuity & DR provisions | **INSUFFICIENT** |
> | C6 | Data handling & access controls | **PRESENT** |
> | C7 | Termination & transition provisions | **ABSENT** |
> | C8 | Vulnerability disclosure & patching | **ABSENT** |
>
> **GAPS FOUND** — 3 clauses absent, 2 insufficient. For your highest-risk supplier, this needs immediate attention:
> - **Incident notification** (C2): No obligation for CloudScale Pro to notify you of security incidents. You need a 24-72 hour notification window with defined contacts and required information.
> - **Audit rights** (C3): You can request documentation, but there is no explicit right to audit or conduct penetration testing. Add an audit clause with notice period and scope.
> - **Termination provisions** (C7): No data return or deletion timeline defined. Add data return/deletion windows and a transition assistance period.
>
> Now let me check for concentration risks across your full supplier base. Running `supply_chain_concentration_checker`...
>
> **Results — Concentration Findings:**
>
> - **[CRITICAL] Single-Source:** "CloudScale Pro" is sole provider for cloud hosting (criticality 5/5). Loss of this supplier would halt operations.
> - **[CRITICAL] Single-Source:** "PayBridge" is sole provider for payment processing (criticality 4/5). No fallback payment channel.
> - **[CRITICAL] Single-Source:** "SecureID Systems" is sole provider for identity/SSO (criticality 5/5). Authentication would fail entirely.
> - **[HIGH] Geographic:** 60% of critical suppliers (3/5) are concentrated in the EU-West region. A regional regulatory change or infrastructure event could affect multiple critical services simultaneously.
> - **[MEDIUM] Provider:** 2 services from "CloudScale*" suppliers (CloudScale Pro, CloudScale Pro CDN) — evaluate group dependency.
>
> **CRITICAL** — You have three single-point-of-failure dependencies on your most critical service categories. I recommend we prioritize identifying alternative providers for cloud hosting, payment processing, and identity management, then build the full risk register with mitigation plans.

## Sample Output Excerpt

Below is a representative excerpt from a generated supplier risk register showing the risk scoring summary and recommended actions.

---

### Supplier Risk Register (excerpt)

| Rank | Supplier | Service Type | Composite Score | Tier | Key Risk Factors | Recommended Actions |
|------|----------|-------------|:---------------:|------|-----------------|---------------------|
| 1 | CloudScale Pro | Cloud hosting (IaaS) | 4.5 | Critical | Admin access, critical data, sole source | Identify backup IaaS provider; require ISO 27001 certification; quarterly security reviews; negotiate audit rights |
| 2 | SecureID Systems | Identity/SSO | 4.3 | Critical | Admin access, personal data, sole source | Evaluate secondary IdP for failover; require SOC 2 Type II; incident notification SLA within 24h |
| 3 | PayBridge | Payment processing | 4.2 | Critical | Critical data, write access, sole source | Integrate backup payment processor; verify PCI DSS compliance; define data return procedures |
| 4 | DevOps Pipeline Co | CI/CD tooling | 3.7 | High | Admin access, critical data, high service criticality | Annual security assessment; review pipeline secrets handling; contractual incident clause |
| 5 | AuditTrail Inc | SIEM/logging | 3.3 | High | Sole source, non-EU (USA), security service | Evaluate EU-based alternative; verify data residency; add audit rights to contract |
| 6 | BackupSafe | Backup/DR storage | 3.2 | High | Critical data, write access | Validate encryption practices; test restore procedures; verify geographic redundancy |
| 7 | SwiftHR | HR/Payroll SaaS | 3.0 | High | Personal data, write access | Standard contractual clauses review; annual security questionnaire |

### Concentration Risk Summary

| Risk Type | Severity | Finding | Diversification Recommendation |
|-----------|----------|---------|-------------------------------|
| Single-Source | Critical | CloudScale Pro is sole IaaS provider | Identify secondary cloud provider; implement multi-cloud readiness for critical workloads |
| Single-Source | Critical | PayBridge is sole payment processor | Integrate a backup payment gateway; negotiate portable payment tokenization |
| Single-Source | Critical | SecureID Systems is sole IdP | Evaluate SAML/OIDC failover to secondary identity provider |
| Geographic | High | 60% of critical suppliers in EU-West | Diversify across EU regions; assess regulatory fragmentation risk |
| Provider Group | Medium | 2 services from CloudScale* family | Confirm shared infrastructure risk; evaluate independent CDN alternative |


## Extension Tools

### `supplier_risk_scorer`

Parses a supplier inventory and scores each supplier on a 1-5 scale across five weighted dimensions. Returns a risk-ranked table with composite scores and tier assignments.

| Dimension | Weight | Score Range | What It Measures |
|-----------|:------:|:-----------:|-----------------|
| Data sensitivity | 25% | 1-5 | Level of data access: none (1), metadata (2), personal data (4), critical data (5) |
| System access | 20% | 1-5 | Depth of system access: none (1), read (2), write (4), admin (5) |
| Dependency | 20% | 2 or 5 | Sole-source supplier (5) vs. replaceable (2) |
| Geographic risk | 15% | 1-4 | EU/adequacy-decision countries (1), unknown (3), other (4) |
| Service criticality | 20% | 2-5 | Cloud/security/identity (5), network/payment (4), HR/ERP (3), other (2) |

Composite scores map to tiers: Critical (4.0+), High (3.0-3.9), Medium (2.0-2.9), Low (below 2.0). Each tier has recommended due diligence actions ranging from quarterly reviews for Critical suppliers to annual self-assessment for Low.
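An added example, not the skill's own code, that applies the weights, per-dimension scores and tier thresholds from the table above to a supplier inventory and returns a ranked list of `(name, composite, tier)` tuples; the country set is a constructed assumption, and because the code applies the table literally its composites will not necessarily match the rounded figures shown in the example conversation.

```python
from dataclasses import dataclass

# Weights and per-dimension scores taken from the supplier_risk_scorer table above.
WEIGHTS = {"data": 0.25, "system": 0.20, "dependency": 0.20, "geo": 0.15, "service": 0.20}
DATA_SCORE = {"none": 1, "metadata": 2, "personal_data": 4, "critical_data": 5}
SYSTEM_SCORE = {"none": 1, "read": 2, "write": 4, "admin": 5}
SERVICE_SCORE = {"cloud": 5, "security": 5, "identity": 5, "network": 4, "payment": 4, "hr": 3, "erp": 3}
# Assumption: constructed, non-exhaustive set of EU/EEA and adequacy-decision countries;
# anything else scores "other" (4), an empty country scores "unknown" (3).
LOW_GEO_RISK = {"germany", "netherlands", "ireland", "france", "belgium", "spain",
                "finland", "austria", "uk", "switzerland", "japan"}

@dataclass
class Supplier:
    name: str
    service: str        # category keyword: cloud, security, identity, network, payment, hr, erp, other
    data_access: str    # none | metadata | personal_data | critical_data
    system_access: str  # none | read | write | admin
    sole_source: bool
    country: str = ""   # empty string means unknown

def geo_score(country: str) -> int:
    if not country.strip():
        return 3
    return 1 if country.strip().lower() in LOW_GEO_RISK else 4

def composite(s: Supplier) -> float:
    # Fail loudly on unrecognised inventory values rather than silently under-scoring a supplier.
    if s.data_access not in DATA_SCORE or s.system_access not in SYSTEM_SCORE:
        raise ValueError(f"{s.name}: unrecognised data or system access level")
    parts = {
        "data": DATA_SCORE[s.data_access],
        "system": SYSTEM_SCORE[s.system_access],
        "dependency": 5 if s.sole_source else 2,
        "geo": geo_score(s.country),
        "service": SERVICE_SCORE.get(s.service.lower(), 2),
    }
    return round(sum(WEIGHTS[k] * v for k, v in parts.items()), 2)

def tier(score: float) -> str:
    # Thresholds from the text: Critical 4.0+, High 3.0-3.9, Medium 2.0-2.9, Low below 2.0.
    if score >= 4.0:
        return "Critical"
    if score >= 3.0:
        return "High"
    return "Medium" if score >= 2.0 else "Low"

def rank_suppliers(suppliers: list) -> list:
    rows = [(s.name, composite(s), tier(composite(s))) for s in suppliers]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```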

### `contractual_clause_validator`

Checks supplier contract descriptions against eight NIS2 Art. 21(2)(d) required contractual elements. Returns a clause-by-clause assessment with three possible statuses and specific recommendations for gaps.

| ID | Clause | What It Checks |
|----|--------|----------------|
| C1 | Cybersecurity requirements & standards | References to ISO 27001, SOC 2, NIST, or equivalent security controls |
| C2 | Incident notification obligations | Notification timeframes (24-72h), contacts, required information |
| C3 | Right to audit / assess | Audit rights, penetration testing, compliance audit provisions |
| C4 | Sub-processor / sub-contractor controls | Prior approval requirements, flow-down of security obligations |
| C5 | Business continuity & DR provisions | RTO/RPO targets, testing frequency, availability commitments |
| C6 | Data handling & access controls | Encryption, least-privilege access, data classification, logging |
| C7 | Termination & transition provisions | Data return/deletion timelines, transition assistance periods |
| C8 | Vulnerability disclosure & patching | Patching SLAs by severity, coordinated disclosure process |

Each clause is rated **Present** (adequate specificity), **Insufficient** (referenced but lacking detail), or **Absent** (not addressed). Absent and insufficient clauses include specific amendment recommendations.

### `supply_chain_concentration_checker`

Analyzes the supplier inventory for four categories of concentration risk and produces diversification recommendations.

| Category | What It Detects | Severity |
|----------|----------------|----------|
| Single-source dependency | Service categories with only one supplier, weighted by service criticality | Critical (criticality 4-5) or Medium |
| Geographic concentration | More than 50% of critical suppliers in a single country or jurisdiction | High |
| Provider consolidation | Three or more services from suppliers sharing a name prefix (e.g., "CloudScale*") | Medium |
| Infrastructure concentration | Two or more suppliers on the same cloud platform (AWS, Azure, GCP, etc.) | Medium |

Findings include severity ratings and numbered diversification recommendations. The overall result is classified as Critical (single-point-of-failure found), High (geographic/service concentration), or Acceptable (no significant risks).
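An added example, not the skill's own code, that applies the four detection rules from the table above to an inventory of plain dicts and derives the overall classification described in the text; the `critical` flag and `platform` field are assumed inputs (for instance the tier from the risk scorer and the supplier's declared hosting platform), and requiring both a single-member service category and the inventory's sole-source flag for the single-source rule is an assumption.

```python
from collections import Counter, defaultdict

# Service criticality per category, as in the supplier_risk_scorer table above.
CRITICALITY = {"cloud": 5, "security": 5, "identity": 5, "network": 4, "payment": 4, "hr": 3, "erp": 3}

def concentration_findings(suppliers: list) -> list:
    """Return (severity, risk_type, detail) tuples for the four concentration categories.
    Each supplier is a dict with keys: name, category, sole_source, country, critical, platform."""
    findings = []
    # 1. Single-source: a category served by one supplier that the inventory marks as sole source
    #    (assumption: both signals are required), severity set by service criticality.
    by_cat = defaultdict(list)
    for s in suppliers:
        by_cat[s["category"]].append(s)
    for cat, members in by_cat.items():
        if len(members) == 1 and members[0]["sole_source"]:
            crit = CRITICALITY.get(cat, 2)
            sev = "Critical" if crit >= 4 else "Medium"
            findings.append((sev, "Single-Source", f"{members[0]['name']} is sole provider for {cat} ({crit}/5)"))
    # 2. Geographic: more than 50% of critical suppliers in one country.
    countries = Counter(s["country"] for s in suppliers if s["critical"])
    if countries:
        country, n = countries.most_common(1)[0]
        total = sum(countries.values())
        if n / total > 0.5:
            findings.append(("High", "Geographic", f"{n}/{total} critical suppliers in {country}"))
    # 3. Provider consolidation: three or more services from a shared name prefix (first word).
    for prefix, n in Counter(s["name"].split()[0] for s in suppliers).items():
        if n >= 3:
            findings.append(("Medium", "Provider Group", f"{n} services from {prefix}*"))
    # 4. Infrastructure: two or more suppliers hosted on the same cloud platform.
    for plat, n in Counter(s["platform"] for s in suppliers if s.get("platform")).items():
        if n >= 2:
            findings.append(("Medium", "Infrastructure", f"{n} suppliers hosted on {plat}"))
    return findings

def overall_rating(findings: list) -> str:
    # Overall classification from the text: Critical, then High, otherwise Acceptable.
    severities = {f[0] for f in findings}
    if "Critical" in severities:
        return "Critical"
    return "High" if "High" in severities else "Acceptable"
```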

## Getting Started

Activate the *NIS2 Supply Chain Security* skill from the skill library.

Have this information ready before starting:

- **Supplier inventory** — a list of your suppliers with: name, service type, level of data access (none, metadata, personal data, critical data), level of system access (none, read, write, admin), whether they are your sole source for that service, and their country. A spreadsheet or markdown table works best.
- **Contract summaries** — for your most critical suppliers, prepare a summary of the key contractual terms: security requirements, incident clauses, audit rights, SLAs, termination provisions. Full contract text is not required — a summary of relevant clauses is sufficient.
- **Known concerns** — any existing worries about specific suppliers, recent incidents, or upcoming contract renewals that should be prioritized.

The agent guides you through a four-step workflow: first it scores all suppliers to identify your highest-risk relationships, then validates contracts for your critical and high-risk suppliers against NIS2 requirements, runs concentration analysis to find single points of failure, and finally produces the supplier risk register and contractual review report with specific mitigation actions.



