My client is in scope of NIS2 and asks me for measures — is that required?
NIS2 requires in-scope organisations to manage supply-chain risk. As a supplier you usually do not fall under the law yourself, but your client may pass requirements on by contract; refusing can mean losing the contract.
Short answer: Your client, being in scope of NIS2, is legally required to manage the security of its supply chain and may set requirements on you to do so. As an ordinary supplier you usually do not fall directly under NIS2 yourself, but the requirements reach you through the contract. Complying is therefore not a legal obligation for you, but it is often a condition for keeping the client.
What NIS2 asks of your client
NIS2 — Directive (EU) 2022/2555 — requires essential and important entities to take appropriate and proportionate measures to manage the risks to their network and information systems. Article 21 expressly lists supply-chain security, including security-related aspects of the relationships between the entity and its direct suppliers or service providers. The directive therefore asks the in-scope organisation to look at its own supply-chain risks and account for them — including in its procurement and contracting decisions.
That is the legal basis behind the request you receive: your client is passing its own obligation down the chain. The directive places that duty on the entity itself, not directly on every supplier.
Are you in scope of NIS2 yourself?
NIS2 applies to organisations in the sectors listed in the annexes to the directive (such as energy, transport, digital infrastructure, food and certain manufacturing) that exceed the threshold for medium-sized enterprises. If you, as a supplier, fall within those sectors and above that size, you may be directly in scope — with obligations of your own. The directive is transposed into national law by each Member State; the precise scope and exemptions follow from that national implementation and its supervision.
If you are not in scope, your obligation arises not from the law but from the contract. Your client's requirement is then a commercial, contractual one — not a direct legal duty on you.
What this means in practice
Three sober conclusions. First, the request is legitimate and will recur, because your client is itself held accountable for it. Second, assess whether you fall under NIS2 yourself — this changes whether "required" is legal or contractual. Third, even without a legal duty of your own, cooperating is often wise, because refusing can lead the client to choose a supplier who can demonstrate the requested measures. Which measures are reasonable and proportionate depends on your role in the chain and the nature of the service; the directive calls for proportionality, not identical requirements for everyone.
Sources
- https://eur-lex.europa.eu/eli/dir/2022/2555/oj — Directive (EU) 2022/2555 (NIS2); see Art. 21 on risk-management measures, including supply-chain security.
- https://digital-strategy.ec.europa.eu/en/policies/nis2-directive — European Commission, overview of the NIS2 Directive and its scope.