With NIS2, the security of the ICT supply chain ceases to be merely a technical issue and becomes a matter of governance, management accountability, and the organization’s overall resilience. The regulation requires risk management measures that explicitly include the supply chain and relationships with direct and indirect suppliers.

This aspect is directly linked to the GDPR: Article 28 requires the data controller to select only data processors that offer sufficient guarantees, while Article 32 requires technical and organizational measures appropriate to the risk. It follows that the management of ICT suppliers cannot be limited to standard contracts or merely formal due diligence, but requires a concrete assessment of the supplier’s criticality, operational dependencies, data processed, security measures adopted, use of subcontractors, incident response times, and audit rights.

Supply chain risk must be managed ex ante through the selection, classification, verification, and continuous monitoring of critical suppliers. Operationally, this involves structured due diligence, security questionnaires, the collection of documentary evidence, periodic audits, verification of subcontractors, and specific clauses regarding notifications, vulnerabilities, response times, and cooperation in the event of an incident. Added to this is the contractual formalization of risk: for ICT suppliers that impact relevant services or processing operations, generic clauses are insufficient; clear provisions are required regarding technical and organizational measures, incident reporting, recovery support, vulnerability management, traceability of subcontractors, and data return or deletion.

From a NIS2 perspective, these clauses govern supply chain risk; from a GDPR perspective, they provide concrete implementation of Articles 28 and 32, since the security of the supply chain depends on defined, verifiable, and effectively enforceable obligations.