Which suppliers must I audit?

Risk-based: all whose failure or compromise would disrupt critical business processes. Minimum: IT hosting, cloud software, IT maintenance.

Is supplier self-disclosure sufficient?

For critical suppliers no. Required: right-to-audit in DPA, annual effectiveness review, ISO 27001 certificate request.

What about cloud providers (AWS, Azure, GCP)?

Hyperscalers have SOC 2 + ISO 27001. Required: third-country assessment, EU data boundary activation, customer lockbox function, contract DPA with § 30 clauses.

Which contract clauses are mandatory?

Min. 6: 1) Security standards, 2) Incident notification 24h, 3) Right to audit, 4) Sub-supplier list, 5) Continuity plan, 6) Termination data return.

How often supplier review?

Annually. For critical suppliers: additionally after security incidents + at contract renewals.

Fine for supply chain violations?

§ 60 BSIG: up to €10M / 2% global revenue for essential entities. § 38 BSIG executive liability for gross negligence.

Securing the NIS2 Supply Chain: Section 30(2) No. 4 BSIG in Practice

Published: 26 April 2026 · Last updated: 02 May 2026· Category: NIS2

Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are compliance specialists, not a law firm. For legally binding advice, please consult a licensed attorney.

TL;DR

Section 30(2) No. 4 BSIG: obligation for supply chain security in force since 06 December 2025
8-step audit: Inventory → Criticality → Self-assessment → Audit → Contract → Monitoring → Incident plan → Re-evaluation
6 mandatory contract clauses in every DPA
Critical suppliers: annually, and immediately upon incident
Fine risk: EUR 10 million / 2% of global turnover + Section 38 managing director liability

1. Why supply chain is a NIS2 focus area

NIS2 responds to reality: in 2024, 42% of all serious cyber incidents originated from supply chain attacks (ENISA Threat Landscape 2025). Examples:

SolarWinds (2020): 18,000 customers compromised via software update
3CX (2023): voice software update carrying a trojan
MOVEit (2023): file transfer tool, 60+ million records stolen
XZ Utils (2024): Linux backdoor in upstream library

Consequence: NIS2 makes supply chain security an explicit obligation.

2. Section 30(2) No. 4 BSIG (NIS2UmsuCG)

"Measures for the security of the supply chain including security-related aspects of the relationships between the individual entities and their direct providers or service providers" — Section 30(2) No. 4 BSIG

Specified by BSI Guideline 03/2026 + ENISA Supply Chain Guidelines 2024.

3. 8-step supplier audit

Step	Activity	Output
1. Inventory	Capture all external service providers	Supplier list
2. Criticality assessment	Score risk of outage/compromise	Top-20 critical list
3. Self-assessment	Send security questionnaire (40 questions)	Response sheet
4. Audit	For top 20: on-site audit or ISO 27001 certificate	Audit report
5. Contract clauses	Embed 6 mandatory clauses in the DPA	Updated DPA
6. Monitoring	Quarterly incident reports from the supplier	Reports stored in DMS
7. Incident plan	Escalation workflow for supplier incident	Emergency plan
8. Re-evaluation	Annual reassessment	Updated score

Supplier questionnaire + DPA model clauses + audit checklist in the NIS2 Kit.

4. 6 mandatory contract clauses

Security standards: ISO 27001 or NIST CSF or equivalent — in writing
Incident notification: within 24 hours of becoming aware
Right to audit: annual right-to-audit, where applicable through an independent third party
Sub-suppliers: list provided in advance + approval of new sub-suppliers
Continuity plan: BCM/DR documentation available, RTO/RPO defined
Termination: data return + secure deletion documented

5. Prioritising critical suppliers

Criticality matrix (simplified):

Supplier	Business impact of outage	Data sensitivity	Score
IT hosting (AWS/Azure)	critical (all systems)	high (all data)	9/10
ERP SaaS (SAP, MS Dyn.)	critical	high (financial)	9/10
Email service (M365)	critical	medium-high	8/10
HR SaaS (Workday)	high	high (especially sensitive)	8/10
Marketing CRM (HubSpot)	medium	medium	5/10
Print shop (advertising material)	low	low	2/10

6. Practical examples 2025

Mid-sized company, 250 employees: 47 suppliers identified, of which 8 critical. Audit effort: 12 person-days one-off + 3 person-days/year.
Large SME, 800 employees: 120 suppliers, 18 critical. ISO 27001 certificate as standard requirement. 25 person-days one-off.
Energy provider: in addition to BSI-KritisV, KritisV Section 8a applies — stricter audit obligations.

Sources

As of: 02 May 2026

BSIG 2025 (consolidated version) — Section 30(2) No. 4 (supply chain security) (as of: 02 May 2026)
NIS2 Implementation Act — Federal Law Gazette 2025 I No. 301 (as of: 02 May 2026)
Directive (EU) 2022/2555 (NIS2) — Art. 21(2)(d) (supply chain) (as of: 02 May 2026)
BSI — NIS-2 FAQ regulated entities

Sources

BSIG 2025 (Section 30(2)(4) supply chain) (As of: 2026-05-02)
Directive (EU) 2022/2555 — NIS2 (As of: 2026-05-02)
BSI — NIS-2 FAQ (as of: ongoing)

Securing the NIS2 Supply Chain: Section 30(2) No. 4 BSIG in Practice

TL;DR

1. Why supply chain is a NIS2 focus area

2. Section 30(2) No. 4 BSIG (NIS2UmsuCG)

3. 8-step supplier audit

4. 6 mandatory contract clauses

5. Prioritising critical suppliers

6. Practical examples 2025

Sources

Sources

Related Reading