NIS2 supply-chain risk assessment runbook
Deliver regulator-ready supplier inventories, mitigation proof, and coordination workflows so Member States can finalise the 17 October 2025 coordinated assessment without emergency escalations.
Cybersecurity Briefing — October 17, 2025
This guide fuses Article 22’s coordinated supply-chain assessment scope with Article 32 supervisory powers, ensuring every dataset and evidence pack withstands binding instructions, audit requests, and cross-border information sharing.
Outline: core deliverables before Member State calls arrive
Member States coordinating the Article 22 supply-chain risk assessment expect operators to surface four packages immediately. Aligning these outputs with Article 32 oversight powers avoids rework when authorities exercise inspection, data access, or binding instruction rights.
- Dependency catalogue. Maintain a continuously reconciled inventory of critical ICT services, subcontractors, hosting regions, and contract references that exposes concentration and jurisdictional risk.
- Mitigation evidence library. Package penetration tests, SOC analytics, remediation trackers, and incident retrospectives mapped to high-risk suppliers so supervisors can validate Article 21 controls and order follow-up actions under Article 32(4) (Directive (EU) 2022/2555, Art. 32(4)(b)-(f)).
- Cross-border submission blueprint. Document the data-sharing plan for every Member State portal, including confidentiality controls, encryption methods, and accountable legal contacts, to satisfy coordination group expectations.
- Supervisory engagement log. Track Article 32 interactions—inspection notices, information requests, audit outcomes, and binding instructions—so deadlines and remediation proof stay synchronised across jurisdictions (Directive (EU) 2022/2555, Art. 32(2)-(5)).
Timeline: stage deliverables before the 17 October 2025 deadline
This runbook works to 17 October 2025 as the delivery date for the coordinated Article 22 supply-chain risk assessment. Article 22 of Directive (EU) 2022/2555 itself fixes no calendar deadline for these assessments, so treat the date as the coordination milestone the programme is planned around; Article 32 supervisory powers mean internal milestones must front-load data readiness, evidence rehearsal, and oversight simulations (Directive (EU) 2022/2555, Arts. 22 and 32).
- Q4 2024 – Q1 2025: consolidate records. Reconcile supplier master data, incident archives, and remediation logs so draft Cooperation Group templates can be populated without back-and-forth once requests land (Directive (EU) 2022/2555, Art. 32(1)-(2)).
- Q2 2025: scenario-test Article 22 risk themes. Run tabletop exercises on critical ICT product outages, subcontractor failure, and jurisdictional conflicts so Article 21 control gaps and substitution strategies are documented before authorities benchmark sectors (Directive (EU) 2022/2555, Art. 21(2)(d) and 22(2)).
- July – September 2025: freeze submissions and rehearse oversight. Lock regulator-ready exports, validate secure data rooms, and simulate Article 32 inspection, data request, and binding-instruction workflows so responses arrive within mandated timeframes (Directive (EU) 2022/2555, Art. 32(2)-(5)).
- Post-assessment: capture improvement actions. Catalogue all remediation orders, monitoring officer appointments, and sector-wide recommendations so Article 22 findings translate into refreshed supplier contracts and Article 21 controls for 2026 planning (Directive (EU) 2022/2555, Art. 32(4)-(8)).
Treat the 17 October 2025 date as a regulator-facing launch date—executive steering committees should review progress at least monthly until submissions and supervisory rehearsals complete.
Directive anchors to structure your programme
- Article 22: Coordinated risk assessments. The Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of the supply chains of specific critical ICT services, systems, and products that the Commission identifies after consulting them, weighing technical and, where relevant, non-technical risk factors. The results feed directly into the supply-chain controls entities must take under Article 21, which is what makes shared templates and mitigation expectations across Member States workable (Directive (EU) 2022/2555, Art. 22(1)-(2)).
- Article 21(3): Supplier control alignment. When deciding which supply-chain measures under Article 21(2)(d) are appropriate, essential and important entities must take into account the vulnerabilities specific to each direct supplier and service provider, the overall quality of their products and cybersecurity practices (including secure development procedures), and the results of Article 22 coordinated assessments. That due diligence cannot be evidenced without a reconciled dependency catalogue (Directive (EU) 2022/2555, Art. 21(2)(d) and 21(3)).
- Article 32: Supervisory powers and timelines. Competent authorities can perform on-site inspections and off-site supervision, regular and targeted security audits, security scans, and requests for information, data, and evidence of implementation; they can issue warnings and binding instructions, appoint monitoring officers, coordinate with their counterparts in other Member States, and, if remediation stalls, impose administrative fines, suspend certifications or authorisations, and temporarily prohibit managers from exercising their functions (Directive (EU) 2022/2555, Art. 32(2)-(10)).
Use these articles to scope workstreams, allocate owners, and define evidence checkpoints that anticipate both national submissions and cross-border supervisory escalations.
Data preparation: engineer trustworthy dependency catalogues
Article 22 assessments hinge on evidence that essential and important entities understand their supplier footprint. Build a single source of truth that regulators can interrogate without delay.
- Normalise supplier master data. Consolidate procurement, CMDB, and contract repositories into a data model that captures service criticality, data processed, hosting geography, subcontracting chains, and regulatory dependencies. Flag suppliers tied to the critical ICT services, systems, or products the Commission identifies for coordinated assessment after consulting the Cooperation Group and ENISA (Directive (EU) 2022/2555, Art. 22(2)).
- Quantify concentration and substitution risk. Layer impact scores covering geographic clustering, shared subcontractors, and replacement lead times so Article 22 assessments can evidence systemic exposure and risk-treatment sequencing (Directive (EU) 2022/2555, Art. 22(2)).
- Enrich with operational telemetry. Join service health metrics, change windows, incident records, and SLA adherence to each supplier entry so concentration risks translate into measurable exposure scores and remediation triggers.
- Track Article 22 follow-up measures. Monitor Cooperation Group communiqués and Commission identifications of critical ICT services, systems, and products so any security expectations that flow from a coordinated assessment (encryption controls, secure development practices, disclosure cadences) are pre-mapped to affected suppliers before they have to be reflected in your Article 21 controls (Directive (EU) 2022/2555, Art. 22(1)-(2) and 21(3)).
- Version control exports. Generate regulator-ready extracts (CSV, JSON) with checksum validation, metadata schemas, and redaction notes. Store them in an access-controlled workspace so you can answer Article 32(2)(e)-(g) requests for information, data, and evidence of implementation without delay, and prove you applied Article 21(3) supplier due diligence (Directive (EU) 2022/2555, Art. 21(3) and 32(2)(e)-(g)).
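The catalogue and export steps above, as an added worked example (illustrative code written for this page, not Zeph Tech tooling): a small constructed supplier set is scored for geographic clustering, subcontractors shared with other suppliers, and substitution lead time using illustrative integer weights; systemic exposure is flagged; contract references are redacted; and the JSON export carries a manifest whose SHA-256 is computed over the canonical form of exactly the records shipped, so a recipient can detect an edited or truncated extract. The field names, weights, the 50-point systemic threshold, and the `dependency-catalogue/1.0` schema label are assumptions.

```python
"""Added example: reconciled dependency catalogue with concentration scoring
and a checksummed, redacted export (illustrative weights, constructed data)."""
import csv
import hashlib
import io
import json
from collections import Counter
from dataclasses import asdict, dataclass
from typing import Dict, List, Sequence


@dataclass
class Supplier:
    supplier_id: str
    name: str
    service: str
    criticality: str            # internal tier: "critical" | "high" | "standard"
    hosting_region: str         # where the service is operated from
    subcontractors: List[str]   # known fourth parties in the delivery chain
    replacement_lead_days: int  # realistic time needed to substitute the supplier
    contract_ref: str
    art22_critical_ict: bool = False  # tied to an ICT item identified under Article 22(2)


# Constructed sample records; names and references are fictitious.
CATALOGUE: List[Supplier] = [
    Supplier("S-001", "CloudHost AG", "IaaS hosting", "critical", "DE-FRA",
             ["NetCarrier NV", "DC-Ops BV"], 180, "CTR-2024-017", True),
    Supplier("S-002", "PayRail SE", "payment switching", "critical", "DE-FRA",
             ["DC-Ops BV"], 90, "CTR-2023-044"),
    Supplier("S-003", "LogVault Ltd", "SIEM SaaS", "high", "IE-DUB",
             ["NetCarrier NV"], 60, "CTR-2024-102"),
    Supplier("S-004", "Stationery Co", "office supplies", "standard", "FR-PAR",
             [], 7, "CTR-2022-009"),
]


def concentration_scores(suppliers: Sequence[Supplier]) -> Dict[str, int]:
    """0-100 per supplier: 40 pts geographic clustering, 30 pts subcontractors shared
    with other suppliers, 30 pts substitution lead time (capped at 180 days).
    Integer arithmetic keeps the score reproducible across runs and platforms."""
    n = len(suppliers)
    region_counts = Counter(s.hosting_region for s in suppliers)
    sub_counts = Counter(sub for s in suppliers for sub in s.subcontractors)
    scores: Dict[str, int] = {}
    for s in suppliers:
        geo = 40 * region_counts[s.hosting_region] // n
        shared = sum(1 for sub in s.subcontractors if sub_counts[sub] > 1)
        subs = 30 * min(shared, 2) // 2
        lead = 30 * min(s.replacement_lead_days, 180) // 180
        scores[s.supplier_id] = geo + subs + lead
    return scores


def _canonical(records: list) -> bytes:
    # Sorted keys, no whitespace: identical data always hashes identically.
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def build_export(suppliers: Sequence[Supplier],
                 redact: Sequence[str] = ("contract_ref",)) -> dict:
    """Redacted records plus a manifest whose SHA-256 covers exactly the records shipped."""
    scores = concentration_scores(suppliers)
    records = []
    for s in suppliers:
        rec = asdict(s)
        rec["concentration_score"] = scores[s.supplier_id]
        # Systemic: an Article 22 item, or high concentration on a non-standard service.
        rec["systemic"] = s.art22_critical_ict or (
            scores[s.supplier_id] >= 50 and s.criticality != "standard")
        for name in redact:
            rec[name] = "[REDACTED]"
        records.append(rec)
    manifest = {
        "schema": "dependency-catalogue/1.0",  # assumed internal schema label
        "record_count": len(records),
        "sha256": hashlib.sha256(_canonical(records)).hexdigest(),
        "redaction_note": f"fields {list(redact)} withheld; disclosable to the competent authority on request",
    }
    return {"manifest": manifest, "records": records}


def verify_export(export: dict) -> bool:
    """Recompute count and checksum before trusting an extract (catches edits and truncation)."""
    m = export["manifest"]
    return (m["record_count"] == len(export["records"])
            and hashlib.sha256(_canonical(export["records"])).hexdigest() == m["sha256"])


def to_csv(export: dict) -> str:
    """Same records as CSV; the list-valued subcontractors field is joined with ';'."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(export["records"][0]))
    writer.writeheader()
    for rec in export["records"]:
        writer.writerow(dict(rec, subcontractors=";".join(rec["subcontractors"])))
    return buf.getvalue()
```

Call `build_export(CATALOGUE)` and `verify_export(...)` on the result; the checksum covers the redacted records the authority actually receives, so keep the unredacted source and the manifest together in the access-controlled workspace to substantiate the redaction note on request. The CSV view changes only the container; the hash of record in the manifest is still the one to cite in a data-request response.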
Zeph Tech maintains catalogues that reconcile procurement, risk, and observability sources nightly so Member State queries receive authoritative, timestamped responses.
Evidence packaging: prove mitigation is operating
Supervisors will test whether Article 21 controls and supplier remediations are active, not aspirational. Curate evidence chains that withstand Article 32 inspections and audit follow-ups.
- Map artefacts to supplier risk tiers. For every high-risk vendor, bundle penetration-test summaries, SOC detection coverage, vulnerability treatment plans, and incident timelines showing root-cause closure.
- Include governance proof. Attach board briefings, risk acceptance approvals, and procurement committee minutes demonstrating executive oversight of supply-chain exposure and mitigation funding.
- Evidence incident-to-remediation chains. Provide chronological views that tie detection, containment, eradication, and recovery metrics to supplier responsibilities so the incident-handling measures required by Article 21(2)(b) stand up to Article 32 inspections and audits (Directive (EU) 2022/2555, Art. 21(2)(b) and 32(2)(a)-(d)).
- Automate audit trails. Use workflow tooling to log who compiled, reviewed, and released each evidence pack. Record inspection notices, targeted audit scopes, binding instructions, and remediation status to evidence compliance with Article 32(2)(a)-(d) supervisory measures and Article 32(4)-(5) enforcement steps (Directive (EU) 2022/2555, Art. 32(2)(a)-(d) and 32(4)-(5)).
- Secure supplier attestations. Collect signed statements from critical vendors describing the controls and secure development practices your Article 21(3) due diligence must take into account, and reference the contract clauses that let you, and on request the competent authority, verify those statements (Directive (EU) 2022/2555, Art. 21(3) and 32(2)(e)).
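One way to implement the audit trail called for above, as an added example (illustrative code for this page, not the workflow tooling the page refers to): every compile, review, and release event is appended to a hash-chained ledger, so later rewriting who did what breaks verification, and a release gate enforces that the latest compile was reviewed afterwards by a different person, over the same artefact digests, and has not already been released. Pack identifiers, actor names, artefact contents, and the three-word action vocabulary are constructed assumptions.

```python
"""Added example: hash-chained release ledger for evidence packs with a
four-eyes release gate (constructed data; not Zeph Tech tooling)."""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # prev_hash of the first entry


def artefact_digest(content: bytes) -> str:
    """Digest of one artefact (e.g. a pentest summary PDF) as it was compiled."""
    return hashlib.sha256(content).hexdigest()


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def append_event(ledger: List[dict], pack_id: str, action: str, actor: str,
                 artefacts: Dict[str, str], note: str = "") -> dict:
    """Append a compiled/reviewed/released event; each entry commits to its predecessor."""
    entry = {
        "seq": len(ledger),
        "pack_id": pack_id,
        "action": action,           # "compiled" | "reviewed" | "released"
        "actor": actor,
        "artefacts": artefacts,     # filename -> sha256 at the time of the event
        "note": note,
        "prev_hash": ledger[-1]["hash"] if ledger else GENESIS,
    }
    entry["hash"] = _entry_hash(entry)
    ledger.append(entry)
    return entry


def verify_chain(ledger: List[dict]) -> bool:
    """True only if every entry is intact and linked to the one before it."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def release_allowed(ledger: List[dict], pack_id: str, releaser: str) -> bool:
    """Release gate: the latest compile was reviewed afterwards by someone else, the
    reviewed artefacts are exactly the compiled ones, and no release followed that review."""
    events = [e for e in ledger if e["pack_id"] == pack_id]
    compiled = [e for e in events if e["action"] == "compiled"]
    reviewed = [e for e in events if e["action"] == "reviewed"]
    if not compiled or not reviewed:
        return False
    c, r = compiled[-1], reviewed[-1]
    if r["seq"] < c["seq"] or r["artefacts"] != c["artefacts"]:
        return False                        # review is stale or covered different files
    if r["actor"] == c["actor"] or releaser == c["actor"]:
        return False                        # four-eyes: the compiler neither reviews nor releases
    return not any(e["action"] == "released" and e["seq"] > r["seq"] for e in events)


def release(ledger: List[dict], pack_id: str, releaser: str) -> bool:
    """Record a release only if the gate passes; returns whether it was recorded."""
    if not release_allowed(ledger, pack_id, releaser):
        return False
    last = [e for e in ledger if e["pack_id"] == pack_id][-1]
    append_event(ledger, pack_id, "released", releaser, last["artefacts"], "sent to portal")
    return True


def demo_ledger() -> List[dict]:
    """Constructed walk-through: compile, review by a second person, release by a third."""
    artefacts = {
        "pentest-summary.pdf": artefact_digest(b"constructed pentest summary v1"),
        "soc-coverage.csv": artefact_digest(b"technique,rule,status\nT1190,web-exploit,active\n"),
    }
    ledger: List[dict] = []
    append_event(ledger, "EVP-2025-CLOUDHOST", "compiled", "a.analyst", artefacts)
    append_event(ledger, "EVP-2025-CLOUDHOST", "reviewed", "b.reviewer", artefacts,
                 "artefacts map to the Article 21 control list")
    release(ledger, "EVP-2025-CLOUDHOST", "c.legal")
    return ledger
```

`demo_ledger()` returns the three-event chain. In practice the ledger is persisted append-only (a WORM bucket or a signed log) so that `verify_chain` is meaningful against a copy an inspector can obtain independently, and the per-artefact digests let the inspector confirm that the files in the data room are the ones that were actually reviewed.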
Our analysts align every artefact with the relevant Article 21 control, ensuring supervisors can immediately trace mitigations to statutory requirements.
Supervisory engagement: operationalise Article 32 touchpoints
Article 32 empowers competent authorities to request information, run audits, issue binding instructions, and impose fines. Anticipate each touchpoint so cross-border oversight does not derail the assessment timetable.
- Build a request response cell. Stand up a multidisciplinary team (legal, procurement, security engineering, privacy) with predefined playbooks for on-site inspections, targeted security audits, and the full spectrum of Article 32(2) information requests, including cooperation with designated monitoring officers (Directive (EU) 2022/2555, Art. 32(2) and 32(4)(g)).
- Pre-commit response service levels. Article 32(3) requires authorities to state the purpose of each information, data, or evidence request and to specify what is requested; map each request type to internal escalation paths so information, audit artefacts, and remediation updates ship within the deadline the authority sets (Directive (EU) 2022/2555, Art. 32(3)).
- Log every directive. Maintain a central register of warnings, binding instructions, remediation deadlines, publication orders, and any temporary suspensions so responsible owners and completion evidence stay aligned with Article 32(4)-(5) and Article 32(7)-(8) accountability requirements (Directive (EU) 2022/2555, Art. 32(4)-(8)).
- Escalate systemic findings. Feed recurrent vulnerabilities or supplier disputes into board and audit committee updates so leadership can approve structural remediation before authorities escalate to administrative fines under Article 32(4)(i) and Article 34, or to suspensions and temporary management prohibitions under Article 32(5)-(6) (Directive (EU) 2022/2555, Art. 32(4)-(6) and 34).
- Coordinate cross-border messaging. Align submissions and remedial commitments with the lead and assisting Member States so Article 32(8) cooperation does not surface inconsistent narratives across supervisory forums (Directive (EU) 2022/2555, Art. 32(8)).
Zeph Tech coordinates supervisory portals, request trackers, and executive briefings so no jurisdictional demand is missed while submissions progress.
Supplier collaboration: align cross-border submissions
Entities spanning multiple Member States must synchronise supplier narratives and confidentiality safeguards to avoid contradictory filings.
- Synchronise disclosure packets. Share submission templates with strategic suppliers covering dependency context, security posture, and mitigation commitments so their Member State responses align with your data rooms.
- Implement secure review spaces. Provision encrypted data rooms with granular access controls, watermarking, and audit logs to protect trade secrets while giving authorities Article 32-compliant visibility.
- Rehearse confidentiality and redaction protocols. Test how sensitive supplier intelligence is anonymised or aggregated when disclosure thresholds vary across Member States, ensuring legal teams can justify redactions instantly.
- Embed Article 21(3) obligations into contracts. Update supplier agreements with notification, remediation, and audit support clauses so third parties understand their role in coordinated assessments and Article 32 follow-ups (Directive (EU) 2022/2555, Art. 21(3)).
- Define escalation circuits for joint findings. Identify counterpart contacts at each critical supplier and agree how Article 32 inspection results or Cooperation Group advisories will trigger shared remediation plans (Directive (EU) 2022/2555, Art. 32(2)-(5)).
We orchestrate supplier workshops and secure collaboration channels so evidence stays consistent across national portals while contractual obligations remain intact.