Supplier monitoring under NIS2 has become a central part of how organisations manage cybersecurity. As business-critical functions, systems and data are increasingly handled by external parties, the need to identify, classify and follow up on supplier and third-party risks in a structured way also grows. Here's how to get started.
Why supplier monitoring matters under NIS2
Attackers tend to take the easiest route in - and that route often runs through a supplier. As organisations become more dependent on external parties for operations, systems, access and specialist expertise, third-party risks become increasingly business-critical. NIS2 marks a clear shift: trusting that suppliers do the right thing is no longer enough. Your organisation must be able to demonstrate that risks are mapped, managed and monitored over time.
Start by classifying suppliers based on risk and criticality
The first step is understanding which suppliers are actually most critical to your business. Not all suppliers should be treated the same way. A supplier with access to sensitive information, administrative privileges or core business systems represents a very different risk than one with limited impact. That's why you need to classify suppliers based on factors such as:
- business criticality
- which systems they affect
- what data they handle
- what access they have
- the impact an incident would have
- whether subcontractors are involved in the delivery
Only once that classification is in place can you decide which requirements are reasonable, proportionate and necessary.
Build a supplier register for better supplier monitoring
An up-to-date supplier register is an essential practical foundation for this work. It sounds simple, but this is exactly where many organisations fall short. A useful register should not only show which suppliers you have - it should also collect the information needed to follow up on them over time.
A good supplier register should at minimum give you an overview of:
- contact persons
- contracts
- affected systems
- risk classification
- data types
- any subcontractors
- history of follow-ups and audits
The point isn't to create administration for its own sake. The point is to give your organisation a foundation for prioritising, planning and following up on the right suppliers in the right way.
Set measurable security requirements in supplier contracts
Contract work can't be a copy-paste exercise. Requirements need to reflect the actual risk in the specific delivery. The more critical the service, the sharper the security requirements need to be.
In practice, this can mean specifying:
- which security measures the supplier must take
- what cybersecurity competence is required
- how incidents must be reported and within what timeframes
- how changes in the system environment must be communicated
- how audits and follow-ups will be carried out
- what applies when the contract ends
- how risks further down the supply chain will be managed
The key is that the requirements must be possible to follow up on. If contracts are vague or hard to measure, follow-up becomes equally hard to carry out in practice.
Make supplier monitoring an ongoing process
A common mistake is to do the risk assessment at procurement - and then leave it there. But supplier risks change over time. New services are added, access changes, incidents occur, and the supplier's own supply chain may shift.
That's why supplier monitoring needs to be continuous. A sustainable approach is built on classifying the supplier, setting requirements, assessing risk, following up, handling incidents and reviewing on a regular basis. That way, the work becomes part of your ongoing risk management programme rather than a one-off effort.
Three common pitfalls in third-party risk management
There are several reasons why this work often falls short. Three of the most common are:
1. Relying too heavily on self-assessments
Self-assessments can be a starting point, but they aren't verified. For critical suppliers, you need to go further than that.
2. Unclear internal roles
When it's unclear who owns the issue across the business, procurement, IT and legal, follow-up tends to be weak. Supplier security needs clear cross-functional ownership.
3. Too little focus on subcontractors
Looking at the direct supplier isn't enough. Risks can also exist further down the chain, and that needs to be factored into the assessment.
How to get started with supplier monitoring under NIS2
If you're at the start of this journey, it's wise not to try to solve everything at once. A good first step is to:
- create a basic supplier register
- classify suppliers based on criticality
- identify which contracts need to be reviewed first
- start with the suppliers that most affect the core of the business
That makes the work manageable and risk-based from the start.
Summary: how to strengthen supplier monitoring under NIS2
NIS2 means supplier monitoring can no longer be seen as a side activity to procurement or contract management. It's part of your organisation's overall cybersecurity work. To get started, you need to create an overview, classify suppliers, set measurable and proportionate requirements, and follow up on them on an ongoing basis.
The most important thing isn't that everything is perfect from day one. The most important thing is that the work becomes systematic.
Want to know more about how the Stratsys GRC platform can help your organisation with NIS2? Get in touch with us.