Information Security

NIS2 for IT service providers: supply chain responsibility and supplier management explained

The NIS2 Directive affects more than just traditional critical sectors. For IT service providers such as Managed Service Providers (MSPs: companies that provide IT or other services to customers), cloud providers, software developers, data centers, and hosting companies, NIS2 is set to become one of the most important cybersecurity laws in the coming years. Why? IT service providers increasingly form the digital backbone of other organizations. If one IT supplier is hit by a cyberattack, it can affect hundreds or even thousands of customers. That is why NIS2 places extra emphasis on chain responsibility and supplier management. In this blog, you can read about when you, as an IT service provider, fall under NIS2 and what chain responsibility and supplier management mean in practice.
This article was last updated on September 1, 2026.

Why IT service providers are so important under NIS2

IT service providers are considered "essential or important entities" in NIS2, depending on their role, risk, and size. They receive extra attention because:

  • They have direct access to customer systems and data.
  • An incident at the IT supplier can cause major chain damage.
  • Cyber attackers are increasingly carrying out supply chain attacks.

Examples such as Kaseya, SolarWinds, and MOVEit show how a single hack can affect thousands of organizations. NIS2 is designed to reduce these types of chain risks and therefore places extra emphasis on supplier management and chain responsibility compared to ISO 27001.

What is often underestimated in this regard is that NIS2 explicitly brings information security into the boardroom. Directors and executives can be held personally liable if security and compliance are not in order. Shifting responsibility to "the IT department" is no longer a legal option. In fact, NIS2 requires directors to demonstrate knowledge of cyber risks and to undergo appropriate training.

What does chain responsibility mean to you?

In short: you are not only responsible for your own security, but also for that of your direct suppliers and the services you provide to customers. For IT service providers, this means three things:

1. Know the risks of your IT services

Every service you provide can involve risks. Consider services such as:

  • Remote management of systems → risk of misuse of administrator accounts
  • Hosting or cloud storage → risk of data leaks or downtime
  • Monitoring services → risk that attacks will not be detected
  • Identity and access management → risk of unauthorized access
  • Backup & restore services → risk that backups do not work or are encrypted

If a service fails or is misused, it affects not just one organization, but an entire chain.

2. Demonstrate that your services are secure

Trust alone is not enough. You must be able to clearly demonstrate the measures you have taken. Documentation is important here: procedures, policies, technical descriptions, patch management, MFA, network segmentation, encryption, monitoring, and incident detection. Audits, penetration tests, and periodic checks are also part of this demonstrable evidence.

3. Prepare yourself for critical customer questions

What is currently a security questionnaire will soon become a legal obligation. Questions such as: "What security measures do you take?", "Is MFA mandatory everywhere?" or "What certifications do you have?" will become standard. An ISO 27001 or NIS2 Supply Chain certificate (formerly NIS2 Quality Mark) can provide proof of this.

Supplier management roadmap: what should you do?

NIS2 requires IT service providers to assess, monitor, and record their suppliers and subcontractors. This involves at least the following five steps:

1. Inventory of suppliers

Make a list of all suppliers, what services they provide, what access they have, what data they process, and how critical they are to your services.

2. Risk analysis per supplier

Not every supplier poses the same risk. For each supplier, determine its security level, the impact of a hack or malfunction, whether it is a single point of failure, and whether it processes personal data or critical data. For example: an MSP that relies on a single Remote Monitoring and Management (RMM) tool (software that allows IT teams to remotely monitor, manage, and maintain computers, servers, networks, and other devices without having to be physically present) must assess how the chain will be affected if that tool is misused (as in the case of Kaseya).

3. Lay down security requirements contractually

Consider MFA, patching, reporting requirements, data retention, encryption, logging, and exit agreements. Support the measures with ISO 27001, SOC2, or other standards.

4. Periodic audits and assessment

Demonstrate that suppliers continue to comply. Annual self-assessments, audit reports, or verification interviews serve this purpose.

5. Documentation, documentation, documentation

Keep track of everything: supplier lists, risk analyses, contracts, evaluations, measures, and audit reports. Without evidence, there is no compliance within NIS2, because you must be able to demonstrate everything.

NIS2 practical examples

Chain responsibility: An MSP manages systems for 120 customers. If the RMM tool is misused and ransomware is installed, the MSP must be able to demonstrate how access was secured, whether MFA was mandatory, how logging and segmentation were set up, and that there was no negligence.

Supplier management: An IT service provider uses an external data center. Under NIS2, it must assess whether the data center is ISO 27001 certified, require incidents to be reported within 24 hours, document what data is stored there, and check annually whether everything still complies.

Why this is important for thousands of companies

In the Netherlands, an estimated 10,000 organizations fall under NIS2. They must assess their entire supply chain. This means that tens of thousands of suppliers—including many IT service providers—will be checked for cybersecurity. Without demonstrable security or chain control, you run the risk of disappearing from the chain.

Achievable certifications: ISO 27001 & NIS2 Supply Chain

ISO 27001 is recognized proof of good cybersecurity, but can be burdensome and costly for smaller IT companies. That is why there is also the NIS2 Supply Chain certificate (NIS2 SC): a more practical and affordable alternative, specially developed for NIS2 compliance without full ISO scope.

For customers, it is particularly important that you can demonstrate that you comply with the NIS2 requirements. ISO 27001 or the NIS2 Supply Chain certificate (NIS2QM) can prove this. NIS2QM is often a realistic first step for smaller organizations.

In summary: NIS2 has an impact on IT service providers

For IT service providers, NIS2 represents a structural change. You become a critical link in the digital chain and must be able to demonstrate this. Chain responsibility and strict supplier management are key.

Start today by gaining insight into your risks, getting your documentation in order, and demonstrating your measures. This will allow you to remain a reliable link for your customers and prevent problems in the chain. Want to know more? Schedule a free, no-obligation consultation with us below!

Kilian Houthuijzen
Commercial manager & partner