When a Sligo manufacturing company discovered that its production scheduling software had been compromised through a third-party IT maintenance contractor, it took the firm four days to identify the source and another two weeks to verify that no production data had been exfiltrated. The contractor had no incident response procedure, no security monitoring, and no obligation — under their contract at least — to disclose the breach at all. NIS2 is designed to close exactly that gap. Under the directive, the manufacturing firm's obligation to assess and manage its suppliers' cybersecurity is now a legal requirement, not a commercial preference.
The Two Sides of Supply Chain Liability
NIS2 creates obligations that run in both directions. If your business is a covered entity under the directive — an essential or important entity — you are required to assess the cybersecurity practices of your critical suppliers and service providers. If you are a supplier to such an entity, you will increasingly face contractual demands to demonstrate that your own security posture meets a minimum standard.
The NCSC Ireland has confirmed that supply chain security is one of the ten mandatory measures under NIS2, and one of the areas where Irish businesses most frequently lack documented processes.[^1] The directive does not require you to audit every vendor, but it does require you to identify which suppliers are critical to your operations, understand how a compromise of their systems could affect you, and take proportionate steps to manage that risk.
For Irish SMEs that supply services to larger regulated organisations — cloud hosting, software development, managed IT support, facilities management with digital access — NIS2 compliance is now a commercial requirement as much as a regulatory one. Your customers who are themselves regulated will require you to demonstrate adequate security as a condition of contract renewal.
Does your business know which of your suppliers poses the greatest cybersecurity risk, and what contractual protections you have in place if one is compromised? Book a free 20-minute strategy call — we will help you map your supply chain risk and identify the steps that matter most.
What the Directive Requires
NIS2 does not prescribe a specific audit methodology or certification requirement for all suppliers. It requires covered entities to implement a risk-based approach that is proportionate to the criticality of each supplier relationship. In practice, this means taking three sequential steps.
First, map your critical suppliers. Not all vendors are equal. The software provider that runs your production scheduling system is more critical than the stationery supplier. NIS2 requires you to identify the suppliers whose failure or compromise would significantly disrupt your operations, compromise your data, or affect your customers. Document this mapping and review it at least annually.
Second, assess their security posture. For each critical supplier, you need to understand what cybersecurity controls they have in place. This does not always mean an on-site audit. For most Irish SMEs, it means sending a structured questionnaire that asks about their incident response capability, data protection practices, access controls, and whether they have experienced any security incidents in the past year. The Data Protection Commission in Ireland provides guidance on what questions are proportionate for different supplier risk levels.[^2]
Third, embed security obligations in contracts. Your supplier agreements must include minimum requirements for data protection, incident notification timelines, and the right to audit if a significant incident occurs. NIS2 requires that suppliers notify you of security incidents that affect your organisation within a timeframe that allows you to meet your own 24-hour notification obligation to the NCSC Ireland. If your current contracts do not include this provision, they need to be updated.
The Incident Reporting Chain
One of the most operationally challenging aspects of NIS2 supply chain security is the incident reporting timeline. If a supplier is compromised and that compromise affects your systems or data, you are required to notify the NCSC Ireland within 24 hours of becoming aware of the incident — regardless of whether the breach originated with you or your supplier.
This means your supplier contracts must require rapid disclosure. An Garda Síochána's National Cyber Crime Bureau has noted that delayed breach disclosure by third-party providers is one of the most common factors that turns a manageable incident into a serious one.[^3] A supplier that discovers a compromise but waits three days to tell you has potentially destroyed your ability to meet your own reporting obligations.
Write the notification requirement into your supplier agreements in specific terms: any security incident that could affect your data or systems must be disclosed to you within 12 hours of discovery. This gives you time to assess the situation and meet the NCSC Ireland timeline.
Practical Steps for Irish SMEs
If you are a covered entity under NIS2 and have not yet addressed supply chain security, the starting point is a supplier inventory. List every third party that has access to your systems, your data, or your operational processes. This includes not only software vendors and managed IT providers but also cleaning contractors with out-of-hours access to office systems, accountants with access to financial platforms, and any consultant who connects to your network remotely.
Once you have the list, tier your suppliers by criticality and assess the highest-risk relationships first. Ask each one about their incident response procedure, their approach to employee security training, and their data protection policies. Where gaps exist, raise them with the supplier. Where gaps cannot be addressed, consider whether the relationship is appropriate given the risk exposure it creates.
For Irish SMEs that supply services to regulated entities, the same logic applies in reverse. Invest now in the controls your customers will require you to demonstrate. This means documented security policies, an incident response plan, and evidence of staff training. These are modest investments that significantly strengthen your position in contract negotiations and protect you from liability if a customer's data is affected through your systems.
Supply chain security under NIS2 is not just about protecting your own business. It is about your legal obligation to protect the businesses that depend on you, and to ensure the businesses you depend on meet a minimum standard of care.
Getting Started
The NCSC Ireland publishes practical supply chain security guidance designed for organisations at every scale. Start by reviewing their published resources on third-party risk management. Then conduct a supplier mapping exercise using your accounts payable records and IT access logs — these two sources together will give you a near-complete picture of who has access to your systems and data.
From there, prioritise your top five critical suppliers, send them a baseline security questionnaire, and update your contract templates to include the incident notification requirements NIS2 demands. The whole process, done efficiently, should take no more than a few focused weeks.
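The supplier mapping exercise described above (accounts payable records joined with IT access logs, then tiered by criticality) is easy to do badly in a spreadsheet, because vendors that are paid but have no technical access and accounts that have access but match no vendor tend to fall off the list. The following script is an added example, not code from the original article or from Pragmatic Security; the vendor names, account ids, log lines and the system and action weights are all constructed assumptions. It reconciles the two sources, scores each third party by what it can reach and what it can do there, and ranks the top five so you know who gets the questionnaire first.

```python
"""Supplier inventory reconciliation: join an accounts-payable vendor export with
IT access-log entries to list every third party that actually touches your
systems, then tier them by criticality.

Added example; not from the original article or from Pragmatic Security.
All vendor names, account ids, log lines and weights are constructed sample data.
"""
from collections import defaultdict

# Constructed accounts-payable export: vendor name -> (service category, annual spend EUR)
AP_VENDORS = {
    "Acme Scheduling Ltd": ("software", 42000),
    "NorthWest Managed IT": ("managed-it", 36000),
    "Clean&Bright Services": ("facilities", 9000),
    "Paper Supplies Co": ("stationery", 1200),
    "Ledger Accountants": ("accounting", 15000),
}

# Constructed mapping from external account ids to the vendor that owns them.
# In practice this comes from your identity provider or VPN account records.
ACCOUNT_OWNER = {
    "svc-acme-sched": "Acme Scheduling Ltd",
    "nwmit-admin": "NorthWest Managed IT",
    "cleanbright-kiosk": "Clean&Bright Services",
    "ledger-ext01": "Ledger Accountants",
    "consult-jdoe": None,  # remote consultant with no matching AP vendor
}

# Constructed access-log lines: timestamp, account, system, action
ACCESS_LOG = """\
2024-03-01T02:14:05Z svc-acme-sched prod-scheduler write
2024-03-01T08:30:11Z nwmit-admin domain-controller admin
2024-03-01T19:02:44Z cleanbright-kiosk office-wifi login
2024-03-02T10:11:09Z ledger-ext01 finance-platform read
2024-03-02T22:45:00Z consult-jdoe vpn-gateway login
2024-03-03T03:01:12Z nwmit-admin backup-server admin
"""

# Illustrative criticality weights (assumptions): higher means a compromise hurts more.
SYSTEM_WEIGHT = {
    "prod-scheduler": 5, "domain-controller": 5, "backup-server": 4,
    "finance-platform": 4, "vpn-gateway": 3, "office-wifi": 1,
}
ACTION_WEIGHT = {"admin": 3, "write": 2, "read": 1, "login": 1}


def parse_access_log(text):
    """Yield (timestamp, account, system, action) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, system, action = line.split()
        yield ts, account, system, action


def build_inventory(ap_vendors, account_owner, log_text):
    """Return {supplier_name: {"systems": set, "score": int, "in_ap": bool}}.

    Accounts seen in the logs with no matching vendor are reported under an
    UNKNOWN(account) key so the gap is visible rather than silently dropped.
    Vendors that are paid but never appear in the logs are kept at score 0:
    they have no technical access to assess.
    """
    inventory = defaultdict(lambda: {"systems": set(), "score": 0, "in_ap": False})
    for _, account, system, action in parse_access_log(log_text):
        owner = account_owner.get(account)
        key = owner if owner else f"UNKNOWN({account})"
        entry = inventory[key]
        entry["systems"].add(system)
        entry["score"] += SYSTEM_WEIGHT.get(system, 2) * ACTION_WEIGHT.get(action, 1)
        entry["in_ap"] = owner in ap_vendors
    for vendor in ap_vendors:
        if vendor not in inventory:
            inventory[vendor] = {"systems": set(), "score": 0, "in_ap": True}
    return dict(inventory)


def tier(score):
    """Map a score to the criticality tier used to order assessments (thresholds are assumptions)."""
    if score >= 15:
        return "critical"
    if score >= 5:
        return "important"
    return "low"


def top_suppliers(inventory, n=5):
    """Return the n highest-scoring suppliers as (name, tier, score) tuples."""
    ranked = sorted(inventory.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return [(name, tier(e["score"]), e["score"]) for name, e in ranked[:n]]


if __name__ == "__main__":
    inv = build_inventory(AP_VENDORS, ACCOUNT_OWNER, ACCESS_LOG)
    for name, t, score in top_suppliers(inv):
        flag = "" if inv[name]["in_ap"] else "  <- no AP record, investigate"
        print(f"{t:9} {score:3}  {name}{flag}")
```

On the constructed data the managed IT provider ranks first because it holds admin rights on the domain controller and backup server, the scheduling vendor second, and the unmatched consultant account is surfaced with a flag rather than lost. Replace the three constructed tables with your own AP export, identity-provider account list and access logs; the weights are the part you should argue about with whoever owns each system.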
Related Reading
- NIS2 for Irish SMEs: Your Obligations Explained
- NIS2 for Irish Transport and Logistics Companies
- Building a NIS2 Compliance Roadmap: A 12-Month Plan for Irish SMEs
[^1]: NCSC Ireland, NIS2 guidance for organisations: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: Data Protection Commission, guidance on third-party data processing obligations: https://www.dataprotection.ie
[^3]: An Garda Síochána, National Cyber Crime Bureau cybercrime resources: https://www.garda.ie/en/crime/cyber-crime/
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.