If your biggest client recently sent you a security questionnaire, you already know something has shifted. That questionnaire almost certainly exists because of NIS2, DORA, or both — your client is under regulatory pressure to manage their supplier risk, and you are now part of what they have to manage.
But supply chain cyber risk cuts both ways. You are both a supplier to regulated organisations and a buyer of IT products and services. Both directions come with obligations under EU law.
Why Supply Chain Is the Central Issue in NIS2 and DORA
Both NIS2 and DORA are responses to a lesson regulators learned from a series of high-profile incidents: breaches don't only happen through the front door of the target organisation. They happen through software vendors, managed service providers, cloud infrastructure providers, and specialist subcontractors who have deep access to client systems.
NIS2 and DORA both draw the same conclusion: organisations cannot be considered secure if they do not actively manage the security of their supply chains.
Two Audiences, Two Sets of Questions
If You Supply to Regulated Entities
If your clients include banks, financial services firms, healthcare providers, energy companies, transport operators, or public sector bodies, some of them are now directly in scope for NIS2 or DORA. They are required to assess and manage the cyber risk you represent as a supplier.
This means you will receive security questionnaires. You may be asked to provide evidence of security certifications. You may be asked to agree to contractual security clauses, accept right-to-audit provisions, or demonstrate that you have your own supplier risk management process.
If You Buy from IT Suppliers
If your business relies on cloud services, managed IT support, SaaS platforms, or specialist software vendors, you have dependencies that represent risk. NIS2 and DORA both require in-scope organisations to understand and manage that risk. If your business is itself in scope for NIS2, you cannot outsource your security obligations to your IT provider — you remain accountable.
What NIS2 Article 21 Actually Says
NIS2's core security requirements are set out in Article 21. Among the mandatory measures for in-scope entities is "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."
In practical terms, this means:
- Identifying which suppliers and service providers have access to your systems, data, or infrastructure
- Assessing the security practices of those suppliers, especially the most critical ones
- Including security requirements in contracts with suppliers
- Monitoring supplier security on an ongoing basis, not just at onboarding
The core obligation is already in force: if you are an Important or Essential Entity under NIS2, you must have a supplier risk management process.
What DORA Adds for Financial Services
DORA applies specifically to financial services firms operating in the EU — banks, insurance companies, investment firms, payment institutions, and others. If any of your clients are in financial services, DORA is almost certainly driving their requirements of you as a supplier.
DORA requires financial entities to: maintain a register of all ICT third-party service providers; classify those providers by criticality; conduct due diligence before onboarding and on an ongoing basis; include mandatory contractual provisions covering security, audit rights, business continuity, and exit rights; and notify regulators when they enter into arrangements with "critical ICT third-party providers."
Practical Steps for Irish SMEs
Tier Your Suppliers by Criticality
Not all suppliers are equal. Start by listing every supplier that has access to your IT systems, data, or physical premises, then classify them:
- Critical: system access, data processing, cloud infrastructure, managed services
- Important: supporting services with some access or dependency
- Low: minimal access, easily replaceable
Apply proportionate due diligence at each tier.
Run Security Questionnaires for Critical Suppliers
For your critical suppliers, a security questionnaire establishes a baseline. The questionnaire should cover: access controls, patch management, incident response capability, data handling practices, business continuity, and whether the supplier has their own supplier risk management process.
Build Security Requirements into Contracts
At minimum, contracts with critical IT suppliers should include:
- A requirement to maintain reasonable security practices
- A notification obligation if the supplier suffers a security incident that may affect you
- The right to request evidence of security controls
- Data processing obligations aligned with GDPR where the supplier handles personal data
- Exit and data return/deletion provisions
Most Irish SMEs have contracts with IT suppliers that contain none of these provisions. Adding them on renewal is reasonable and expected.
Respond to Your Clients' Requirements Proportionately
If a client's questionnaire requests evidence of controls you have in place, document and provide it. If it requests controls you don't yet have, be honest about your roadmap. A credible improvement plan is acceptable. No security programme at all is not.
Where to Start
A structured risk assessment — covering your supplier dependencies and your clients' third-party risk requirements — takes one to two days and gives you a clear picture of what you actually need to do. Get in touch to discuss your supply chain risk position.
James McGee, CISA, CISSP, CISM, is the founder of Pragmatic Security. He advises Irish SMEs on NIS2 compliance and practical cybersecurity risk management.