The NIS2 supply-chain duty of care: what does your large customer ask of you?
Published on May 12, 2026
Your own organisation may not fall under NIS2 itself, but you do supply software, hosting, advice or components to a hospital, a grid operator, a municipality or a large industrial party. If so, there is a good chance that you have recently received a questionnaire, a supplier assessment or an amended contract on your desk. That is no coincidence. That is the supply-chain duty of care under NIS2 moving through the chain — all the way to you.
What are NIS2 and the Cybersecurity Act?
NIS2 is the revised European directive for network and information security. The Netherlands transposes that directive into the Dutch Cybersecurity Act (Cyberbeveiligingswet). The law requires organisations in essential and important sectors — think energy, drinking water, healthcare, digital infrastructure, transport and government — to take appropriate technical and organisational measures, report incidents and hold their board accountable for cybersecurity. A lot of nonsense circulates around these obligations; what the law does and does not require — and when the Cybersecurity Act takes effect — is laid out in what the NIS2 supply-chain duty of care really requires.
The reach is broad. It is estimated that tens of thousands of organisations are affected directly and indirectly. Directly: the organisations that fall under the law themselves. Indirectly: the many SME suppliers and freelancers that supply those organisations. After all, a party subject to NIS2 may not ignore the risks in its supply chain.
Why the supply-chain duty of care affects you too
One of the less visible but far-reaching parts of NIS2 is the duty of care for the supply chain. NIS2 organisations must assess the security risks of their suppliers and service providers and set appropriate requirements for them. An attacker who cannot get in through the hospital's front door is, after all, only too happy to get in through a supplier with a hole.
In practice that translates into concrete questions for you:
- How do you keep your systems and domains current and patched?
- How do you know you do not have outdated software or open admin panels exposed to the internet?
- How do you demonstrate that you look at vulnerabilities structurally — and not just once a year?
- How do you manage TLS certificates, DNS and access to your environment?
What does such a question look like in a real Vendor Security Assessment? For example:
"Describe your process for patch management and vulnerability management. Indicate within how many days critical vulnerabilities in internet-facing systems are remediated, and attach evidence of the most recent vulnerability scan. Also confirm whether Multi-Factor Authentication is enforced on all systems from which [customer name] data can be accessed."
So it is rarely about a formal NIS2 certificate. It is about being able, as a supplier, to demonstrate that your digital basics are in order. That is called basic cyber hygiene, and it is well within reach for SMEs. How to answer this kind of question convincingly is covered step by step in how do you answer a NIS2 supplier questionnaire.
What a small supplier can do in practice
You do not have to set up a security department to be a credible supplier. Start by making visible what is exposed at the outside of your organisation. A good first step is understanding what an attacker sees of your domain: which ports are open, is outdated software running, are there forgotten subdomains?
Concrete, affordable measures you can take today:
- Map your attack surface. You can only protect what you know about.
- Monitor for vulnerabilities structurally, not occasionally. The internet changes daily; a snapshot ages quickly.
- Patch and remediate what you find, and record what you have done.
- Keep evidence. Reports with a date and a finding are exactly what a purchaser or CISO wants to see.
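The four measures above, and the assessment question quoted earlier ("within how many days are critical vulnerabilities remediated, and attach evidence"), boil down to one bookkeeping problem: for every finding, know when it was found, when it was fixed, whether that met your own target, and be able to hand over a dated record that cannot quietly be edited afterwards. The script below is an added example written for this article, not Exposentry's or OpenKAT's code. The per-severity remediation targets in `SLA_DAYS` are a hypothetical policy and the findings in `SAMPLE_FINDINGS` are constructed, not real scan output.

```python
"""Findings ledger: turns a list of scan findings into the two things a supplier
questionnaire asks for -- remediation time measured against a per-severity target,
and a dated, hash-sealed evidence record you can attach to your answer.
Added example; not part of any product. Targets and sample data are made up."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date

# Hypothetical remediation targets in days, per severity. Replace with your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str            # one of the SLA_DAYS keys
    found: date              # date the scan first reported it
    fixed: date | None = None  # None means the finding is still open


def days_open(f: Finding, today: date) -> int:
    """Days between discovery and fix, or between discovery and today if still open."""
    return ((f.fixed or today) - f.found).days


def sla_status(f: Finding, today: date) -> str:
    """Classify a finding against its target: fixed/open, within/over the limit."""
    within = days_open(f, today) <= SLA_DAYS[f.severity]
    if f.fixed is not None:
        return "fixed_in_sla" if within else "fixed_late"
    return "open_in_sla" if within else "open_overdue"


def sla_summary(findings: list[Finding], today: date) -> dict:
    """Counts per status plus the oldest open finding per severity -- the numbers
    behind the 'within how many days' answer on a questionnaire."""
    counts: dict[str, int] = {}
    oldest_open: dict[str, int] = {}
    for f in findings:
        status = sla_status(f, today)
        counts[status] = counts.get(status, 0) + 1
        if f.fixed is None:
            oldest_open[f.severity] = max(oldest_open.get(f.severity, 0), days_open(f, today))
    return {"counts": counts, "oldest_open_days": oldest_open}


def evidence_record(findings: list[Finding], today: date, scanner: str = "constructed-sample-scanner") -> dict:
    """Dated, canonical JSON record sealed with a SHA-256 digest, so the report you
    attach can later be shown to be the same one you generated on that date."""
    rows = []
    for f in sorted(findings, key=lambda x: (x.host, x.title)):
        row = asdict(f)
        row["found"] = f.found.isoformat()
        row["fixed"] = f.fixed.isoformat() if f.fixed else None
        row["status"] = sla_status(f, today)
        rows.append(row)
    body = {"generated": today.isoformat(), "scanner": scanner,
            "findings": rows, "summary": sla_summary(findings, today)}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"record": body, "sha256": hashlib.sha256(canonical.encode()).hexdigest()}


def verify_record(sealed: dict) -> bool:
    """Recompute the digest over the record; a purchaser can do this independently."""
    canonical = json.dumps(sealed["record"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest() == sealed["sha256"]


# Constructed sample data for one small supplier's internet-facing estate.
SAMPLE_TODAY = date(2026, 5, 12)
SAMPLE_FINDINGS = [
    Finding("www.example.com", "TLS certificate expires within 14 days", "medium", date(2026, 4, 20)),
    Finding("admin.example.com", "Admin panel reachable from the internet without MFA", "critical", date(2026, 4, 28)),
    Finding("vpn.example.com", "Outdated VPN appliance firmware", "critical", date(2026, 4, 1), date(2026, 4, 5)),
    Finding("old.example.com", "Forgotten subdomain pointing at an unused host", "high", date(2026, 3, 1), date(2026, 4, 15)),
]

if __name__ == "__main__":
    sealed = evidence_record(SAMPLE_FINDINGS, SAMPLE_TODAY)
    print(json.dumps(sealed, indent=2))
    print("digest verifies:", verify_record(sealed))
```

With the sample data the summary reports one critical finding open for 14 days against a 7-day target, which is exactly the kind of number a purchaser will ask you to explain; the point of the ledger is that you know it before they do. Storing each sealed record alongside the raw scanner output gives you the dated, reproducible evidence trail the questionnaire asks for.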
Demonstrate, don't assert
The difference between "we do security" and "here is our report from last month" is enormous. A large customer that takes its own supply-chain duty of care seriously wants defensible evidence in hand. Periodic, documented scans of your domain and infrastructure deliver exactly that.
Important to be honest about: a scan does not make you "NIS2-compliant". NIS2 asks for more than technology — think governance, risk management, incident reporting and board accountability. But scanning is a necessary building block and delivers defensible evidence for vulnerability management and the supply-chain duty of care. We explain that distinction further in scanning is not NIS2 compliance.
How Exposentry fits in
Exposentry gives you that evidence layer without you having to run a scanner yourself. We map your domain and infrastructure, monitor for vulnerabilities and deliver reports that you can submit directly to your client. No grand compliance promises — just sober, substantiated findings that show your basics are in order.
Want to know which approach suits your organisation? See the plans and pricing or start straight away with a first scan. A small investment that makes the conversation with a large customer a lot easier.
Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides NL-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.