
To implement NIS2 access controls for supply chain security, map every direct supplier and service provider to the systems, accounts, privileges, authentication methods, and evidence records they use. Then enforce least privilege, MFA or continuous authentication where appropriate, privileged account controls, contract clauses, monitoring, and periodic access reviews.
NIS2 supply chain security is not a procurement exercise. It means translating every supplier relationship into enforceable controls over accounts, shared credentials, remote access paths, privileged actions, and logs.
According to Verizon's 2025 Data Breach Investigations Report, third-party involvement appeared in 30% of analyzed breaches. The 2026 DBIR shows the trend accelerating: third-party involvement now appears in 48% of confirmed breaches, a 60% year-over-year increase. At that trajectory, supplier access governance is no longer a first-tier risk you can defer.
The financial case is equally stark. IBM's Cost of a Data Breach Report 2025 puts the average cost of a supply chain compromise at $4.91 million — and these breaches take a combined 267 days to identify and contain. NIS2 Article 21 and the Implementing Regulation (EU) 2024/2690 make this an IAM mandate, not a vendor management question.
Your organization bears the regulatory responsibility for every access path you grant to an external party.
Key takeaways
- NIS2 supply chain security is an IAM mandate, not a vendor management question. Article 21(2)(d) makes your organization legally responsible for every access path granted to an external party — VPNs, APIs, SaaS admin consoles, CI/CD pipelines, and remote support tools included.
- Third-party breaches are accelerating. Verizon's 2026 DBIR puts third-party involvement at 48% of confirmed breaches — up from 30% the previous year.
- ENISA's 2025 guidance mandates Tier 1 MFA for all privileged vendor access. FIDO2 and WebAuthn are the only acceptable methods for supplier accounts with administrative or production-system access. SMS OTP is flagged for phase-out.
- Shared vendor accounts are a compliance gap. Named individual accounts, least-privilege RBAC, and just-in-time privileged access are the baseline — not optional hardening.
- Audit logs are the evidence, not the backup plan. Article 23's 24-hour early warning deadline cannot be met without immutable logs that show exactly what a vendor account did and when.
- Access revocation must be automatic and tied to contract lifecycle events. Manual deprovisioning tickets are too slow. When a supplier contract ends, access ends with it.
- The Supplier Access Control Record is the unit of accountability. One record per supplier relationship — access path, identity type, MFA tier, evidence — updated at every review cycle.
What NIS2 requires from supplier access controls
NIS2 Article 21 requires essential and important entities to take appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. Article 21(2) lists ten minimum measures. Five bear directly on supplier access governance.
| Article 21(2) point | Requirement | Supplier access implication |
|---|---|---|
| (a) | Policies on risk analysis and information system security | Supplier access risk must be assessed and documented as part of the entity's overall risk posture |
| (d) | Supply chain security, including security-related aspects concerning relationships with direct suppliers or service providers | Map every supplier to the systems and access paths they use; govern those relationships through policy and contract |
| (e) | Security in network and information systems acquisition, development and maintenance, including vulnerability handling | Supplier-managed systems, integrations, and code repositories fall within scope — including CI/CD pipelines and APIs |
| (i) | Human resources security, access control policies and asset management | Named accounts, role-based permissions, and asset-level access restrictions apply to supplier identities, not just internal staff |
| (j) | MFA or continuous authentication solutions, where appropriate | Remote, privileged, and production-system access by suppliers requires MFA or equivalent, proportionate to the risk |
The directive does not mandate a single tool or a universal MFA method. It requires measures that are appropriate and proportionate to the risk. For supplier access, that means identifying which external users, support accounts, APIs, and integrations can reach your critical assets — and then applying controls that match the sensitivity of what those paths expose.
Article 21(3) goes further: entities must account for vulnerabilities specific to each direct supplier and service provider, and the overall quality of their cybersecurity practices. That makes supplier identity and access governance a direct legal obligation, not a best-practice recommendation.
The Implementing Regulation (EU) 2024/2690 translates Article 21's high-level requirements into over 150 specific cybersecurity controls. For supplier relationships, it sets concrete expectations around access provisioning, privileged account management, and incident notification — moving the compliance question from "do you have a policy?" to "can you prove the controls are working?"
ENISA's 2025 technical implementation guidance treats supply chain security policy, access control policy, and privileged account policies as required topic-specific policies under the NIS2 framework.
The 5 essential access controls for NIS2 supply chain compliance
If a supplier has remote or privileged access, NIS2 supply chain security becomes an identity-control problem. The supplier relationship creates a direct path into your network and information systems.
Enforce strict role-based access control (RBAC)
Eliminate shared vendor accounts. Every supplier engineer who needs system access gets a named, individual account tied to their specific engagement. Generic "vendor" accounts make attribution impossible during an incident — and attribution is exactly what Article 23's 24-hour early warning requirement demands.
Apply least privilege at the role level: suppliers receive the minimum access required to perform their contracted duties, scoped to specific assets, not broad system segments. When the engagement changes, the permissions change with it.
Implement tier 1 MFA for privileged access
ENISA's 2025 technical guidance ranks MFA in three tiers. For any supplier granted administrative or privileged access, Tier 1 is the only acceptable option.
| ENISA MFA tier | Authentication method | NIS2 requirement context |
|---|---|---|
| Tier 1 (strongest) | FIDO2, WebAuthn, hardware security keys | Mandatory for all privileged and administrative vendor access. Phishing-resistant by design. |
| Tier 2 (medium) | TOTP authenticator apps, push notifications | Acceptable for standard vendor accounts without elevated privileges. |
| Tier 3 (weak) | SMS OTP, email OTP | Flagged for phase-out. Does not meet minimum thresholds for regulated environments. |
The practical implication: if your MSP support engineers authenticate via SMS to reach production systems, that is a compliance gap under the current ENISA guidance. Tier 1 methods are phishing-resistant because the cryptographic credential is bound to the specific domain — a phishing site cannot intercept it.
Deploy privileged access management (PAM) and credential vaulting
Just-in-time (JIT) access is the right model for third-party support teams. Elevated privileges are granted for a defined session, logged in full, and revoked automatically when the session ends. No standing access, no persistent privileged accounts that accumulate over years of vendor relationships.
For shared credentials that cannot be eliminated — emergency break-glass accounts, legacy system service accounts, shared API keys — use a credential vault with role-based permissions and a full audit trail. An enterprise password manager can centralize shared vendor credentials, restrict access by role, and retain the records an auditor will ask for.
Black Kite's 2026 Supply Chain Vulnerability Report, which analyzed over 48,000 CVEs published in 2025, found that attackers exploit vulnerabilities an average of seven days before public disclosure. Long-lived supplier credentials sitting in CI/CD pipelines or integration accounts are a standing invitation. Rotate API tokens on a defined schedule and revoke them immediately when a supplier relationship ends.
Maintain immutable audit logs
Article 23 sets strict incident reporting timelines: a 24-hour early warning, a 72-hour formal notification, and a comprehensive final report within one month. Meeting those deadlines without immutable audit logs is not realistic. The logs are the evidence — they show exactly what a vendor account did, when, and from where.
Logs must be tamper-resistant and retained long enough to support both internal investigations and supervisory requests. For supplier accounts specifically, capture authentication events, privilege escalations, session activity, configuration changes, and access to sensitive data. When an incident occurs, the question "what did this vendor account touch?" needs an answer in hours, not weeks.
Automate credential revocation
Tie supplier access directly to contract lifecycle events. When a vendor contract expires, is terminated, or when a named engineer leaves the supplier's team, access revocation must be immediate and automatic — not dependent on a manual ticket that someone remembers to raise.
Build a Supplier Access Control Record
A Supplier Access Control Record is the operational record that links a supplier relationship to specific access rights and the evidence that those rights are controlled. One record per supplier relationship. This is the unit of accountability.
The record answers the questions an auditor, a regulator, or your own incident response team will ask: who has access, to what, through which path, with what authentication, and who signed off?
| Field | What to record | Example |
|---|---|---|
| Supplier and owner | Supplier name and internal business owner | Cloud support provider — IT operations |
| Access path | VPN, ZTNA, SaaS admin, API, repository, remote support | Vendor VPN account |
| Identity type | Named user, shared account, service account, token | Named support engineer |
| Control | MFA tier, PAM approval, time limit, IP restriction, vault access | Tier 1 MFA plus privileged session approval |
| Evidence | Logs, access review, contract clause, ticket | Quarterly review record |
ENISA's 2025 guidance expects supply chain security policy to govern relationships with direct suppliers and service providers and to identify supplier roles: ICT supplier, managed service provider (MSP), managed security service provider (MSSP), and cloud provider.
Your records should reflect these distinctions. The risk profile of an MSP with privileged access to your infrastructure differs significantly from a SaaS vendor with read-only API access, and the controls should differ accordingly.
How to audit your current supplier access
Start with a full supplier mapping exercise. List every external connection: VPNs, APIs, SaaS admin consoles, remote support tools, CI/CD integrations, and repository access. For each connection, identify the identity type, authentication method, privilege level, and the internal owner accountable for that relationship.
Then work through this seven-point pre-audit supplier access checklist:
- Every supplier account is named — no shared generic credentials in use for privileged access.
- MFA tier matches the access sensitivity: Tier 1 for privileged, Tier 2 minimum for standard.
- All supplier accounts are provisioned through directory controls with automated deprovisioning.
- Vendor contracts include named-account requirements, MFA obligations, 24-hour breach notification, audit rights, and subcontractor disclosure.
- PAM or session logging covers all privileged supplier sessions.
- API tokens and service account credentials have defined rotation schedules.
- Access review cadence is documented: quarterly for critical suppliers, annually for all others, immediately after any termination or incident.
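As an added illustration (not code from the original article or from Passwork), the script below encodes the Supplier Access Control Record fields from the table above, runs a constructed sample register through the seven checklist points, and lists the suppliers whose contract end date means access must be revoked now rather than ticketed, as the automated-revocation section describes. The MFA tier mapping follows the ENISA tier table on this page; supplier names, dates and the `TODAY` audit date are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# ENISA MFA tiers as the article describes them: Tier 1 strongest, Tier 3 flagged for phase-out.
MFA_TIER = {"fido2": 1, "webauthn": 1, "hardware_key": 1,
            "totp": 2, "push": 2, "sms_otp": 3, "email_otp": 3}
TODAY = date(2025, 3, 1)   # constructed audit date for the sample run

@dataclass
class SupplierAccessRecord:        # fields follow the article's record table
    supplier: str
    access_path: str               # VPN, API, SaaS admin, CI/CD, remote support
    identity_type: str             # named, shared, service, token
    privileged: bool
    mfa_method: str                # key of MFA_TIER, or "none"
    session_logging: bool          # PAM approval / session recording in place
    rotation_days: int | None      # rotation schedule for machine credentials
    last_review: date
    contract_end: date | None      # contract lifecycle event driving revocation
    critical: bool = False         # quarterly review cadence when True

def check_record(r: SupplierAccessRecord, today: date) -> list[str]:
    """Return the checklist points this record fails (empty list = compliant)."""
    findings = []
    if r.privileged and r.identity_type == "shared":
        findings.append("shared credential used for privileged access")
    if r.identity_type in ("service", "token"):   # machine credentials rotate instead of MFA
        if r.rotation_days is None:
            findings.append("no rotation schedule for token/service credential")
    else:
        tier = MFA_TIER.get(r.mfa_method, 4)   # "none"/unknown ranks below Tier 3
        required = 1 if r.privileged else 2
        if tier > required:
            findings.append(f"MFA tier {tier} weaker than required Tier {required}")
    if r.privileged and not r.session_logging:
        findings.append("privileged sessions not covered by PAM or session logging")
    max_age = 90 if r.critical else 365
    if (today - r.last_review).days > max_age:
        findings.append(f"access review overdue (cadence {max_age} days)")
    if r.contract_end is not None and r.contract_end <= today:
        findings.append("contract ended: access must be revoked immediately")
    return findings

def audit(records: list[SupplierAccessRecord], today: date) -> dict[str, list[str]]:
    """Map supplier -> findings, keeping only non-compliant records."""
    return {r.supplier: f for r in records if (f := check_record(r, today))}

def revocations_due(records: list[SupplierAccessRecord], today: date) -> list[str]:
    """Suppliers whose contract lifecycle event has already fired: revoke, do not ticket."""
    return [r.supplier for r in records if r.contract_end and r.contract_end <= today]

# Constructed sample register: hypothetical suppliers, not real data.
REGISTER = [
    SupplierAccessRecord("CloudOps MSP", "vendor VPN", "named", True, "fido2", True,
                         None, date(2025, 1, 10), None, critical=True),
    SupplierAccessRecord("Helpdesk contractor", "remote support", "shared", True, "sms_otp",
                         False, None, date(2024, 1, 5), None, critical=True),
    SupplierAccessRecord("Analytics SaaS", "API", "token", False, "none", False,
                         None, date(2024, 12, 1), date(2025, 2, 15)),
]

if __name__ == "__main__":
    print(audit(REGISTER, TODAY), revocations_due(REGISTER, TODAY))
```

Each finding maps to one checklist point, so the output of `audit` is the gap list to attach to the record as review evidence.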
Update vendor contracts to include explicit 24-hour breach notification clauses and audit rights if they do not already contain them. ENISA's 2025 guidance states that contracts or SLAs should cover cybersecurity requirements, incident notification duties, vulnerability handling, subcontracting requirements, and termination obligations.
The cost of non-compliance: fines and personal liability
Essential entities face maximum fines of up to €10 million or 2% of global annual turnover under NIS2, whichever is higher. Important entities face up to €7 million or 1.4% of turnover. These are administrative maximums — regulators apply proportionality — but they are the ceiling your board needs to understand.
Article 20 goes further. It establishes personal accountability for C-suite executives and management bodies. Executives can face temporary bans from holding management roles if their organization is found grossly negligent in its cybersecurity duties. The obligation to approve cybersecurity risk-management measures and oversee their implementation sits with management, not only with the IT team.
The connection to supplier access is direct. If a breach traces back to an uncontrolled vendor account — no MFA, no session logging, no deprovisioning after contract end — and management cannot produce evidence that controls were in place and reviewed, that is the scenario Article 20 was written for.
Put access requirements into supplier contracts and reviews
Access controls fail when supplier contracts do not define responsibilities. Translate ENISA's guidance into concrete contract clauses:
- Suppliers must use named accounts and enforce Tier 1 MFA for privileged or remote access.
- Credential sharing is prohibited.
- Suppliers must notify the customer of incidents without undue delay, and no later than 24 hours for significant incidents.
- Subcontractors requiring access must be disclosed and subject to equivalent controls.
- Suppliers must support log retention and audit requests.
- Information must be returned or deleted at contract termination.
Access reviews should follow a defined cadence: at minimum annually for all suppliers, quarterly for suppliers with privileged or production access, and immediately after an incident, contract change, role change, or termination.
Keep audit evidence for NIS2 compliance
Audit evidence is what separates a documented control from a claim. During an internal audit, a customer review, or a supervisory request, you need to produce records — not descriptions of what you intended to do.
Useful evidence includes: supplier register, access-control matrix, approved access requests, MFA enrollment reports, PAM approval logs, password vault permissions, API token rotation records, access review sign-offs, supplier contract clauses, incident notification records, vulnerability remediation tickets, and deprovisioning records.
Risk acceptance for supplier privileged access should have an accountable owner. That acceptance, and the controls in place, should be visible to management through periodic reporting — not buried in a spreadsheet that only the IT team can find.
10 steps to NIS2 supplier access compliance
Map supplier access, enforce controls, contract the obligations, monitor continuously, and keep evidence. The table below consolidates every implementation step into a single reference — use it as a working checklist, not a one-time exercise.
| Step | Control | What to do |
|---|---|---|
| 1 | Map supplier access | List every external connection: VPNs, APIs, SaaS admin consoles, CI/CD integrations, remote support tools. Assign an internal owner to each. |
| 2 | Create a Supplier Access Control Record | One record per supplier: access path, identity type, authentication method, privilege level, review cadence. |
| 3 | Enforce named accounts and RBAC | Replace shared vendor accounts with named individual accounts. Scope permissions to the specific engagement, not broad system segments. |
| 4 | Apply MFA by tier | Tier 1 (FIDO2/WebAuthn) for all privileged and remote access. Tier 2 (TOTP) minimum for standard accounts. Phase out SMS OTP. |
| 5 | Deploy PAM and credential vaulting | JIT access for privileged sessions, full session logging, vault for unavoidable shared credentials with role-based access. |
| 6 | Rotate and scan secrets | Define rotation schedules for API tokens and service account credentials. Scan repositories for exposed secrets. |
| 7 | Update supplier contracts | Include named-account requirements, Tier 1 MFA obligations, 24-hour breach notification, audit rights, subcontractor disclosure, termination obligations. |
| 8 | Conduct access reviews | Quarterly for critical suppliers, annually for all others. Immediately after any incident, contract change, or termination. |
| 9 | Maintain immutable audit logs | Capture authentication events, privilege escalations, session activity, and configuration changes for all supplier accounts. |
| 10 | Automate deprovisioning | Tie access revocation to contract lifecycle events. No manual tickets — revocation must be immediate and automatic. |
The Supplier Access Control Record ties rows 1 through 10 together: one document per relationship, updated at every review cycle, visible to management.
If your team manages shared vendor passwords or privileged supplier credentials, password sharing software for businesses like Passwork can help organize access, permissions, and audit evidence in one controlled environment. That is one component in a broader access-control program, not a substitute for the governance work described above.
Frequently asked questions

Does NIS2 require MFA for all supplier access?
NIS2 Article 21(2)(j) refers to MFA or continuous authentication "where appropriate," so a risk-based approach applies. ENISA's 2025 guidance mandates Tier 1 phishing-resistant MFA (FIDO2, WebAuthn) for all privileged and administrative access. Tier 2 methods are acceptable for standard accounts without elevated privileges. SMS and email OTP are flagged for phase-out in regulated environments.
What is the Implementing Regulation (EU) 2024/2690?
The Implementing Regulation 2024/2690 translates NIS2 Article 21's broad requirements into over 150 specific cybersecurity controls. For supply chain security, it sets concrete expectations around supplier access provisioning, privileged account management, and incident notification. It applies directly to DNS providers, cloud services, managed service providers, and other designated entity types.
Does NIS2 apply to subcontractors and fourth parties?
Article 21(2)(d) focuses on relationships with direct suppliers and service providers. Contracts should require subcontractor disclosure and flow-down of cybersecurity requirements wherever supplier access or service continuity depends on a subcontractor. ENISA's 2025 guidance supports this through its recommendations on subcontracting requirements in supplier SLAs.
What evidence proves supplier access controls are working?
Useful evidence includes supplier access records, MFA enrollment and login logs, PAM session approvals, contract clauses specifying access requirements, access review sign-offs with dates, deprovisioning tickets, and incident notification records. The combination demonstrates that controls exist, are applied, and are reviewed on a defined schedule.
How often should supplier access be reviewed?
Review all supplier access at least annually. For suppliers with privileged or production-system access, quarterly reviews are more appropriate. Trigger an immediate out-of-cycle review after any incident, contract change, personnel change on the supplier side, or contract termination.
What is a Supplier Access Control Record?
A Supplier Access Control Record is a per-relationship document that maps a supplier to the specific accounts, access paths, identity types, authentication controls, and evidence records associated with that relationship. It is the operational unit for proving that supply chain risk has been converted into enforceable access governance under NIS2 Article 21.





