NIS2 and the End of Static Supplier Risk Management

NIS2, the EU's updated cyber security directive, marks a turning point for supplier risk management by turning continuous assurance into an operational necessity.

NIS2 changes what regulators expect from third-party risk management. Earlier rules asked organisations to have a process. NIS2 demands that they prove it is working, and that they monitor their suppliers’ security postures continuously.

That breaks the model most organisations still run. A large enterprise may manage anywhere from 500 to 5,000 suppliers, yet most still assess them on an annual cycle. The questionnaire is completed, the answers are filed, and the file stands as evidence until the next review. Between cycles the suppliers' security changes and their record does not.

A supplier security assessment completed nine months ago does not demonstrate current oversight. Under NIS2, static supplier risk management becomes operationally unworkable at scale, and meeting the directive means moving from periodic assessment to continuous supplier assurance, where risk is visible and evidenced as it changes.

What NIS2 Actually Requires From Supply Chain Security Teams

NIS2 covers 18 sectors across the EU, from energy and transport to banking, health, digital infrastructure and public administration. Within them, essential and important entities are accountable for the security of their direct suppliers, not only their own systems. The NIS2 compliance requirements expect security teams to show ongoing oversight, risk-based prioritisation, evidence behind each decision and fast reporting when a supplier is hit. An annual reassessment demonstrates none of that.

NIS2 expands accountability beyond internal systems

Under NIS2, a supplier's weakness is the organisation's liability. Software providers, cloud platforms and outsourced services count as part of its own risk surface, and senior management is personally accountable, as Risk Ledger's NIS2 breakdown sets out. The practical gap is visibility. Most leadership teams cannot map the external dependencies they now answer for.

The operational reality of NIS2 reporting expectations

NIS2 sets tight clocks. An entity must send an early warning within 24 hours of a significant incident and a fuller report within 72 hours. When a supplier is the source, the entity has to identify which of its suppliers are affected and prove it had been overseeing them, fast. That is close to impossible when the data sits across spreadsheets, email threads and disconnected tools.

Why Traditional TPRM Cannot Meet Continuous Monitoring Expectations

NIS2 third-party risk management cannot run on a once-a-year snapshot. Traditional TPRM takes one anyway. The supplier completes an annual supplier security assessment, the organisation files it, and the risk picture freezes until the next review. Supplier environments do not freeze. A supplier assessed in January may onboard a new subcontractor in March, migrate infrastructure in May and suffer a security incident in August. By the time the annual reassessment comes round, the profile on file bears little resemblance to the supplier as it now operates.

Supply chain attacks are rising while supplier ecosystems grow more complex, yet most assessment models have changed little in a decade. The gap between how fast supplier risk moves and how often organisations look at it keeps widening.

The maths problem behind periodic assessments

Take an entity with 1,500 suppliers and an annual reassessment rule. Reviewing all of them once a year already means about 125 assessments every month, each pulling in several stakeholders and a round of chasing missing evidence. The quarterly cadence many supervisors now expect pushes that toward 500 a month, before any remediation work begins.

Manual questionnaires make it worse. Security teams spend weeks chasing responses, validating evidence and normalising answers across different formats. The data that comes back is hard to compare between suppliers and already partly out of date by the time the assessment closes. No team sustains that by hand at the quality NIS2 expects, and beyond a certain scale the organisation cannot see its own supplier risk however many analysts it adds.

Static assessments create false confidence

A completed questionnaire feels like assurance. It records that an assessment happened on a date. Whether the supplier is secure now is a separate question it cannot answer. Static supplier risk management produces artefacts that age fast. IBM's 2025 Cost of a Data Breach report found breaches contained within 200 days cost around $3.87 million on average, against $5.01 million for those that ran longer, so the slower an organisation is to notice a supplier compromise, the more it pays.

Evidence, Auditability and Accountability Gaps in Legacy Approaches

NIS2 supervisors ask for evidence, not assurances. An entity has to show ongoing oversight, remediation that was followed through and decisions made on a risk basis. When assessments live in email, scores in spreadsheets and remediation in someone's inbox, there is no single trail of what was reviewed, what was found and what was done.

Why boards are demanding real-time supplier risk visibility

Boards now ask for current supplier exposure, because they are accountable for it. A board increasingly expects a CISO to answer, on the day, which critical suppliers carry the most risk, which of them depend on the same cloud provider, which have remediation overdue, and which would be affected if one major platform provider were compromised. Most traditional programmes cannot answer those questions without manually assembling data from several systems first, and by then the answer has moved on.

Auditability requires operational evidence, not spreadsheets

Documenting that an assessment took place is not the same as showing oversight over time. An auditor wants the history of when the supplier was reviewed, what changed and how the organisation responded. Spreadsheets capture a moment. Active oversight needs evidence that accumulates as the supplier is monitored, not a file pulled out of a cabinet before an audit.

Supplier Complexity Under NIS2 Reporting Obligations

Organisations rarely depend on one supplier in isolation. A supplier runs on a cloud platform that depends on other providers and serves hundreds of other organisations at once, and NIS2 holds the entity responsible for risk travelling through those layers. ENISA's 2025 Threat Landscape records software supply chain attacks among the EU's top threat categories, with state-aligned groups hitting the shared providers critical sectors depend on.

Why fourth-party risk becomes a regulatory problem

NIS2 makes direct suppliers an explicit duty, and the EU-level risk assessments reach further into critical supply chains. Concentration is the sharp edge. If 40 of an organisation's suppliers run on the same cloud region, one compromise there takes out all 40 at once. That is the fourth-party problem: securing the suppliers that an organisation's own suppliers rely on. Verizon's 2025 DBIR puts third-party involvement in breaches at 30%, much of it below the first tier.

Supplier ecosystems change faster than traditional governance models

Supplier relationships do not hold still. Suppliers merge, subcontract work, switch platforms and consolidate onto shared infrastructure through the year. A model that checks each supplier once a year always describes an arrangement that has already moved on.

The Shift From Assessment to Continuous Assurance

The answer to a continuous obligation is continuous supplier assurance. Rather than reassessing each supplier on a calendar, the organisation works from a supplier profile that updates as the supplier changes and watches it for shifts that matter. This is an operational capability NIS2 assumes, not a maturity aspiration. Continuous visibility, a central audit trail and faster incident response all follow from live data.

Continuous assurance creates operational resilience

Live supplier data changes outcomes, not just audit results. A new vulnerability in a supplier surfaces when it emerges, not at the next review, so the organisation can prioritise the most exposed suppliers now and coordinate a response while the incident is live. That is resilience earned through visibility.

Security teams need operational leverage, not more manual work

Continuous assurance has to cut the workload, or it will not hold. Asking analysts to chase 1,500 suppliers in real time would be worse than the annual cycle it replaced. The gain comes from shared profiles and automation. The supplier maintains its own profile and flags what changes in its controls, and analysts spend their time on the suppliers that need attention.

Why ASCS Becomes the Operational Compliance Layer for NIS2

Active Supply Chain Security (ASCS) is the operating model that makes continuous supplier assurance practical under NIS2. Suppliers maintain a single profile, shared across the organisations that rely on them, so the same assessment is reused rather than reissued by every customer. Monitoring runs against that profile continuously, remediation is tracked to closure rather than noted and lost, and every change leaves a timestamped audit trail.

That maps onto what NIS2 asks for. ASCS, the model Risk Ledger is built around, gives security teams live supplier visibility, evidence that accumulates as suppliers are monitored, and reporting that reflects the supplier base as it is now rather than as it was last year. The questions a board or a supervisor asks can be answered from current data instead of a manual roll-up.

Moving from reactive compliance to active risk management

The shift is from passing audits to managing risk. Reactive compliance produces artefacts for the next inspection. Active risk management uses the same data to catch a supplier problem early and act on it. Under NIS2 the two converge, because the evidence regulators want is the evidence that makes an organisation more resilient.

NIS2 Marks the End of Static Supplier Risk Management

Periodic assessment was built for a slower supply chain. It cannot scale to ecosystems of hundreds or thousands of suppliers that change every week, and it cannot produce the current evidence NIS2 expects. Under the directive, static supplier risk management is no longer workable as a primary model.

Continuous supplier assurance is becoming the operational baseline, where visibility, evidence and accountability decide whether an organisation can demonstrate oversight rather than assert it. An active, continuously assured approach to supplier compliance gives security leaders a model built for risk that moves in real time, which is the line between passing an audit and running a resilient supply chain.
