First: correct article, correct terminology
In older texts I often see two errors. The first is citing the wrong point: supply chain security is Article 21(2)(d), not 21(2)(c). Point (c) concerns business continuity, such as backup management, disaster recovery and crisis management.
The second is using NIS1 terminology. NIS2 refers to essential and important entities; "operators of essential services" is NIS1's legal term and no longer applies. It may seem picky, but it matters when dealing with the supervisory authority (European Union, 2022).
What Article 21.2 d actually requires
Article 21(1) sets the framework: essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems and to prevent or minimise the impact of incidents. Article 21(2) lists the areas those measures must cover. Point (d) concerns supply chain security, including the security-related aspects of the relationship between the entity and its direct suppliers and service providers.
The key point is that NIS2 does not mandate buying a specific service or tool. It requires managing risk in the chain. Article 21(3) adds that, when deciding which measures are appropriate, the entity must take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of their products and cybersecurity practices, including their secure development procedures (European Union, 2022).
Why this became the 'hot topic'
The reason is straightforward: attacks often arrive through the chain. ENISA analysed 24 supply-chain attacks reported between January 2020 and early July 2021 and found that in around 66% of them the attackers targeted the supplier's code in order to compromise the supplier's customers (ENISA, 2021).
In Sweden, MSB's report on digital supply chains showed that two-thirds of incidents reported by NIS providers from 2020 to June 2021 originated in a supply chain (MSB, 2021).
Swedish implementation: no longer theory
In Sweden, the Cybersecurity Act (2025:1506) and Cybersecurity Regulation (2025:1507) came into force on 15 January 2026. This makes the supply chain a matter for supervision, not just procurement (Swedish Parliament, 2025a; Swedish Parliament, 2025b; Government, 2026).
Common practical pitfalls
The most frequent mistake is performing a check at procurement and then leaving the chain unchecked. That is like taking the temperature of a cold-chain shipment at delivery and then switching off the thermometer.
The second most common error is confusing requirements with evidence. You write good requirements into the contract but have no routine for following them up: no telemetry from the supplier, no log review, no audits, no test of whether you can actually cut the supplier's access in an emergency. That is not control, it is hoping for the best.
What 'control' means without bureaucracy
Some might say: 'this is endless'. It doesn't have to be. The key is choosing a few things that genuinely reduce risk and applying them consistently.
I think of supply chain control as three building blocks.
· Know the chain and criticality.
· Set measurable requirements.
· Follow up during operation, always.
Knowing the chain means understanding which suppliers are critical to which services, what access paths they have into your environment (VPN accounts, API keys, administrative consoles, on-site access), and what happens to each service if a supplier disappears.
Measurable requirements means avoiding vague language and writing things that can be checked. Examples include multi-factor authentication on all administrative access, patch deadlines tied to vulnerability severity and the supplier's criticality, logs actually delivered to you, and incident notification within an agreed number of hours.
Following up during operation means actually asking for proof: not every day, and not from everyone, but on a schedule matched to criticality. This avoids both sovereignty theatre and compliance theatre.
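The three building blocks can be written down as a small register and a checker, so that "do we have control" becomes a question the machine answers on a schedule. The script below is an added example, not code from the original article or from any regulator; the criticality tiers, day counts, notification window and the supplier register are constructed assumptions for illustration, since NIS2 and the Swedish act set no such numbers. The point it makes is the one in the text: evidence that is missing or older than the review cadence is itself a finding, not a pass.

```python
"""Supplier control as code: know the chain, set measurable requirements,
follow up on a cadence tied to criticality. Added example with assumed values."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Assumed policy values for illustration only; not figures from NIS2 or the Swedish act.
REVIEW_INTERVAL_DAYS = {"critical": 90, "high": 180, "normal": 365}  # how often proof must be refreshed
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "normal": 90}          # max age of an unpatched critical finding
INCIDENT_REPORT_HOURS = 24                                             # agreed notification window
LOG_GAP_DAYS = 7                                                       # telemetry older than this counts as absent


@dataclass
class Evidence:
    """Proof actually collected from a supplier, dated when it was collected."""
    collected_on: date
    admin_mfa: bool                    # MFA enforced on administrative access
    worst_patch_age_days: int          # age of the oldest unpatched critical finding
    incident_report_hours: int | None  # observed time-to-notify in the last drill or incident
    logs_received_on: date | None      # last day telemetry from the supplier actually arrived


@dataclass
class Supplier:
    name: str
    criticality: str          # "critical" | "high" | "normal"
    services: list[str]       # our services that depend on this supplier
    access_paths: list[str]   # how the supplier reaches our environment
    evidence: Evidence | None = None  # None: requirement in contract, no proof on file


def evaluate_supplier(s: Supplier, today: date) -> list[str]:
    """Check one supplier against the measurable requirements. Missing or stale
    evidence is a finding in its own right: a clause without proof is not control."""
    findings: list[str] = []
    max_age = REVIEW_INTERVAL_DAYS[s.criticality]
    ev = s.evidence
    if ev is None:
        return [f"{s.name}: no evidence on file; a {s.criticality} supplier needs proof every {max_age} days"]
    age = (today - ev.collected_on).days
    if age > max_age:
        findings.append(f"{s.name}: evidence is {age} days old, cadence for {s.criticality} is {max_age} days")
    if not ev.admin_mfa:
        findings.append(f"{s.name}: MFA not enforced on administrative access ({', '.join(s.access_paths)})")
    sla = PATCH_SLA_DAYS[s.criticality]
    if ev.worst_patch_age_days > sla:
        findings.append(f"{s.name}: critical patch outstanding {ev.worst_patch_age_days} days, SLA is {sla}")
    if ev.incident_report_hours is None or ev.incident_report_hours > INCIDENT_REPORT_HOURS:
        findings.append(f"{s.name}: incident notification within {INCIDENT_REPORT_HOURS}h not demonstrated")
    if ev.logs_received_on is None or (today - ev.logs_received_on).days > LOG_GAP_DAYS:
        findings.append(f"{s.name}: no telemetry received in the last {LOG_GAP_DAYS} days")
    return findings


def single_points_of_failure(suppliers: list[Supplier]) -> dict[str, str]:
    """Know the chain: services that depend on exactly one supplier, i.e. what
    stops if that supplier disappears."""
    by_service: dict[str, list[str]] = {}
    for s in suppliers:
        for svc in s.services:
            by_service.setdefault(svc, []).append(s.name)
    return {svc: names[0] for svc, names in by_service.items() if len(names) == 1}


def review(suppliers: list[Supplier], today: date) -> dict[str, list[str]]:
    """Run the periodic review; findings keyed by supplier, empty list means in control."""
    return {s.name: evaluate_supplier(s, today) for s in suppliers}


# Constructed sample register; the suppliers and figures are invented for the example.
TODAY = date(2026, 3, 1)
SUPPLIERS = [
    Supplier("Hosting AB", "critical", ["patient-portal", "billing"], ["VPN", "admin console"],
             Evidence(date(2025, 10, 1), admin_mfa=False, worst_patch_age_days=21,
                      incident_report_hours=48, logs_received_on=date(2026, 2, 27))),
    Supplier("Backup Ltd", "normal", ["billing"], ["API key"],
             Evidence(date(2026, 1, 15), admin_mfa=True, worst_patch_age_days=10,
                      incident_report_hours=6, logs_received_on=date(2026, 2, 28))),
    Supplier("Old Vendor", "high", ["hr-system"], ["on-site"]),  # checked at procurement, never since
]

if __name__ == "__main__":
    for name, findings in review(SUPPLIERS, TODAY).items():
        print(name, "->", findings or ["in control"])
    print("single points of failure:", single_points_of_failure(SUPPLIERS))
```

Run on the sample register, "Hosting AB" produces four findings (stale evidence, no MFA, patch SLA breached, notification too slow), "Backup Ltd" none, and "Old Vendor" one finding purely because no proof has been collected since procurement. The single-point-of-failure map shows that patient-portal and hr-system each hang on one supplier, which is the dependency question the first building block asks.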
One point I want to be clear on: small businesses
NIS2 doesn't cover everyone. As a rule it applies to medium-sized and larger entities in the listed sectors; micro and small enterprises fall outside unless an exception applies, for example when the entity is the sole provider of a service essential for critical societal or economic activities, or for certain entity types such as DNS service providers and providers of public electronic communications networks, which are covered regardless of size (European Union, 2022). Whether covered or not, you will often be affected indirectly, because large customers will require chain control from you.
The important thing is not to confuse 'small' with 'no risk'. A small supplier can be a significant vulnerability if positioned right in the chain.
Conclusion
Article 21.2 d is, to me, one of the most business-relevant parts of NIS2. It forces a mature discussion on dependencies and responsibilities. It also does something useful: it shifts security from one-off checks to continuous control.
The cold chain is a good litmus test. If you only check at purchase, you don't really have control; you have a feeling. Feelings are nice, but they make poor incident plans.
References
ENISA. (2021). ENISA Threat Landscape for Supply Chain Attacks. European Union Agency for Cybersecurity.
European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union, L 333.
MSB. (2021). Threats to digital supply chains – 50 recommendations for improved cybersecurity. Swedish Civil Contingencies Agency.
Government. (2026). Cybersecurity: the new Cybersecurity Act and Cybersecurity Regulation came into force 15 January 2026.
Swedish Parliament. (2025a). Cybersecurity Act (2025:1506). Swedish Code of Statutes.
Swedish Parliament. (2025b). Cybersecurity Regulation (2025:1507). Swedish Code of Statutes.