
NIS-2 supply chain: duties for plant managers 2025

NIS-2 supply chain under Article 21: what plant managers must do, which suppliers are covered, and how to secure physical interfaces.

Dr. Raphael Nagel (LL.M.) & Marcus Köhnlein
Investor & Author · Founding Partner

The NIS-2 Directive has moved supply chain security onto the board agenda. Plant managers who used to leave supplier security to procurement have carried personal liability since 2024. The duty cannot be delegated. Whoever lets a maintenance contractor onto the site inherits that contractor's security gaps into their own compliance file.

This text is for plant managers of essential and important entities under NIS-2. It names figures, deadlines and concrete steps. You will not find marketing promises here.

NIS-2 supply chain: what Article 21 actually requires

Article 21(2)(d) of the NIS-2 Directive names supply chain security as a separate risk management measure. The duty ranks alongside patch management, access control and incident handling.

The scope is wider than often assumed. Direct suppliers, service providers with physical access to the plant site, and vendors of security-relevant components are covered. A cleaning service with a master key falls within scope. A logistics firm with daily gate access falls within scope. An IT maintenance contractor with remote access falls within scope.

The duty cannot be delegated. The operator is liable, even when the supplier fails. The BSI is the competent supervisory authority and reviews the evidence. Risk management must be documented, reviewed annually, and demonstrable to the BSI. Spot checks are not enough. A running register is required.

Physical access control at the plant perimeter is part of supply chain assurance. Anyone who reads NIS-2 as a pure IT topic misses half the duty. Gates, loading docks and maintenance airlocks are the underrated vectors.

Next step: read the NIS-2 compliance overview before setting up the supplier register.

Which suppliers fall under the NIS-2 duty

The question is not who holds a contract. The question is who has physical or digital access.

Maintenance firms with key or badge access to the plant site are covered. That applies to lift technicians as well as HVAC service. Logistics providers with regular gate access count as a risk interface, especially for night deliveries without guard escort.

Cleaning services on night shifts without escort are documentation-relevant contact points. They have access to offices, servers and production halls, often between 22:00 and 06:00. IT service providers with remote or on-site maintenance belong in the supply chain register, even when the contract sits with group IT.

Subcontractors of suppliers must be bound to equivalent contractual terms. Otherwise a control gap opens. When the cleaning firm brings in personnel from a subcontractor at short notice, the duty stays with the plant manager. Contract clauses for passing security requirements down the chain are not optional here.

Next step: request the supplier list from procurement and filter by access type.

Supply chain risk assessment: seven operational steps

Step 1: build a complete list of all suppliers with physical or digital access. Such a list typically holds 80 to 200 entries per plant.

Step 2: classify by criticality. Three dimensions: production stop relevance, data access, scope of physical access. A 3x3 matrix is enough.

Step 3: insert contract clauses on security standards, audit rights and reporting obligations. For existing contracts via supplementary agreement, for new contracts directly in the annex.

Step 4: secure physical handover points (gates, loading docks, maintenance airlocks) technically. This is where contract and reality meet. Without complete documentation at the handover, the contract clause is worthless.

Step 5: integrate incident reports from the supply chain into your own reporting to the BSI. The 24-hour deadline under NIS-2 starts when the operator gains knowledge, not when the supplier does (NIS-2 Directive Art. 23).

Step 6: annual audit of at least the most critical 20 percent of suppliers. On-site visit, not a questionnaire.

Step 7: transfer results into the risk register and present them to the management board in writing. The submission is part of the discharge of liability.
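As an added example (not code from the article or its authors), a minimal supplier register in Python that carries out Steps 1, 2, 5 and 6 above: it assumes the three criticality dimensions are each scored 1 to 3 and multiplied into one criticality value, rounds the 20 percent audit share up, and computes the BSI deadline from the operator's own knowledge. The supplier entries are constructed sample data.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Supplier:
    """One register entry (Step 1). Scores use an assumed scale: 1=low, 2=medium, 3=high."""
    name: str
    access_type: str        # "physical", "remote" or "both"
    production_stop: int    # Step 2, dimension 1: production stop relevance
    data_access: int        # Step 2, dimension 2: data access
    physical_scope: int     # Step 2, dimension 3: scope of physical access

    def criticality(self) -> int:
        # Assumption: the three scores are multiplied (1..27), so a 3 in any dimension dominates.
        return self.production_stop * self.data_access * self.physical_scope


def audit_shortlist(register, share=0.20):
    """Step 6: names of at least the most critical `share` of suppliers, highest first.

    The count is rounded up so that "at least 20 percent" holds for small registers too.
    Ties are broken by name so the shortlist is reproducible for the audit file.
    """
    count = max(1, math.ceil(len(register) * share))
    ranked = sorted(register, key=lambda s: (-s.criticality(), s.name))
    return [s.name for s in ranked[:count]]


def bsi_deadline(operator_knowledge: datetime) -> datetime:
    """Step 5: the 24-hour deadline runs from the operator's knowledge, not the supplier's."""
    return operator_knowledge + timedelta(hours=24)


# Constructed sample register; names and scores are illustrative, not real suppliers.
SAMPLE_REGISTER = [
    Supplier("Cleaning night shift", "physical", 1, 2, 3),
    Supplier("HVAC service", "physical", 3, 1, 2),
    Supplier("Lift technician", "physical", 2, 1, 1),
    Supplier("IT remote maintenance", "remote", 3, 3, 1),
    Supplier("Logistics gate deliveries", "physical", 2, 1, 2),
    Supplier("Canteen supplier", "physical", 1, 1, 1),
]

# Constructed timestamps: the supplier noticed the incident at night, the operator read the
# report the next morning. Only the second timestamp starts the 24-hour clock.
SAMPLE_SUPPLIER_DETECTED = datetime(2025, 3, 3, 22, 15, tzinfo=timezone.utc)
SAMPLE_OPERATOR_KNOWLEDGE = datetime(2025, 3, 4, 7, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("on-site audit this year:", audit_shortlist(SAMPLE_REGISTER))
    print("report to BSI by:", bsi_deadline(SAMPLE_OPERATOR_KNOWLEDGE).isoformat())
```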

Next step: KRITIS-Dachgesetz checklist 2026 for the overlap with the physical resilience duty.

Physical control: where supply chain and perimeter security converge

Over 60 percent of supplier-related security incidents occur at gates, ramps and maintenance access points. The IT supply chain is well documented, the physical supply chain often runs unsecured. That is the gap NIS-2 auditors open first.

Classic guard service for a 24/7 post costs 15,000 to 25,000 euros per month. BDSW industry data confirm high personnel turnover and wage pressure under the Manteltarifvertrag. Rounds between 22:00 and 06:00 are the most expensive shift and carry the weakest documentation.

Autonomous patrol with QR-2 documents every supplier movement with timestamp and thermal image. The monthly rental is 3,500 euros under the Robotics-as-a-Service model. QR-2 delivers complete audit trails, reproducible routes and immediate escalation on anomalies. Reception, conflict escalation with people, and lock-up duty stay with humans.

Complete audit trails are decisive in NIS-2 audits, not selective spot checks. A BSI auditor asks for documentation of the last twelve months. When the manual guard service has missed two of ten rounds, 20 percent of the evidence is missing.

Next step: compare the TCO of guard service against your own cost accounting.

Contract clauses that belong in every supplier agreement

Six clauses are non-negotiable. Without them the contract is not NIS-2 compliant.

First: duty to report security incidents to the operator within 24 hours. The deadline is tight because the operator itself has a 24-hour deadline to the BSI.

Second: audit right without prior notice on reasonable suspicion. Pre-announced audits are politically easier but rarely uncover real gaps.

Third: obligation to pass security requirements down to subcontractors. In writing, with evidence. Without this clause the operator is liable for every subcontractor it does not know.

Fourth: evidence of the supplier's own information security management system. ISO 27001 or equivalent. For small suppliers a self-declaration with checklist is acceptable, provided it is updated annually.

Fifth: return of all access means within 48 hours after contract end. Keys, badges, VPN credentials, tools. Most security gaps arise from access means not returned by former contractors.

Sixth: liability clause for damages from security breaches, regardless of degree of fault. Default liability under the German Civil Code (BGB) is not enough because it requires fault.

Next step: check existing contracts of the five most critical suppliers against this list.

Fines, board liability and personal responsibility

The fine ranges are substantial. Essential entities risk up to 10 million euros or 2 percent of group turnover, whichever is higher (NIS-2 Directive Art. 34). Important entities risk up to 7 million euros or 1.4 percent. Thresholds and sector classification follow from the KritisV.

The management board is personally liable for implementing risk management (NIS-2 Directive Art. 20). That is new compared with the ITSiG. The board cannot hide behind the CISO or plant manager.

A D&O policy often does not cover gross negligence in documented failures. If the supplier register is missing and an incident results, the insurer regularly declines. The policy protects against errors, not against omission.

Evidence of a working supply chain control discharges the management board in the audit case. Whoever runs the register, audits annually and documents incidents has a defensible file. Whoever does not, has no argument in case of doubt.

The KRITIS Umbrella Act draft (KRITIS-Dachgesetz) tightens the physical resilience duty in addition to NIS-2. Both regimes apply cumulatively.

Next step: board liability under NIS-2 for the management briefing.

NIS-2 supply chain assurance: the 14-week implementation plan

Week 1 to 3: inventory all suppliers with risk classification. Data sources: creditor list from procurement, IT contract partners and guard service subcontractors.

Week 4 to 6: contract amendments with the most critical 20 percent of partners. Six clauses, one supplement per contract. Ten to fifteen contracts per plant are realistic in this phase.

Week 7 to 9: technical upgrade of the physical interfaces. Gates with camera and timestamp, ramps with lighting and patrol, maintenance airlocks with four-eyes principle after 22:00.

Week 10 to 11: integration into the internal incident reporting system. The gatehouse must know which incidents go to whom within which deadline.

Week 12 to 14: first internal audit round and documentation for the BSI. Two audits per week are feasible. Documentation runs in parallel.

In parallel: training the gatehouse and security management on the new documentation duty. Two hours per shift are enough, provided a checklist exists.

Next step: evaluate QR-2 for 24/7 outdoor perimeter as a building block for weeks 7 to 9.

Immediate measures for plant managers: the next 30 days

Five tasks. None of them takes more than half a working day.

First: request the supplier list from procurement and filter by physical access. An Excel export is enough. The list is the basis for everything else.

Second: reconcile the five most critical suppliers with current contract status. Which clauses are missing? Which contracts expire and can be adjusted on renewal?

Third: mirror the perimeter security concept against supplier risk. Where do gaps open after 22:00? Where does a supplier walk into a critical area without escort? A walk-around with the security manager shows this in two hours.

Fourth: arrange a pilot discussion on autonomous patrol for the handover zones. A three-month pilot costs less than an additional guard post and delivers the documentation NIS-2 requires.

Fifth: inform the management board in writing about the status of the NIS-2 supply chain duty. One page is enough. Written information is part of the discharge in a liability case.

Whoever completes these five steps in 30 days has grasped the duty and begun the evidence file. Whoever waits risks a gap that no BSI audit closes retroactively.

For concrete implementation at the physical interfaces: request a QR-2 pilot for NIS-2 interfaces. We deliver the audit trail you can present to the BSI.
