
NIS-2 Suppliers: 2026 Audit Programme for Operators

Audit NIS-2 suppliers: risk classes A to D, contract clauses, audit practice and evidence duties for security and procurement leads from 2026.

Dr. Raphael Nagel (LL.M.) & Marcus Köhnlein
Investor & Author · Founding Partner

Any essential or important operator under NIS-2 audits its suppliers from 2026 against fixed rules. This article delivers the audit programme: scope, risk classes, contract clauses, audit workflow and documentation. For the full picture, see the NIS-2 compliance overview.

NIS-2 suppliers: what Art. 21(2)(d) actually requires

Article 21(2)(d) of the NIS-2 Directive names supply chain security as a standalone minimum measure. It ranks equal to risk analysis, incident handling and access control. It is not an annex; it is a primary duty.

In scope are all suppliers and service providers with access to the operator's network and information systems. Access does not only mean admin login. A maintenance technician with a USB stick at the engineering PC counts. A guard service with a master token at the server room counts.

The scope covers IT service providers, maintenance firms, cloud providers and physical security services. The split between cyber and physical dissolves here. A locking system with cloud uplink is both.

The assessment of the overall quality of each supplier's security practices is mandatory. The wording demands a full view of all security practices, not a certificate check. The specific vulnerabilities of individual suppliers must feed into the operator's risk management. The Federal Ministry of the Interior lists supplier management and third-party risk as a central pillar of NIS-2 implementation.

Which suppliers fall into the audit scope

Direct IT suppliers are in scope in every case: software vendors, managed service providers, cloud hosting and SaaS tools with data access, even where the contract predates NIS-2.

OT suppliers are often forgotten in practice. PLC manufacturers, maintenance firms for production lines, providers of remote access solutions. A remote maintenance tunnel from Siemens, ABB or a plant integrator is a supplier channel with full access.

Physical security is also in scope. Guard services, locking systems, video management, perimeter protection providers. As soon as these providers carry a key ring or feed cameras into the operator's network, they are suppliers in the sense of the directive.

Critical supply partners complete the list: power, cooling, telecommunications, backup power. What counts here is availability, not data access. The KritisV defines the thresholds above which operators must run a structured supplier audit.

Sub-suppliers of tier-1 partners belong in scope where data flow or system access exists. A subcontractor of a guard service who patrols the building alone at night is in fact a tier-1 risk.

Risk classification: which supplier needs which audit depth

Four classes are enough in practice. More differentiation costs effort without benefit.

Class A covers suppliers with full access to productive systems or personal data. Examples: the MSP that runs the SIEM. The cloud provider that hosts the SAP HANA database. The guard service that holds the key to the data centre. This class receives an annual on-site audit.

Class B covers suppliers with restricted system access or defined maintenance windows. Examples: the PLC maintenance technician who updates a line twice a year for four hours. The video analytics provider that only accesses a segmented stream. A self-assessment plus spot checks suffices here.

Class C covers suppliers without system contact but with physical site access. Examples: cleaning firm in the office wing, canteen operator, postal service. These provide an ISO 27001 certificate or equivalent evidence. For micro-providers a contractual commitment with a spot-check right is enough.

Class D covers pure material deliveries without access. Screws, packaging, office supplies. A ten-point basic questionnaire is enough.

The classification must be documented and reviewed at least annually. If a supplier shifts from material delivery to maintenance service, its class shifts. The supplier register is a living document.

Contract clauses for supplier contracts from 2026

Five clauses belong in every supplier contract in class A or B.

First: reporting duty of the supplier on security incidents within 24 hours to the client. This deadline is tighter than the 72-hour GDPR notification. It follows from the operator itself having to file an early warning to the BSI within 24 hours (Art. 23(1) NIS-2 Directive).

Second: audit right of the client or a commissioned third party without prior notice on suspicion. Scheduled audits run with lead time, incident-driven ones do not. This clause is awkward in negotiation and the most important one in a real incident.

Third: subcontractor clause requiring written approval before using further sub-suppliers with system access. Without this clause, control disappears past tier 2.

Fourth: evidence duty for technical and organisational measures under Art. 21 NIS-2, updated annually. A one-off proof at contract signing is not enough.

Fifth: right of termination on repeated breaches without compensation duty of the client. Without this clause the operator pays twice: first the regulator's fine, then the contractual penalty of the inadequate supplier.

Evidence the supplier must produce

An ISO 27001 certificate is the base currency. It gains value through the Statement of Applicability, which discloses the excluded controls. A certificate that excludes controls A.5.19 to A.5.23 (supplier relationships) is useless for NIS-2 purposes.

Sector-specific evidence is added on top. TISAX label for automotive suppliers. BSI C5 attestation for cloud providers. KRITIS audit under § 8a BSIG for operators of critical infrastructure that themselves act as supplier.

A working incident response process must be evidenced by documented exercises. A tabletop minute from the past twelve months is enough. An empty playbook without exercise proof is not.

The declaration on the use of critical components from third states under § 9b BSIG is mandatory for suppliers that install such components. Anyone delivering Huawei routers declares it in writing.

Current penetration tests for externally reachable systems must not be older than twelve months. [Source: BSI Technical Guideline TR-03116 or equivalent requirement to be inserted] The report itself need not be handed over, the management summary with remediation status does.

Audit practice: how an audit runs in 2026

Preparation starts with a supplier questionnaire of 60 to 90 items. Four weeks lead time is reasonable. Less leads to incomplete answers, more to deferral behaviour.

The remote audit follows. Review of policies, logs and certificates via a secure data room. Two auditors, half a day to a full day. This is where the need for an on-site visit is decided.

The on-site audit is mandatory for class A. Two auditors, one to two days. Technical spot checks (patch level, permissions, logging) and organisational spot checks (training records, contingency plans, key registers).

The findings report contains a maturity rating in four levels and a concrete remediation plan with deadlines. Maturity 1 means ad-hoc, maturity 4 optimised. Suppliers below maturity 2 in class A are not tenable.

The follow-up audit takes place after 90 days for critical findings, otherwise at the next annual audit. Critical are findings that would directly enable data exfiltration or system outage.

Physical security providers as NIS-2 suppliers

Guard services with key rings and access to server rooms are class A suppliers. This is still overlooked in many supplier registers. The reason: guard services were historically assigned to facility management, not IT security.

Classical staffing models show high turnover according to BDSW. That makes a reliable background check hard. Anyone equipping new staff with a master token every three months is in effect auditing a new workforce each quarter. That is barely manageable administratively.

Robotics patrol drastically reduces the number of audit-relevant persons with system access. Instead of twelve rotating guards per site, three fixed Quarero technicians run the service contract. The background check of these three persons is auditable and stable.

Quarero units operate on a documented patrol plan with a complete audit log. Every movement, every sensor value, every escalation is time-stamped. An auditor checks spot samples in one hour, not in one day. Details on the service layer are at Robotics-as-a-Service model and on the platform device at QR-3 for KRITIS perimeters.

The sensor stream data is held in DACH data centres, contractually auditable, without third-country transfer. That relieves the operator from Art. 28 GDPR duties and simplifies the NIS-2 supply chain audit in equal measure.

A single service contract replaces multiple subcontractor chains of classical guard services. A cost comparison is at guard service cost comparison.

Documentation and board liability

The supplier register is the central artefact. It contains classification, last audit date, open actions, contract expiry dates and named contacts. A table structure is enough for small operators, GRC tools become sensible from 200 suppliers upwards.

The quarterly report to the management board covers the top 20 suppliers by risk contribution and the risk trend over the previous quarter. Four pages suffice. More is not read.

The board is personally liable for the effectiveness of supplier management. The basis is the draft of the German implementing act. The draft KRITIS Umbrella Act (KRITIS-Dachgesetz) specifies the requirements for physical and organisational supplier control. The consequences for the management board are detailed at board liability under NIS-2.

Documented training of the procurement and IT security teams on NIS-2 requirements is mandatory. Once a year, with attendance list and learning check. A mandatory slide in onboarding is not enough.

Retention of all audit records is at least five years for regulatory review. [Legal basis to be inserted, e.g. § 8a BSIG or national implementing act] This covers contracts, questionnaires, audit reports, remediation plans and escalations. Structured filing is part of compliance, not an appendix. The operational implementation is in the KRITIS-Dachgesetz checklist 2026.

To set up the audit programme or restructure the guard service as a supplier, start with a pilot conversation with Marcus Köhnlein or directly via the contact page for KRITIS operators.
