NIS2 Cross-Border Supply Chain Obligations: A 27-State Map
NIS2 Article 21, supply chain obligations, cross-state operator coordination. How the directive's cross-border bite actually works.

Dr. Raphael Nagel
September 9, 2025

NIS2 is not a cybersecurity directive. It is a supply chain liability instrument with cybersecurity language attached.
The text reads as if Article 21 were the operative provision. In transposition practice across the twenty-seven Member States, the operative provisions are the ones that allow a competent authority in Helsinki to put a question to an operator in Lisbon about a supplier in Bratislava and to expect an answer within a defined window. That is what cross-border bite means. It does not mean harmonised enforcement, because the directive is not a regulation. It means that an operator whose service depends on a supplier in a second Member State now carries documentation, notification and risk management obligations that the supplier may not be subject to in the same form. The asymmetry is the point. The directive shifts the cost of supply chain hygiene from regulators to operators, and from operators to procurement.
This article maps how the cross-border mechanism actually works, where it is fragmented by twenty-seven national transpositions, and what an industrial operator with installations or suppliers in more than one Member State has to organise to stay defensible. It is written from the perspective of a manufacturer that has been on both sides of the relationship, as supplier of security technology to operators of essential and important services, and as operator of its own facilities subject to scrutiny.
What Article 21 actually says, and what national transpositions add
Article 21 of Directive (EU) 2022/2555 lists ten categories of measures that essential and important entities must implement. The list reads as a generic risk management catalogue, covering policies on risk analysis, incident handling, business continuity, supply chain security, secure acquisition, vulnerability handling, training, cryptography, human resources and access control. None of these categories is new in substance. What is new is the legal weight attached to them. They are no longer best practice from ISO 27001 or NIST CSF 2.0. They are a legal obligation, with management body liability attached in Article 20 and sanctions defined in Article 34. The directive establishes upper limits of administrative fines of at least ten million euros or two percent of total worldwide annual turnover for essential entities, whichever is higher, and seven million or one point four percent for important entities. National transpositions have taken these floors and built ceilings on top of them, with variation. Germany's NIS2UmsuCG, the Belgian law of 26 April 2024, the Italian Legislative Decree 138/2024 and the French ordinance of October 2024 all introduce national specifics in scope, notification timelines, registration procedures and the definition of management body responsibility. The Commission's implementing regulation (EU) 2024/2690, adopted on 17 October 2024, adds technical specifications for the categories of digital infrastructure entities listed in Annex I of the directive.
For supply chain in particular, Article 21(2)(d) requires that entities address security in the relationships with direct suppliers and service providers, including assessment of the cybersecurity practices of those suppliers and the quality of their products and services. Recital 85 makes clear that the assessment is to be commensurate with the risk. The Cooperation Group, established under Article 14, has issued coordinated risk assessments of critical supply chains, the first of which addressed 5G in 2019 and was followed by the supply chain security toolbox. These assessments are not legally binding on Member States, but they shape national supervisory expectations. An operator that cannot demonstrate that its supplier risk assessment considered the Cooperation Group's findings on a given sector is exposed at the next audit.
How twenty-seven transpositions create twenty-seven supervisory perimeters
The directive provides minimum harmonisation. Member States are free to adopt more stringent measures. They have done so, and they have done so in different directions. Germany has retained its sector-specific approach inherited from the original KRITIS regime under BSI-Gesetz, with thresholds defined in the KRITIS-Verordnung. Belgium has aligned closely with the directive text and assigned supervisory competence to the Centre for Cybersecurity Belgium. France has retained the distinction between OIV under the LPM and OSE under NIS2, creating overlapping but not identical perimeters. Italy has centralised supervision under ACN. Spain has distributed it across sectoral authorities under the coordination of CCN-CERT. The Netherlands has moved supervision into the Dutch Authority for Digital Infrastructure for some sectors and retained it under sectoral regulators for others.
The consequence for an operator with sites in five Member States is that the same Article 21 measure has to be documented in five formats, with five reporting destinations, five definitions of significant incident, and five sets of thresholds for when registration is mandatory. The directive's Article 26 establishes jurisdiction primarily on the basis of the place of main establishment, but the cross-border supervision rules of Article 37 require Member States to assist each other and to share information through the CSIRTs network and the European cyber crisis liaison organisation network EU-CyCLONe. The result is that information flows across borders, but obligations do not consolidate. An operator that is supervised in Member State A may receive a request from Member State B's authority about a supplier incident reported in Member State C. The operator's obligation is to answer all three in the form each requires.
The book BOSWAU + KNAUER. From Building to Security Technology argues that complexity is not the sum of components but the behaviour that emerges from their interaction. This is the textbook case. The directive's components are reasonable. Their interaction across twenty-seven supervisory perimeters produces a behaviour that no single national authority controls and that no single operator can predict. The defensible response is structural. Treat supply chain compliance as a single internal function with a single source of truth, then export views of that truth in the formats each supervisor requires.
Where supply chain obligations bite hardest
Three pressure points dominate in practice. The first is supplier identification. Article 21(2)(d) does not specify a depth of supply chain. National guidance, including the BSI's orientation papers and ENISA's technical guidelines under the implementing regulation, expects operators to map at least direct suppliers and to identify critical sub-suppliers where dependencies concentrate. The mapping is not a one-time exercise. It is a continuous register that has to track changes in ownership, jurisdiction, certification status and incident history. Operators that maintain this register only at the level of procurement contracts will fail the first serious audit, because the register has to reflect operational reality, not contractual reality. A supplier whose contract is dormant but whose remote access remains active is still a supplier in the security sense.
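The register described above has to be reconciled against operational reality, not just procurement's contract list. The following is an added example, not code from the article or from BOSWAU + KNAUER: it merges a constructed contract register with constructed remote-access records and flags suppliers with access but no contract, dormant contracts whose access is still in use, suppliers established in another Member State, and lapsed certifications. All record layouts and sample values are assumptions.

```python
# Added example (not the article's code): reconcile procurement's contract
# register with operational remote-access records. Sample data constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Contract:
    supplier: str
    status: str                  # "active" or "dormant"
    jurisdiction: str            # Member State code where the supplier is established
    cert_expiry: Optional[date]  # e.g. ISO 27001 certificate expiry; None if uncertified

@dataclass(frozen=True)
class AccessRecord:
    supplier: str
    system: str
    last_login: date             # last use of the supplier's remote access

def reconcile(contracts, access, as_of, operator_state, stale_days=90):
    """Return findings keyed by supplier name. Anyone with an operational
    footprint (an access record) is a supplier, contract or no contract."""
    by_name = {c.supplier: c for c in contracts}
    findings: Dict[str, List[str]] = {}

    def flag(name, text):
        findings.setdefault(name, []).append(text)

    for a in access:
        used_recently = (as_of - a.last_login).days <= stale_days
        c = by_name.get(a.supplier)
        if c is None:
            flag(a.supplier, f"access to {a.system} with no contract on record")
        elif c.status != "active" and used_recently:
            flag(a.supplier, f"dormant contract but {a.system} used on {a.last_login}")

    for c in contracts:
        if c.jurisdiction != operator_state:
            flag(c.supplier, f"established in {c.jurisdiction}, another supervisory perimeter")
        if c.cert_expiry is not None and c.cert_expiry < as_of:
            flag(c.supplier, f"certification expired on {c.cert_expiry}")
    return findings

# Constructed register for a German operator, evaluated on the article's date.
CONTRACTS = [
    Contract("AlphaRemote", "active", "SK", date(2026, 1, 31)),
    Contract("BetaMaint", "dormant", "PT", date(2024, 6, 30)),
    Contract("GammaCloud", "active", "DE", None),
]
ACCESS = [
    AccessRecord("AlphaRemote", "scada-vpn", date(2025, 9, 1)),
    AccessRecord("BetaMaint", "plant-jump-host", date(2025, 8, 20)),
    AccessRecord("DeltaUnknown", "site-wifi", date(2025, 7, 15)),
]

def sample_findings():
    return reconcile(CONTRACTS, ACCESS, as_of=date(2025, 9, 9), operator_state="DE")
```

Running the access records first means a supplier procurement has never heard of still appears in the output, which is the case the text calls operational rather than contractual reality.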
The second pressure point is product security. The interaction between NIS2 and the Cyber Resilience Act, adopted as Regulation (EU) 2024/2847, is structural. CRA imposes security requirements on products with digital elements placed on the Union market. NIS2 imposes obligations on operators that use those products. The operator's defence in case of incident is that the product was placed on the market in conformity with CRA, and that the operator's selection and configuration followed Article 21(2)(d). The supplier's defence is that the operator deployed the product outside the documented use cases. The contractual surface where these defences meet is the procurement specification, and that specification has to reference IEC 62443 for industrial control systems, ISO 27001 for information security management, and the relevant CRA conformity assessment route. Operators that are not specifying in this vocabulary are buying products that will not survive an incident review.
The third pressure point is incident notification. Article 23 requires an early warning within twenty-four hours of awareness of a significant incident, an incident notification within seventy-two hours, and a final report within one month. The clock starts at awareness, not at attribution. When the incident originates in a supplier in another Member State, the operator's notification obligation does not wait for the supplier's confirmation. The operator notifies on the basis of what it knows, with the caveats it can document. The competent authority in the operator's Member State then coordinates with the authority in the supplier's Member State through the CSIRTs network. The supplier's own notification, if it is itself subject to NIS2, runs in parallel. An operator that has not pre-defined the decision authority for early warning at the management body level loses the twenty-four-hour window in internal coordination. The window is not extendable.
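The Article 23 clock above is simple to state and easy to lose in practice. The following is an added example, not code from the article: it computes the three deadlines from the moment of awareness and evaluates two constructed versions of the same supplier-originated incident, one where the operator waited for the supplier's confirmation and one where a pre-defined authority sent the early warning on what was known. The timestamps are constructed, and modelling "one month" as a calendar month is an assumption, since national transpositions may count it differently.

```python
# Added example (not the article's code): Article 23 notification clock for a
# supplier-originated incident. Timestamps are constructed; the "one month"
# final-report deadline is modelled as a calendar month (an assumption).
from calendar import monthrange
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

def add_one_month(t: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 28 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)

def deadlines(awareness: datetime) -> Dict[str, datetime]:
    """The three Article 23 deadlines, all counted from awareness, not attribution."""
    return {
        "early_warning": awareness + timedelta(hours=24),
        "incident_notification": awareness + timedelta(hours=72),
        "final_report": add_one_month(awareness),
    }

def evaluate(awareness: datetime, submitted: Dict[str, Optional[datetime]],
             now: datetime) -> Dict[str, str]:
    """Classify each stage: 'met', 'late', 'missed' (deadline passed, nothing
    sent) or 'open' (nothing sent yet, still inside the window)."""
    result = {}
    for stage, due in deadlines(awareness).items():
        sent = submitted.get(stage)
        if sent is not None:
            result[stage] = "met" if sent <= due else "late"
        else:
            result[stage] = "missed" if now > due else "open"
    return result

# Constructed scenario: a Lisbon operator learns on Friday 12:00 UTC that its
# Bratislava supplier's remote-maintenance platform was compromised. The
# supplier only confirms the scope 30 hours later; the clock ran from 12:00.
AWARENESS = datetime(2025, 8, 29, 12, 0, tzinfo=timezone.utc)
SUPPLIER_CONFIRMATION = AWARENESS + timedelta(hours=30)

def scenario_waited_for_supplier() -> Dict[str, str]:
    """Early warning sent only after the supplier confirmed: the 24h window is lost."""
    sent = {"early_warning": SUPPLIER_CONFIRMATION + timedelta(hours=1),
            "incident_notification": AWARENESS + timedelta(hours=70),
            "final_report": None}
    return evaluate(AWARENESS, sent, now=AWARENESS + timedelta(days=5))

def scenario_predefined_authority() -> Dict[str, str]:
    """Early warning sent on what was known, caveats documented, within 24h."""
    sent = {"early_warning": AWARENESS + timedelta(hours=20),
            "incident_notification": AWARENESS + timedelta(hours=70),
            "final_report": None}
    return evaluate(AWARENESS, sent, now=AWARENESS + timedelta(days=5))
```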
What cross-border coordination actually delivers
The directive establishes three coordination layers. The Cooperation Group under Article 14 sets strategic direction and produces coordinated risk assessments. The CSIRTs network under Article 15 handles operational coordination between national computer security incident response teams. EU-CyCLONe under Article 16 manages large-scale cybersecurity incidents and crises at operational level for Member States and the Commission. ENISA provides the secretariat for the Cooperation Group and supports the CSIRTs network. The architecture is sound on paper. In practice, what it delivers to an operator depends on the maturity of the operator's own coordination function.
An operator that maintains a single point of contact for cyber regulatory matters across all its Member State sites receives coordinated guidance through that point. An operator that has distributed the regulatory interface across local compliance officers receives twenty-seven versions of guidance, with differences in interpretation that the operator then has to reconcile internally. The directive does not provide for a one-stop-shop except in the limited case of digital infrastructure entities under Article 26(2), where jurisdiction follows main establishment. For all other operators, the multi-jurisdictional reality is the baseline. The CSIRTs network supports this reality by exchanging information about incidents that cross borders, but the network is a network of national bodies, not a substitute for them.
ENISA's threat landscape reports, the Cooperation Group's coordinated risk assessments and the Commission's implementing acts together produce a body of reference material that an operator can use to align its supply chain risk assessment with Union-level expectations. This material is not binding in itself. It becomes binding indirectly, when a national authority cites it in a supervisory decision. Operators that track this material continuously have a defensible reference. Operators that consult it only at audit time find that the reference has moved between consultations.
Sanctions, jurisdiction and the limits of administrative reach
Article 34 establishes the floor for administrative fines. Member States have transposed this floor with variation in the ceiling and in the procedural safeguards. The directive's Article 32 establishes the supervisory and enforcement measures available to authorities, including binding instructions, orders to bring infringements to an end, orders to comply with security requirements, orders to inform affected natural and legal persons, and the designation of a monitoring officer with defined tasks for a specified period. Article 32(5) extends to the temporary prohibition of management functions for any natural person performing managerial responsibilities at chief executive officer or legal representative level in case of essential entities. This provision is the cross-border bite at personal level. A managing director sanctioned under the German transposition cannot simply move the management function to the Italian subsidiary, because the prohibition is recognised across the Union through the cooperation mechanism of Article 37.
For supply chain obligations specifically, the sanctions follow the principal entity. The supplier is not directly liable under NIS2 unless the supplier is itself an essential or important entity. The operator is liable for its supplier selection and oversight. The contractual cascade is the only mechanism through which the operator can recover from the supplier, and that cascade has to be drafted before the incident, not after. Procurement specifications that reference Article 21(2)(d) compliance, audit rights, incident notification obligations from supplier to operator within timelines that allow the operator to meet its Article 23 obligations, and indemnification for regulatory sanctions caused by supplier failures, are the operative provisions. Operators that have not retrofitted their existing supplier contracts to this standard carry the full sanctions risk on their own balance sheet.
The interaction with ISO 27001, NIST 800-53 and IEC 62443 is one of evidentiary support. None of these standards by itself proves compliance with Article 21. All of them, applied with discipline and audited externally, provide the evidence base that a supervisory authority will accept as a starting point for the proportionality assessment. ASIS International's standards for security risk management add the physical and personnel security dimensions that NIS2's Article 21(2)(i) on human resources security references implicitly. The GDV's recommendations for industrial insurance policies create a second layer of pressure, because insurers are increasingly conditioning coverage on demonstrable NIS2 alignment. An operator that fails on the regulatory side also fails on the insurance side, and the two failures compound.
What holds
The cross-border supply chain obligations under NIS2 are not a transposition problem that will resolve itself once all Member States have completed implementation. They are a structural feature of a directive that places liability with operators while leaving supervisory competence with twenty-seven national authorities. The asymmetry is permanent. The defensible response is to treat supply chain compliance as a centralised internal function, with a continuously maintained supplier register, contractual cascades that pass the relevant obligations to suppliers, and a single management-level decision authority for incident notification that can act within the twenty-four-hour window without internal coordination delays.
For operators in the construction, industrial and logistics sectors that are within the scope of the directive's Annex I and Annex II, the most underestimated obligation is the integration of physical security and information security under the single Article 21 catalogue. Security technology at the perimeter, sensor data from autonomous systems, video analytics platforms and the data flows they generate are all in scope. An operator that has separated the governance of these systems from the governance of its IT cybersecurity is running two parallel compliance functions that the directive treats as one. The consolidation is overdue.
Operators that want to move from a defensive posture to a structured assessment of their position can do so through a focused audit. A three-to-five-day audit of the supply chain compliance function, conducted against the directive, the relevant national transposition and the operator's existing contractual base, produces a defensible map of obligations, gaps and priorities. That is Path II in the engagement model described in BOSWAU + KNAUER. From Building to Security Technology. For operators that prefer to begin with a confidential conversation at management level, Path I provides sixty minutes without follow-up obligation. The choice depends on how much of the answer the operator already has.
Frequently asked questions
What does Article 21 require?
Article 21 of Directive (EU) 2022/2555 requires essential and important entities to implement appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems. The article lists ten categories of measures, including risk analysis, incident handling, business continuity, supply chain security, secure acquisition, vulnerability handling, cryptography, human resources, access control and basic cyber hygiene. The measures must be commensurate with risk and aligned with European and international standards. National transpositions and Commission implementing acts add technical specifications for certain sectors, particularly digital infrastructure.
How is cross-border enforcement carried out?
Cross-border enforcement operates through three layers. The Cooperation Group under Article 14 sets strategic direction and issues coordinated risk assessments. The CSIRTs network under Article 15 coordinates operational incident response between national teams. EU-CyCLONe under Article 16 manages large-scale crises. Jurisdiction follows the place of main establishment under Article 26, with mutual assistance obligations under Article 37 governing requests between national authorities. Information flows across borders through these networks, but obligations do not consolidate. An operator subject to supervision in one Member State remains subject to information requests from authorities in other Member States where it operates or where its suppliers are located.
Who coordinates?
ENISA, the European Union Agency for Cybersecurity, provides the secretariat for the Cooperation Group and supports the CSIRTs network. At national level, each Member State designates one or more competent authorities, one or more CSIRTs, and a single point of contact for cross-border cooperation. The Commission coordinates the implementing acts and the periodic review of the directive. For sector-specific risk assessments, the Cooperation Group convenes Member State experts together with ENISA and the Commission. References to CISA and NIST in this context are informational, as the United States is not part of the NIS2 governance structure, but the technical alignment between NIST CSF 2.0, ISO 27001 and the Article 21 catalogue is substantive.
What sanctions cross borders?
Administrative fines under Article 34 are imposed by the national authority with jurisdiction and are enforceable in that Member State under national law. The floors are at least ten million euros or two percent of worldwide turnover for essential entities and seven million or one point four percent for important entities. Beyond fines, Article 32 provides for supervisory measures including binding instructions, monitoring officers and, for essential entities, temporary prohibition of management functions at chief executive or legal representative level. Through the cooperation mechanism of Article 37, supervisory decisions taken in one Member State are recognised by authorities in other Member States, which means that a management prohibition cannot be circumvented by moving the function to a subsidiary in another jurisdiction.

About the author
Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com
The firm is reached at boswau-knauer.de or +49 711 806 53 427.


