
NIS2 Supplier Identity Register: What Auditors Check in 2026

Gustav Poola
Tags: nis2, article-21, supply-chain, tprm, supplier-register, audit, third-party-risk, identity-verification

Belgium's first binding NIS2 deadline is today. Article 21(2)(d) requires supply chain security — and what auditors open first is the supplier register.


NIS2 auditors examining Article 21(2)(d) check the supplier register first. They look for six artefacts: a classified register of every direct supplier, documented due diligence per critical supplier, contractual security clauses, continuous monitoring, incident communication records, and management oversight. The single most common gap is identity evidence for privileged personnel at non-EU suppliers.

Today — 18 April 2026 — is the first binding NIS2 conformity-assessment deadline in the European Union. Belgian essential entities must have placed their evidence of compliance with Article 21 risk-management measures in front of a BELAC-accredited Conformity Assessment Body (CCB Belgium — 18 April 2026 deadline). Of the ten measures in Article 21(2), the one that will consume the most audit hours this month is not MFA and not cryptography. It is measure (d) — supply chain security — and inside that, the single artefact every auditor opens first is the supplier register. The register is where NIS2 compliance stops being self-attestation and becomes documentary evidence.

What Article 21(2)(d) Actually Requires

Article 21(2)(d) of Directive (EU) 2022/2555 obliges every essential and important entity to implement measures covering "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers, taking into account vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures" (NIS2 Article 21 — full text).

The text is deliberately broad. Two clarifying instruments narrow it down for practical supervision:

  • ENISA — Good Practices for Supply Chain Cybersecurity (June 2023) gives the interpretive baseline that national authorities lean on. Its survey of essential and important entities in the EU found that 86% had ICT/OT supply chain cybersecurity policies, 61% required security certification from suppliers, 43% used security rating services, and 37% documented due diligence or formal risk assessments (ENISA — Good Practices for Supply Chain Cybersecurity).
  • EU ICT Supply Chain Security Toolbox, adopted by the NIS Cooperation Group, is a horizontal, non-binding set of voluntary measures that member states can adapt to their national supervisory model (Toolbox to improve ICT supply chain security).

Neither document is a regulation. Both are what an auditor reaches for when testing whether an entity's Article 21(2)(d) programme is credible. ENISA's numbers also quantify the gap: most entities have a policy on paper, roughly two-thirds have a certification requirement, and only a third can show documented due diligence per supplier — the evidence an auditor actually examines.

The Six Things an Auditor Asks to See

Practitioners working with first-round NIS2 audits have consolidated the documentary burden of Article 21(2)(d) into six tangible categories (Orbiq — NIS2 third-party risk documentation):

  • A supplier register of every direct supplier and service provider with access to network and information systems, classified by criticality
  • Documented due diligence evidence for each critical supplier — not a generic questionnaire, but risk-proportionate assessment
  • Contractual security clauses aligning supplier controls to the entity's own Article 21 measures and flowing down incident-reporting obligations
  • Continuous monitoring evidence — not a one-time onboarding check, but an ongoing view of supplier security posture
  • Incident communication records between entity and supplier, including exercised notification channels
  • Management-level oversight artefacts showing that supply-chain risk is reported into the governance structure

Notice what this list is not. It is not a "tick-box audit scorecard for suppliers." It is a documentary chain that auditors can traverse from a specific incident or privilege grant back to the moment the supplier was onboarded. The weakest link in that chain determines whether the programme passes.

Critical Suppliers Are Not "All Suppliers Slightly More Carefully"

The second most common finding in early 2026 audits is that entities classify suppliers but do not act differently on the classification. Article 21(2)(d) implicitly expects differentiated treatment: the depth of due diligence, the frequency of reassessment, and the contractual controls all scale with criticality.

A workable reassessment cadence — widely recommended by TPRM practitioners aligned to NIS2 — is annual reassessment for critical suppliers, every eighteen months for important suppliers, and contract-renewal review for the rest. The point is not the exact interval; the point is that if every supplier in the register gets the same questionnaire and the same cadence, criticality is an un-applied label, not a control.

[Figure] The NIS2 supplier register as a structured evidence artefact: classification drives differentiated treatment; identity of personnel is the link most often missing.

Classification also determines which suppliers trigger the harder question: the identity of the people behind the supplier.

The Identity-of-Personnel Question

Article 21(2)(d) places the obligation on the entity, not on the supplier. That matters when a supplier's service engineer connects into the entity's environment under a change ticket. The entity's access-control policy under Article 21(2)(i) still governs that access; the entity is still responsible for knowing who is on the other end of the credential.

NIS2 does not let you outsource identity assurance to your supplier's HR department. If a supplier's employee holds a credential that can reach your regulated systems, you are accountable for the identity behind that credential.

For EU suppliers, this gap is narrowing. By December 2026, every Member State must make its EUDI Wallet available to citizens and residents, and a growing number of supplier contracts are beginning to require wallet-asserted identity for named personnel with privileged access. For non-EU suppliers — the third-country sub-processor, the offshore engineering team, the nearshore support desk — the EUDI Wallet does not extend. An EU essential entity buying identity assurance for those personnel needs a second pathway.

The cryptographic alternative for anyone whose government issues a biometric passport is a read of the passport's NFC chip at enrolment: data signed by the issuing state, verifiable offline, clone-resistant via Active or Chip Authentication, and bound to physical presence through the PACE protocol. Approximately 180 countries and regions issue passports to this standard (Signicat, December 2025). The cryptographic attestation, captured at supplier-personnel onboarding and countersigned under an advanced electronic signature, produces an evidence record that slots directly into the supplier register — and survives an auditor's traversal from an incident back to the enrolment moment.

The same identity-proofing primitive answers the analogous question under the CER Directive's Article 13(e) and Article 14 for critical-entity personnel — which explicitly reaches external service providers' personnel in the same way NIS2 Article 21(2)(d) does.

What Separates an Audit-Passing Register from a Failing One

In practice, four indicators consistently distinguish a register that holds up to supervisory review from one that does not:

  • Scope completeness. Every direct supplier with access to regulated network and information systems is listed, with the nature of that access recorded. Shadow suppliers surfaced during the audit are a finding.
  • Risk classification with methodology. Each supplier has a criticality rating, a documented rationale, and a dated last-review entry. Reviews are periodic, not one-off.
  • Differentiated treatment applied. The register links classification to action — depth of due diligence, frequency of reassessment, specific contractual clauses — rather than recording criticality as a label alone.
  • Identity evidence for named privileged personnel. For critical and important suppliers whose personnel hold access to regulated systems, the register can produce cryptographic enrolment evidence for those named individuals, not just a company-level attestation.

The fourth indicator is the one most supplier-register tools do not yet handle well. The first three can be produced by any competent GRC platform. The fourth requires the entity's onboarding workflow to capture identity evidence that is not only internally generated — a selfie and an uploaded PDF of an ID card — but independently verifiable against the issuing authority of the identity document itself. The same primitive sits beneath workforce identity verification for the sensitive-role and privileged-access categories the register asks you to enumerate.
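As an added example (not the article's or any GRC product's code), the register modelled as a structured artefact and walked against the four indicators above, with the reassessment cadences from the earlier section applied per criticality rather than uniformly. Supplier names, personnel, evidence labels and dates are constructed; the contract-renewal review for standard suppliers is deliberately left out of the check.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Cadence the article recommends: annual for critical, 18 months for important;
# "standard" suppliers are reviewed at contract renewal, which is not modelled here.
CADENCE_DAYS = {"critical": 365, "important": 548}
INDEPENDENT_EVIDENCE = {"passport-chip", "eudi-wallet"}  # verifiable against the issuer

@dataclass
class Person:
    name: str
    privileged: bool
    identity_evidence: str  # e.g. "passport-chip", "eudi-wallet", "selfie-pdf", ""

@dataclass
class Supplier:
    name: str
    criticality: str        # "critical" | "important" | "standard"
    access: str             # nature of access to regulated systems; "" = unrecorded
    rationale: str          # documented reason for the rating; "" = missing
    last_review: Optional[date] = None
    personnel: List[Person] = field(default_factory=list)

def audit_register(register: List[Supplier], today: date):
    # Returns (supplier, indicator, detail) findings, one per failed check.
    findings = []
    for s in register:
        if not s.access:  # 1. scope completeness
            findings.append((s.name, "scope", "nature of access not recorded"))
        if not s.rationale or s.last_review is None:  # 2. classification with methodology
            findings.append((s.name, "classification", "rationale or dated review missing"))
        if s.criticality in CADENCE_DAYS:  # 3. differentiated treatment: cadence follows the rating
            if s.last_review and today - s.last_review > timedelta(days=CADENCE_DAYS[s.criticality]):
                findings.append((s.name, "treatment", f"{s.criticality} supplier overdue for reassessment"))
            for p in s.personnel:  # 4. named privileged personnel need issuer-verifiable evidence
                if p.privileged and p.identity_evidence not in INDEPENDENT_EVIDENCE:
                    findings.append((s.name, "identity", f"{p.name}: no issuer-verifiable identity evidence"))
    return findings

# Constructed sample register (fictitious suppliers and people), audited on 18 April 2026.
SAMPLE_REGISTER = [
    Supplier("Historian Hosting Ltd", "critical", "remote admin of OT historian", "hosts regulated OT data",
             date(2025, 3, 1), personnel=[Person("A. Engineer", True, "passport-chip"),
                                          Person("B. Contractor", True, "selfie-pdf")]),
    Supplier("Nearshore Desk BV", "important", "L2 helpdesk, read-only", "", date(2025, 1, 10),
             personnel=[Person("C. Analyst", True, "eudi-wallet")]),
    Supplier("Printer Maintenance SA", "standard", "", "on-site hardware only", date(2025, 6, 1)),
]

def sample_findings():
    return audit_register(SAMPLE_REGISTER, date(2026, 4, 18))
```

Running `sample_findings()` yields four findings: the critical supplier is overdue and has a privileged contractor with only internally generated evidence, the important supplier lacks a classification rationale, and the standard supplier's access is unrecorded.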

2026 Is When the Register Starts Being Read

Before this year, many supplier registers in the EU existed primarily as spreadsheets for procurement. Article 21(2)(d) turns the register into a documentary artefact that external auditors read, question, and walk back through. Belgium is the first member state to place a hard deadline on that readability. Germany's BSI is the first regulator in a position to demand production of the register without a triggering incident. The Netherlands, Austria, and France will follow through 2026.

Entities whose register shows scope, classification, differentiated treatment, and cryptographic identity evidence for privileged supplier personnel have an answer to every Article 21(2)(d) question an auditor can ask. Entities whose register is a procurement list with a criticality column have a remediation project — and 2026 is the first year in which the cost of not having that remediation already done will be measured in supervisory findings rather than hypotheticals. The same dynamic is unfolding in financial services under DORA's Register of Information, where the first mandatory ICT third-party submissions closed on 31 March 2026.


About the author

Gustav Poola is co-founder of IdentiGate. He focuses on the technical architecture of passport-chip identity verification, advanced electronic signature production under eIDAS, and the engineering of identity flows that survive regulator and auditor walk-back.
