
NIS2 Third-Party Risk Mapping: A Practical Worksheet for Small and Mid-Market Companies

NIS2 requires supply chain risk management, but most guidance is written for enterprises with dedicated compliance teams. This worksheet is designed for organisations with 10 to 50 employees that need to get started now.

NIS2 Risk Mapping Worksheet

NIS2 (Directive 2022/2555) requires organisations in essential and important sectors to implement supply chain risk management measures. Article 21(2)(d) is specific: you must address “security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.”

Most of the guidance available for implementing this requirement is written for large enterprises with dedicated compliance, legal, and IT security teams. If you are a 15-person professional services firm, a 30-person fintech, or a 40-person manufacturing company that supplies essential-sector clients, the guidance does not match your resources.

This worksheet is designed for that gap. It walks you through mapping your third-party ICT risks in a structured way, using a format that is practical to fill in without a compliance department, while producing documentation that a supervisory authority would find credible.

Before You Start

You need three things:

  1. A list of your SaaS tools and cloud services. If you do not have one, check your bank statements for recurring charges, review your identity provider’s connected applications, and ask each team lead what tools they use daily.

  2. 30 to 60 minutes per provider for the top 5 to 10 most critical ones. You do not need to map every tool on day one. Start with the ones that would halt operations if they disappeared.

  3. One person who understands both the technical setup and the business impact. In many small organisations, this is the CTO, IT lead, or a technical co-founder.

The Worksheet

For each ICT third-party provider, work through the following five sections. We have included a worked example using a common scenario: a 20-person company running on Google Workspace.

Section 1: Provider Profile

| Field | Your Entry | Example |
| --- | --- | --- |
| Provider name | | Google (Alphabet Inc.) |
| Contracting entity | | Google Ireland Limited |
| Service(s) used | | Gmail, Google Drive, Google Calendar, Google Meet, Google Admin (identity) |
| Contract type | | Annual subscription, Google Workspace Business Standard |
| Contract renewal date | | 1 July 2026 |
| Annual cost | | €3,456 (€14.40/user/month × 20 users) |
| Vendor HQ jurisdiction | | United States |
| Data processing location(s) | | EU (Netherlands, Belgium per Google’s data region setting) |
| Known sub-processors | | Google LLC (US), various data centre operators (see Google’s sub-processor list) |

Section 2: Dependency Map

This section identifies what your organisation actually depends on this provider for. Be specific. “Email” is too vague. “All internal and external email communication, calendar scheduling, and contact management for 20 employees” is useful.

| Field | Your Entry | Example |
| --- | --- | --- |
| Business functions supported | | All email communication (internal and external). Calendar scheduling for all employees and client meetings. File storage for all departments. Video conferencing for internal and client meetings. Identity provider for SSO to 8 third-party applications. |
| Departments affected | | All departments (finance, operations, sales, engineering, management) |
| Number of users | | 20 (all employees) |
| Data categories processed | | Personal data (employee and client), financial documents, contracts, client deliverables, internal strategy documents, HR records |
| Connected systems | | Salesforce (SSO via Google), HubSpot (SSO via Google), Notion (SSO via Google), Slack (SSO via Google), GitHub (SSO via Google), Xero (email integration), Calendly (calendar sync), 2 internal tools via Google OAuth |
| Automations dependent on this provider | | 4 Apps Scripts (invoice generation, onboarding checklist, sales report aggregation, client folder creation) |

Section 3: Risk Assessment

For each risk type, score the risk as Low, Medium, High, or Critical. Then provide a brief justification. The justification matters more than the score. A supervisory authority will want to see your reasoning, not just your labels.

| Risk Type | Score | Justification |
| --- | --- | --- |
| Concentration risk | Example: Critical | Google provides identity, email, file storage, calendar, and video conferencing. A single provider controls 5 of our 6 most critical ICT functions. Loss of Google would halt all operations. |
| Jurisdictional risk | Example: High | Google is a US company subject to the CLOUD Act. US law enforcement can compel disclosure of our data regardless of EU storage location. The EU-US Data Privacy Framework provides some protection but rests on a US executive order that can be revoked. |
| Operational continuity risk | Example: High | Google Workspace has a strong uptime record (99.9% SLA), but our organisation has no contingency for a prolonged outage or sudden access revocation. No backup email, no backup identity provider, no offline file copies beyond what is synced to laptops. |
| Data protection risk | Example: Medium-High | Data is stored in the EU per our configuration, but Google retains administrative access and holds encryption keys. Transfer Impact Assessment identifies the CLOUD Act as a residual risk. We process client personal data and financial records through this provider. |
| Lock-in risk | Example: High | Identity (SSO to 8 apps), data gravity (estimated 200,000 files in Drive), and 4 Apps Scripts create significant switching barriers. Estimated migration timeline: 3 to 6 months. |
| Supply chain depth risk | Example: Medium | Google’s own infrastructure (GCP, global network, certificate management) introduces dependencies we do not directly control or monitor. Google’s sub-processor list is published but changes without individual notification. |

Section 4: Existing Controls

Document what measures are already in place to manage the risks identified above. Be honest. If a control does not exist, write “None” and move on. A documented gap is better than a fabricated control.

| Control Type | Current Status | Example |
| --- | --- | --- |
| Contractual safeguards | | Google Workspace Enterprise Agreement with Data Processing Addendum. SLA: 99.9% uptime. Standard EU data processing clauses. |
| Data backup | | None. No independent backup of Gmail or Google Drive. Files on laptops are partially synced via Google Drive for Desktop, but this is not a systematic backup. |
| Identity redundancy | | None. No alternative identity provider. If Google SSO fails, all 8 connected applications become inaccessible. |
| Exit strategy | | None. No documented plan for migrating away from Google Workspace. No alternative providers evaluated. |
| Monitoring | | Google Workspace status dashboard checked ad hoc. No automated alerting for service degradation. |
| Access controls | | 2-step verification enforced for all users. Admin accounts restricted to 2 people. Security keys required for admin access. |
| Incident response | | General incident response procedure exists. No specific runbook for Google Workspace outage or access revocation scenario. |

Section 5: Action Plan

For each gap identified in Section 4, define a specific, time-bound action. This is the section that turns a risk assessment into a compliance artifact. NIS2 does not require you to have eliminated every risk. It requires you to have identified risks, implemented proportionate measures, and documented your reasoning.

| Gap | Action | Owner | Deadline | Priority |
| --- | --- | --- | --- | --- |
| No data backup | Implement daily backup of Gmail and Google Drive to EU-hosted storage (evaluate Veeam, Afi, or open-source alternatives) | IT Lead | Q2 2026 | High |
| No identity redundancy | Deploy Keycloak on EU infrastructure as standby identity provider. Configure SSO connections for top 3 critical applications. | IT Lead | Q3 2026 | High |
| No exit strategy | Complete dependency audit and document exit strategy for Google Workspace, including alternative providers, migration timeline, and cost estimates. | CTO | Q2 2026 | High |
| No outage runbook | Write specific incident response runbook for Google Workspace outage scenario. Test with tabletop exercise. | IT Lead | Q2 2026 | Medium |
| No automated monitoring | Configure uptime monitoring for Google Workspace services with alerting to IT team. | IT Lead | Q2 2026 | Medium |
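The dependency map in Section 2, the concentration score in Section 3 and the standby identity provider in Section 5 are three views of one question: what stops working if a provider disappears, and how much does a given mitigation shrink that blast radius? The script below is an added example, not part of the original worksheet or of any vendor's tooling. It encodes a constructed inventory modelled on the Google Workspace scenario (the app list, the six critical functions, the scoring thresholds and the function names are all assumptions for illustration) and computes, for each provider, which critical functions would be lost and which SSO-connected applications would be locked out, before and after adding a standby identity provider for the three most critical applications.

```python
"""Dependency map and concentration-risk analysis for an ICT provider inventory.

Added example, not from the original worksheet. Provider and application
names follow the worked Google Workspace scenario; the data model, thresholds
and function names are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Provider:
    name: str
    functions: set[str]                                   # business functions delivered
    identity_for: set[str] = field(default_factory=set)   # apps that rely on it for SSO


# Constructed: the six ICT functions the organisation treats as critical.
CRITICAL_FUNCTIONS = {
    "email", "calendar", "file storage", "video conferencing", "identity", "payments",
}

# Constructed inventory: one provider delivers five of the six critical
# functions and is the SSO path for every connected application.
INVENTORY = [
    Provider(
        "Google Workspace",
        {"email", "calendar", "file storage", "video conferencing", "identity"},
        identity_for={"Salesforce", "HubSpot", "Notion", "Slack", "GitHub",
                      "internal tool 1", "internal tool 2"},
    ),
    Provider("Stripe", {"payments"}),
    Provider("Salesforce", {"crm"}),
    Provider("Slack", {"chat"}),
]


def loss_impact(inventory, lost):
    """Return (functions lost, apps locked out) if provider `lost` disappears.

    A function is lost only if no remaining provider delivers it, so a standby
    identity provider removes 'identity' from the loss. An app is locked out
    if the lost provider was its only SSO path.
    """
    remaining = [p for p in inventory if p.name != lost.name]
    still_covered = set().union(*(p.functions for p in remaining))
    apps_still_reachable = set().union(*(p.identity_for for p in remaining))
    return lost.functions - still_covered, lost.identity_for - apps_still_reachable


def concentration_score(inventory, provider, critical=CRITICAL_FUNCTIONS):
    """Map the share of critical functions lost with this provider onto the
    worksheet's Low/Medium/High/Critical scale (thresholds are an assumption)."""
    lost_functions, _ = loss_impact(inventory, provider)
    share = len(lost_functions & critical) / len(critical)
    if share >= 0.5:
        return "Critical"
    if share >= 0.25:
        return "High"
    if share > 0:
        return "Medium"
    return "Low"


def with_standby_idp(inventory, covered_apps=("Salesforce", "HubSpot", "Slack")):
    """Section 5 mitigation: a standby identity provider (Keycloak in the
    action plan) configured for the top applications. Returns a new inventory."""
    standby = Provider("Keycloak (standby)", {"identity"}, identity_for=set(covered_apps))
    return [*inventory, standby]


def report(inventory):
    """Per provider: (concentration score, critical functions lost, apps locked out)."""
    return {
        p.name: (concentration_score(inventory, p), *map(len, loss_impact(inventory, p)))
        for p in inventory
    }


if __name__ == "__main__":
    for label, inv in (("current", INVENTORY), ("with standby IdP", with_standby_idp(INVENTORY))):
        print(f"--- {label} ---")
        for name, (score, n_funcs, n_apps) in report(inv).items():
            print(f"{name:22} {score:9} functions lost: {n_funcs}  apps locked out: {n_apps}")
```

Running it shows the point the worksheet makes in words: the standby identity provider keeps three applications reachable and removes identity from the functions lost, yet Google Workspace still scores Critical because four of six critical functions remain single-sourced. Identity redundancy addresses lock-out; it does not by itself reduce concentration.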

Extending the Worksheet

Complete this worksheet for your top 5 providers first. For most small and mid-market organisations, those are:

  1. Primary productivity suite (Microsoft 365 or Google Workspace)
  2. Cloud hosting provider (AWS, Azure, GCP, or EU alternative)
  3. CRM (Salesforce, HubSpot, Pipedrive)
  4. Communication tool (Slack, Teams, Zoom, if separate from productivity suite)
  5. Payment processor (Stripe, Mollie, Adyen)

Once those five are documented, extend to the next tier: DNS provider, code repository, project management, marketing tools, HR/payroll.

What a Supervisory Authority Will Look For

When (not if) your national NIS2 supervisory authority reviews your third-party risk management, they will look for evidence that you have:

  1. Identified your critical ICT providers. The worksheet covers this in Sections 1 and 2.
  2. Assessed the risks. Section 3.
  3. Implemented proportionate measures. Section 4.
  4. Planned for gaps. Section 5.
  5. Assigned accountability. Named owners in the action plan.
  6. Maintained the documentation. Date your worksheets and review them at least annually.

The standard is not perfection. The standard is documented, proportionate effort. An organisation with five completed worksheets, honest gap assessments, and a time-bound action plan is in a far stronger position than one with a generic risk policy and no operational detail.

Getting Started Today

Pick your most critical provider. Set aside 45 minutes. Work through the five sections. You will learn more about your third-party risk exposure in that single exercise than in any amount of policy reading.

The worksheet is a starting point. Over time, refine the scores, update the controls, close the gaps. Each iteration makes your documentation more credible and your organisation more resilient.


Sovereign Shift completes this analysis for your entire stack as part of every dependency audit, covering all providers, all risk dimensions, and all gaps, with a prioritised action plan.