NIS2 (Directive 2022/2555) requires organisations in essential and important sectors to implement cybersecurity risk management measures that specifically address “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers” (Article 21(2)(d)).
This means you need a documented understanding of your ICT third-party dependencies, the risks they introduce, and the measures you have in place to manage those risks. Most organisations call this an ICT third-party risk register.