NIS2 | Sovereign Shift

Apr 22, 2026

NIS2, DORA, and the Regulatory Case for Knowing Your Dependencies

Two pieces of EU legislation, NIS2 and DORA, are fundamentally changing how European organisations must think about their technology suppliers. Neither regulation bans US cloud providers. But both make it legally necessary to understand, document, and manage the risks that come with depending on them.

Most organisations are not ready. Here is what the regulations actually require, and what compliance looks like in practice.

NIS2: Supply Chain Risk Is Now Mandatory

The Network and Information Security Directive 2 (NIS2), which EU member states were required to transpose into national law by October 2024, significantly expands the scope of cybersecurity obligations across Europe.

Apr 1, 2026

How to Build an ICT Third-Party Risk Register for NIS2 Compliance

NIS2 (Directive 2022/2555) requires organisations in essential and important sectors to implement cybersecurity risk management measures that specifically address “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers” (Article 21(2)(d)).

This means you need a documented understanding of your ICT third-party dependencies, the risks they introduce, and the measures you have in place to manage those risks. Most organisations call this an ICT third-party risk register.

Mar 5, 2026

NIS2 Third-Party Risk Mapping: A Practical Worksheet for Small and Mid-Market Companies

NIS2 (Directive 2022/2555) requires organisations in essential and important sectors to implement supply chain risk management measures. Article 21(2)(d) is specific: you must address “security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.”

Most of the guidance available for implementing this requirement is written for large enterprises with dedicated compliance, legal, and IT security teams. If you are a 15-person professional services firm, a 30-person fintech, or a 40-person manufacturing company that supplies essential-sector clients, the guidance does not match your resources.