NIS2 (Directive 2022/2555) requires organisations in essential and important sectors to implement supply chain risk management measures. Article 21(2)(d) is specific: you must address “security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.”
Most of the guidance available for implementing this requirement is written for large enterprises with dedicated compliance, legal, and IT security teams. If you are a 15-person professional services firm, a 30-person fintech, or a 40-person manufacturing company that supplies essential-sector clients, the guidance does not match your resources.