The NIS2 Directive entered into application on October 17, 2024, the deadline for member state transposition, and the 2025 and 2026 enforcement cycles have produced the first substantive view of how national competent authorities are interpreting the directive. The supply chain obligations under Article 21 are the ones generating the most operational uncertainty, particularly for in-scope entities that did not previously have a structured supply chain risk program. This post is a working summary of where the enforcement landscape sits in 2026.
The framing point: NIS2 is a directive, not a regulation, which means each member state has implemented it through national law with some variation. The substantive obligations are harmonized but the enforcement mechanisms, penalty calibration, and registration processes differ. This post focuses on the obligations as they generally apply across the EU, with the understanding that the specifics in your member state may differ in material ways.
Who is in scope and how is it being enforced?
NIS2 covers entities in eighteen sectors classified as essential or important. The size thresholds typically pull in medium and large enterprises, with some sectors covered regardless of size. Essential entities face proactive supervision and higher penalty caps; important entities face reactive supervision after incidents. The classification matters because the supervisory regime is meaningfully different in practice, though the substantive obligations are largely the same.
National competent authorities have been issuing the first substantive penalties in 2025 and 2026, with the typical patterns being incomplete incident reporting, inadequate risk management documentation, and weak supply chain governance. The penalty caps are substantial: up to 10 million euros or 2 percent of global turnover for essential entities, with personal liability for management bodies in some member states. The reputational cost of being on the list of penalized entities has been meaningful for sectors where customer confidence matters.
What does Article 21(2)(d) actually require?
Article 21(2)(d) requires in-scope entities to implement supply chain security measures, including security-related aspects of relationships with direct suppliers and service providers. The European Commission's implementing regulation and the Cooperation Group guidance have fleshed out what this means in practice: a documented supply chain risk management process, assessment of suppliers based on their security posture, and contractual arrangements that allow the in-scope entity to maintain oversight.
The expectation that has caught entities off guard is the breadth of "supply chain." National authorities are reading it to include software dependencies and not just contracted service providers. An in-scope entity that operates a SaaS platform built on open source components is expected to have visibility into and risk management for those components, comparable to its treatment of contracted vendors. The Cooperation Group's coordinated risk assessments, including the 2024 work on ICT supply chain, are now the reference points for what good looks like.
How is incident reporting playing out in 2026?
The 24-hour early warning, 72-hour incident notification, and one-month final report cycle under Article 23 is now the operational reality, and the practical lessons are clear: entities that have not rehearsed the reporting process produce poor early warnings, which generates supervisory follow-up that is more expensive than the incident itself. The early warning is supposed to be a brief notification with what is known at the time, not a complete analysis, and the supervisory authorities are tolerant of incomplete information at the early warning stage if the subsequent notifications fill in the picture.
Supply chain incidents are explicitly in scope for the reporting obligation when they affect the security of the in-scope entity's services. A compromise in a critical software dependency that affects service availability is reportable on the same timeline as a direct breach. The reporting obligation is one of the strongest practical reasons for in-scope entities to maintain real-time visibility into their software supply chain, because retrospective discovery of a supply chain incident creates a 24-hour clock that is already running.
What does the management body obligation mean?
Article 20 requires the management bodies of in-scope entities to approve the cybersecurity risk management measures and to oversee their implementation. Members of the management body must complete specific cybersecurity training and may be held personally liable for breaches of these obligations in member states that have implemented personal liability. This is a meaningful shift from previous EU cybersecurity regimes, which generally treated cybersecurity as a management discipline without personal accountability at the board level.
The practical implication is that boards and executive committees of in-scope entities are now asking for visibility into supply chain risk in a way they were not before. The reporting that satisfies the management body's oversight obligation is typically quarterly, with metrics covering supplier risk posture, identified incidents, remediation timelines, and material changes to the supply chain. Generic narrative reporting without metrics does not satisfy the supervisory expectation, and entities are restructuring their board reporting to address this.
How Safeguard Helps
Safeguard provides the supply chain visibility and risk management evidence Article 21(2)(d) expects. Continuous SBOM generation gives in-scope entities the dependency inventory that supply chain incident reporting under Article 23 requires within hours of discovery. Griffin AI runs reachability analysis to support the risk-based prioritization national authorities are looking for in management documentation. Policy gates in CI enforce supply chain criteria at the build stage, producing operating effectiveness evidence for supervisory review. TPRM scoring of suppliers and dependencies feeds the management body reporting cadence, and zero-CVE base images reduce the volume of supply chain risk the program has to manage. The result is a NIS2 supply chain program that operates continuously rather than during quarterly board cycles.