Coordinated Supply Chain Risk Assessments: EU Evaluating ICT Dependencies

NIS2 Article 22 establishes coordinated supply chain risk assessments. Learn how EU evaluates critical ICT dependencies and what it means for your sector.

Daniel Grigorovich
Daniel Grigorovich
Founder · 24 Jun 2026 · 8 min read
NIS2
Coordinated Supply Chain Risk Assessments: EU Evaluating ICT Dependencies

Who should read this: risk managers, procurement teams, supply chain specialists, sector policy makers, government officials, regulated entities.

The NIS2 Directive introduces a novel governance mechanism: coordinated security risk assessments of critical supply chains conducted at the Union level. These assessments are not compliance requirements imposed on individual entities; rather, they are strategic evaluations conducted by the Cooperation Group, the Commission, and ENISA to identify systemic dependencies, vulnerabilities, and risks in the supply chains of critical ICT services, systems and products. The results of these assessments inform sectoral policy, influence procurement decisions, and guide investment in resilience. This post explains the rationale for coordinated assessments, how they work, and how they affect regulated entities and supply chains.

The rationale is clear: individual organisations are not well-positioned to assess risks across entire supply chains. A telecommunications operator might know which vendors it buys from, but it cannot easily assess those vendors’ suppliers, or the geopolitical risks affecting those suppliers. A financial institution cannot predict which semiconductor manufacturers will face supply disruptions or which software vendors will be acquired by foreign entities. Yet these systemic risks matter enormously. A single-point failure in a critical supply chain can cascade across sectors. This is why Article 22 of the NIS2 Directive empowers the Cooperation Group, in cooperation with the Commission and ENISA, to conduct coordinated assessments.

Article 22 and the Coordination Framework

Article 22 of the NIS2 Directive is spare in its details: “The Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical ICT services, ICT systems or ICT products supply chains, taking into account technical and, where relevant, non-technical risk factors.”

This creates a flexible framework. The Cooperation Group (a body composed of representatives from each Member State) is empowered to initiate assessments. It works with ENISA (the European Union Agency for Cybersecurity) and the Commission to carry them out. The assessments focus on “critical” ICT services, systems, or products, a term that will be defined pragmatically based on sectoral importance. The assessments examine both technical risks (are there known vulnerabilities in the product?) and non-technical risks (is the supplier geopolitically aligned with a potential adversary?).

Recital 90 elaborates the rationale: “To further address key supply chain risks and assist essential and important entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related risks, the Cooperation Group, in cooperation with the Commission and ENISA, and where appropriate after consulting relevant stakeholders including from the industry, should carry out coordinated security risk assessments of critical supply chains, as carried out for 5G networks following Commission Recommendation (EU) 2019/534, with the aim of identifying, per sector, the critical ICT services, ICT systems or ICT products, relevant threats and vulnerabilities. Such coordinated security risk assessments should identify measures, mitigation plans and best practices to counter critical dependencies, potential single points of failure, threats, vulnerabilities and other risks associated with the supply chain and should explore ways to further encourage their wider adoption by essential and important entities.”

The reference to 5G is important. The Commission published a coordinated risk assessment for 5G networks in 2020, identifying that dependencies on non-EU suppliers and the concentration of supply chains created systemic risk. That assessment led to recommendations for supplier diversification, security requirements in procurement, and investment in European alternatives. NIS2 formalises this approach, making coordinated supply chain assessments an ongoing governance function.

Technical and Non-Technical Risk Factors

Coordinated assessments examine both technical and non-technical factors. Technical risks are familiar to cybersecurity professionals: are there known vulnerabilities in the software or hardware? How quickly does the vendor patch vulnerabilities? What is the quality of the development process? Non-technical risks are broader and more contentious.

Recital 91 defines non-technical risk factors: “To identify the supply chains that should be subject to a coordinated security risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, ICT systems or ICT products; (ii) the relevance of specific critical ICT services, ICT systems or ICT products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, ICT systems or ICT products; (iv) the resilience of the overall supply chain of ICT services, ICT systems or ICT products throughout their lifecycle against disruptive events; and (v) for emerging ICT services, ICT systems or ICT products, their potential future significance for the entities’ activities.”

These criteria are designed to identify chokepoints and concentrations. If 80% of European cloud services rely on storage hardware from a single supplier, and that supplier faces disruption, the impact is systemic. If alternative products do not exist, the risk is acute. If a supply chain cannot recover from a disaster, for instance a natural disaster in a single location disrupting production globally, resilience is at risk.

The Directive also references “particular emphasis should be placed on ICT services, ICT systems or ICT products that are subject to specific requirements stemming from third countries.” This is a euphemism for geopolitical risk. Some third countries, notably China, Russia, and Iran, seek to embed hidden vulnerabilities in ICT products for espionage or sabotage. Some countries restrict the export of critical technologies or exert political pressure through supply chain control. Coordinated assessments should identify these risks.

How Assessments Are Conducted

Coordinated assessments follow a structured process:

  • Scoping: the Cooperation Group identifies sectors and supply chains worthy of assessment. This is driven by Member State concerns, Commission priorities, industry feedback, and ENISA’s ongoing analysis of threats.
  • Data collection: ENISA and national cybersecurity authorities gather information about supply chains. This includes identifying major suppliers, understanding dependencies, and cataloguing known vulnerabilities.
  • Stakeholder consultation: where appropriate, the assessment team consults with industry stakeholders to understand technical feasibility, cost implications, and market dynamics.
  • Risk analysis: technical experts assess the likelihood and impact of various risks. This includes vulnerability analysis, supply chain modelling, and scenario planning.
  • Mitigation identification: the assessment identifies practical measures to reduce risk. These might include diversifying suppliers, investing in domestic or allied alternatives, setting security standards for procurement, conducting security audits of suppliers, or building redundancy into supply chains.
  • Reporting: the assessment results are published, typically with recommendations for Member States and regulated entities.

What Happens to Assessment Results?

Coordinated assessments do not directly impose obligations on individual entities. Instead, they inform policy and influence compliance requirements. For example, if an assessment identifies that a particular software vendor poses supply chain risk, a Member State competent authority might issue guidance that essential and important entities should review their reliance on that vendor and develop contingency plans. If an assessment identifies that supplier diversity is low in a particular technology, the Commission might propose procurement policies that reward or require supplier diversification.

Assessments also influence Implementing Acts. The Commission uses the findings of assessments to shape technical and methodological requirements that apply to entities. If an assessment identifies that a particular class of ICT products should be subject to enhanced security testing, that requirement might appear in Commission Implementing Acts.

For regulated entities, assessments provide valuable intelligence for supply chain risk management. Article 21 of the NIS2 Directive requires entities to “take appropriate measures to assess and mitigate supply chain risks.” Coordinated assessments give entities evidence-based information about which supply chains pose the greatest risk and which mitigation measures are most effective.

Practical Implications for Regulated Entities

If you are an essential or important entity, coordinated assessments should inform your procurement and supplier management processes:

  • Monitor assessment results. Subscribe to notifications from ENISA and the Commission about coordinated assessments. When an assessment is published for a supply chain relevant to your sector, read it carefully.
  • Adjust supplier strategy. If an assessment identifies concentration risk or geopolitical concerns, adjust your procurement strategy. This might mean diversifying suppliers, negotiating escrow arrangements for source code, or investing in domestic alternatives.
  • Set supplier standards. Incorporate findings from assessments into your supplier security requirements. If an assessment identifies particular threats, ensure your suppliers have controls to address them.
  • Plan for alternatives. If an assessment identifies that a supplier might face disruption, develop contingency plans. Can you switch to an alternative supplier? Can you maintain a buffer of critical inventory? Can you implement compensating controls if the supplier’s product becomes unavailable?
  • Share information. If you have insights about supply chain risks, perhaps you have discovered vulnerabilities in a widely-used product, share them with your competent authority or ENISA. Assessments benefit from industry intelligence.

Emerging Assessments and Future Focus

The Directive does not specify which supply chains will be assessed first. However, likely candidates include:

  • Cloud computing services and infrastructure: cloud providers are used by nearly all critical sectors. Concentration among major providers (Amazon, Microsoft, Google) creates systemic risk.
  • Semiconductors and components: semiconductor manufacturing is concentrated in a few countries and facilities. Disruption has cascading effects across all ICT-dependent sectors.
  • Software supply chains: the Log4j vulnerability of 2021 demonstrated that a flaw in a single open-source library can affect millions of systems. Software supply chains need better visibility and security practices.
  • 5G and telecommunications: building on the existing 5G assessment, NIS2 will likely deepen analysis of telecom supply chains, particularly in light of geopolitical concerns about equipment suppliers.
  • Managed service providers and outsourcing: as entities outsource more cybersecurity, managed security service providers themselves become part of critical supply chains.

Key Takeaways

  • NIS2 Article 22 establishes a mechanism for coordinated security risk assessments of critical supply chains, conducted by the Cooperation Group, Commission and ENISA.
  • Coordinated assessments examine both technical risks (vulnerabilities, patch responsiveness) and non-technical risks (geopolitical dependencies, concentration, resilience).
  • Assessments identify critical ICT services, systems and products that pose systemic risk, as well as mitigation measures and best practices.
  • Assessment results inform Member State policy, Commission Implementing Acts, and individual entity supply chain risk management decisions.
  • Regulated entities should monitor assessments relevant to their sector, adjust supplier strategies based on findings, and use assessment results to set supplier security requirements.
  • Initial focus is expected on cloud services, semiconductors, software supply chains, telecommunications, and managed service providers.
Daniel Grigorovich

Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.