---
title: "Supply Chain Security Under NIS2: How to Evaluate Your Hardware Vendors"
date: 2026-01-27T11:25:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/lieferkettensicherheit-nis2-hardware"
section: "Entries: Articles"
---
### What NIS2 Concretely Requires for Supply Chain Security [\#](#what-nis2-concretely-requires-for-supply-chain-security "What NIS2 Concretely Requires for Supply Chain Security")

Article 21(2)(d) of Directive (EU) 2022/2555 requires essential and important entities to implement measures addressing supply chain security, including security-related aspects of the relationships with direct suppliers and service providers. The provision is deliberately broad, but guidance from the European Union Agency for Cybersecurity (ENISA) and the national transposition acts have clarified its practical scope. In Germany, for example, the amended BSIG operationalises these requirements; other member states have equivalent provisions.

The core obligations include:

**Risk management for the supply chain:**

- Identify which suppliers and service providers affect the security of the organisation’s network and information systems
- Assess the security practices of suppliers, including their own supply chains
- Establish contractual security requirements with critical suppliers

**Ongoing monitoring:**

- Supply chain assessments are not a one-time procurement activity; NIS2 requires periodic review
- Security incidents at suppliers that affect the organisation must be handled through the organisation’s own incident management process

**Documentation:**

- Organisations must be able to demonstrate to supervisory authorities that supply chain risks have been assessed and managed
- Assessment records, contractual provisions, and review cycles must be producible on demand

The scope of “supply chain” under NIS2 extends explicitly to hardware. ENISA’s good practices for supply chain cybersecurity treat hardware integrity, the assurance that physical components have not been tampered with or compromised before delivery, as a distinct risk category.

---

### Why Hardware Vendors Are Systematically Overlooked [\#](#why-hardware-vendors-are-systematically-overlooked "Why Hardware Vendors Are Systematically Overlooked")

The focus of supply chain security programmes on software suppliers reflects the origins of the discipline in application security. Software bills of materials (SBOMs), vulnerability scanning, and code audits are mature practices with established tooling. Hardware due diligence has no equivalent ecosystem.

Three structural factors contribute to hardware being underweighted:

**Visibility is lower.** Software suppliers are visible in procurement records, contract databases, and often in the product itself. Hardware manufacturers are frequently several tiers removed from the end customer: the organisation buys from a reseller, which sources from a distributor, which buys from the manufacturer. The actual origin of components (processors, controllers, firmware) may be unknown to the procurement team.

**The attack surface is less intuitive.** Most security teams are trained to think about software vulnerabilities. Hardware-level compromises (implanted components, malicious firmware, counterfeit parts) require a different mental model. The 2018 Bloomberg report on alleged supply chain implants in server hardware, disputed by the named manufacturers, nonetheless demonstrated that the threat model is credible enough to require institutional attention.

**NIS2 implementation focus has been elsewhere.** The first wave of NIS2 compliance effort concentrated on incident response, vulnerability management, and business continuity. Supply chain assessments, particularly for hardware, are among the last items to receive systematic attention in most compliance programmes.

---

### Hardware Vendor Evaluation: The Criteria That Matter [\#](#hardware-vendor-evaluation-the-criteria-that-matter "Hardware Vendor Evaluation: The Criteria That Matter")

Apply these criteria to every hardware vendor providing systems that process, store, or transmit data relevant to NIS2-covered functions. Score each criterion and document the assessment.

**Country of origin and legal framework.** Where is the vendor legally domiciled, and which jurisdiction governs data access requests to it? Risk indicator: non-EU domicile with extraterritorial data access laws (for example the US CLOUD Act or the Chinese National Intelligence Law).

**Manufacturing location.** Where are the products physically manufactured and key components sourced? Risk indicator: manufacturing in countries with documented state-sponsored supply chain interference.

**ISO 9001 certification.** Is manufacturing quality management certified by an accredited body? Risk indicator: no certification, or certification by an unaccredited body.

**ISO 27001 certification.** Does the vendor have a certified ISMS, and does the scope cover manufacturing and R&D? Risk indicator: no certification or a scope that excludes the relevant processes.

**Supply chain transparency.** Can the vendor provide a hardware bill of materials including key component origins? Risk indicator: no BOM available, refusal to disclose component origins.

**Firmware and patch capability.** How are firmware updates delivered, are they cryptographically signed and verified, and what is the SLA for critical vulnerabilities? Risk indicator: no documented firmware lifecycle, unsigned updates.

**EU support availability.** Is technical and security support available within the EU, or routed through non-EU entities with access to customer data? Risk indicator: support exclusively from non-EU entities.

**Incident notification.** Does the vendor have a documented process for notifying customers of security incidents affecting their products, and a CVE disclosure practice? Risk indicator: neither exists.

**End-of-life policy.** How long does the vendor commit to security updates, and is there a published end-of-life schedule? Risk indicator: no published policy, short support windows.

**Contractual security obligations.** Will the vendor accept contractual security requirements and, where applicable, a GDPR Art. 28 data processing agreement? Risk indicator: refusal.

---

### Critical Questions for Procurement and Vendor Assessments [\#](#critical-questions-for-procurement-and-vendor-assessments "Critical Questions for Procurement and Vendor Assessments")

Pose these questions to every hardware vendor supplying systems to NIS2-covered environments. Request written responses; verbal assurances are not sufficient for NIS2 documentation requirements.

**On manufacturing and supply chain:**

1. Where are your products designed, manufactured, and assembled? List each location by function.
2. Which countries supply your primary components (processors, storage controllers, network chips, memory)?
3. Do you maintain a hardware bill of materials? Can you provide it to customers on request?
4. What processes do you have to detect and prevent counterfeit or tampered components entering your supply chain?
5. Have you experienced any supply chain security incidents in the past three years? If so, how were they handled?

**On firmware and software:**

1. How are firmware updates cryptographically signed and verified before installation?
2. What is your published SLA for releasing patches for critical firmware vulnerabilities (CVSS 9.0+)?
3. Do you have a published vulnerability disclosure policy? Provide the URL.
4. How long do you commit to providing security updates for each product line?

**On legal and jurisdictional matters:**

1. In which country is your company legally domiciled? Which jurisdiction’s law governs your operations?
2. Are you or any of your subsidiaries subject to laws that could require disclosure of customer data or product functionality to a government authority without the customer’s knowledge? (Specifically: US CLOUD Act, Chinese National Security Law Art. 7, or equivalent.)
3. Where is your technical support team located? Do support personnel have access to customer data or customer system configurations?

**On certifications and audits:**

1. Provide current ISO 9001 and ISO 27001 certificates including scope statements.
2. Are you willing to participate in customer-initiated security audits or provide third-party audit reports?
3. Will you sign a Data Processing Agreement (GDPR Art. 28) where applicable?

---

### Red Flags: When a Hardware Vendor Represents a Security Risk [\#](#red-flags-when-a-hardware-vendor-represents-a-security-risk "Red Flags: When a Hardware Vendor Represents a Security Risk")

These indicators should trigger escalated review or disqualification from procurement:

**Jurisdictional red flags**

- Vendor domiciled in a country with documented state-sponsored industrial espionage targeting European organisations (assess using ENISA and national authority advisories)
- Vendor subject to laws that require cooperation with intelligence services without judicial oversight or customer notification
- Support infrastructure located outside the EU with access to customer system data

**Supply chain opacity red flags**

- Inability or unwillingness to disclose component origins for critical hardware elements (processors, storage controllers)
- No hardware bill of materials available in any form
- Subcontractor manufacturing with no documented quality or security oversight

**Firmware and patch red flags**

- No published vulnerability disclosure policy
- No cryptographic signing of firmware updates
- Patch response time for critical vulnerabilities exceeding 90 days
- End-of-life products still in production use with no security update commitment

**Contractual red flags**

- Refusal to accept contractual security requirements
- Standard terms that reserve the right to update firmware without notification
- Indemnification clauses that exclude security incidents caused by the vendor’s supply chain

**Incident history**

- Confirmed prior supply chain compromise: assess response quality, not just occurrence
- Pattern of late or non-disclosure of security vulnerabilities in products

---

### NIS2 Documentation Requirements for Supplier Assessments [\#](#nis2-documentation-requirements-for-supplier-assessments "NIS2 Documentation Requirements for Supplier Assessments")

Supervisory authorities (in Germany, for example, the BSI and sector-specific regulators) may require organisations to produce evidence of supply chain risk management on demand. Maintain the following records:

**Supplier register.** A structured list of all suppliers whose products or services affect NIS2-covered systems, categorised by criticality tier.

**Assessment records.** For each critical hardware vendor: completed evaluation, written responses to procurement questions, copies of certificates, date of assessment, assessor identity.

**Risk decisions.** Documented decisions where a vendor was accepted despite identified risk factors, including the compensating controls applied and the accountable decision-maker.

**Contractual provisions.** Copies of signed security annexes, DPAs, and any vendor-specific security requirements included in purchase contracts.

**Review cycle.** Evidence that assessments are repeated on a defined cycle (recommendation: annually for Tier 1 vendors, every two years for Tier 2) and triggered by material changes (ownership change, security incident, significant product update).

---

### The “Made in EU” Advantage for Secondary Storage Hardware [\#](#the-made-in-eu-advantage-for-secondary-storage-hardware "The “Made in EU” Advantage for Secondary Storage Hardware")

For secondary storage hardware specifically, the systems that hold backup copies and archives for NIS2-covered organisations, the vendor’s legal framework is not an abstract consideration. It determines whether a government authority can compel access to data stored on or managed through that hardware without the organisation’s knowledge.

The US CLOUD Act (2018) allows US authorities to compel US-domiciled companies to produce data stored anywhere in the world, including on hardware located within the EU. This applies to the vendor’s management interfaces, firmware update mechanisms, and any cloud-connected features, not only to data hosted in US datacentres.

European hardware manufacturers operating exclusively under EU law are not subject to this extraterritorial reach. For organisations whose NIS2 obligations include ensuring that critical data cannot be accessed by non-EU authorities without EU judicial process, the vendor’s domicile is a determinative criterion, not a preference.

Additional advantages of EU-manufactured secondary storage hardware for NIS2 compliance:

**Transparent supply chain.** EU manufacturing regulations and the NIS2 supply chain obligations themselves create incentives for EU manufacturers to maintain and disclose supply chain documentation.

**No CLOUD Act exposure.** Data stored on hardware from a vendor with no US legal nexus is not reachable via CLOUD Act compelled disclosure. This applies both to the stored data and to any management or telemetry data the vendor’s systems collect.

**Aligned regulatory framework.** EU manufacturers are subject to GDPR, the EU Cybersecurity Act, and the NIS2 supply chain requirements themselves, creating a common legal baseline that simplifies compliance verification.

**Predictable support jurisdiction.** When support personnel are located in the EU, the legal framework governing their access to customer data is the same framework the customer operates under.

FAST LTA, as an example of this category, develops and manufactures its Silent Cubes (hardware WORM archive) and Silent Brick System (backup and secondary storage) in Germany, with support delivered from the EU.

---

### Hardware Vendor Assessment Template [\#](#hardware-vendor-assessment-template "Hardware Vendor Assessment Template")

Use this structure to document assessments for NIS2 compliance records. Complete one record per vendor per assessment cycle.

**Header:** assessment date, vendor name, products covered, criticality tier (1 critical / 2 important / 3 standard), assessor, approver.

**Section A, jurisdictional profile:** legal domicile, applicable extraterritorial laws, manufacturing locations, support locations, each with a risk rating.

**Section B, supply chain transparency:** hardware BOM available, component origins disclosed, counterfeit prevention process documented, sub-supplier security requirements in place, each with evidence reference.

**Section C, certifications:** ISO 9001 and ISO 27001 validity, issuing body, whether the scope covers manufacturing.

**Section D, firmware and patch management:** cryptographic firmware signing, published vulnerability disclosure policy with URL, critical patch SLA in days, published end-of-life schedule.

**Section E, contractual security:** security annex accepted, GDPR Art. 28 DPA signed, incident notification clause, audit right included.

**Section F, overall assessment:** identified risk factors, compensating controls if the vendor is accepted despite risks, decision (approved / approved with conditions / rejected), next review date.

---

### Further Resources [\#](#further-resources "Further Resources")

- [Data Sovereignty Guide](/en/blog/datensouveraenitaet-leitfaden/)
- [US CLOUD Act Explained](/en/blog/us-cloud-act-erklaert/)
- [Avoiding Vendor Lock-In: Strategies for IT Decision-Makers](/en/blog/avoid-vendor-lock-in/)
- [Made in Germany IT Infrastructure](/en/blog/made-in-germany-it-infrastruktur/)
- [Silent Brick System](/en/produkte/silent-brick-system/)
- [Silent Cubes: Hardware WORM Archiving](/en/produkte/silent-cubes/)

### NIS2

The NIS2 Directive (EU 2022/2555) is an EU regulation that obliges essential and important entities to implement specific cybersecurity measures — including demonstrable backup management, crisis management and reporting obligations — with personal liability for management bodies in case of non-compliance.

[Learn more →](https://www.fast-lta.de//en/glossary/nis2)

### US CLOUD Act

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) authorizes US authorities to require US companies to hand over data — regardless of where that data is physically stored, including servers located in the EU.

[Learn more →](https://www.fast-lta.de//en/glossary/us-cloud-act)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### Data Sovereignty

Data sovereignty describes an organization's complete control over its data: where it is stored, who can access it, which legal framework applies to it and whether it is available at any time without dependency on a single provider.

[Learn more →](https://www.fast-lta.de//en/glossary/data-sovereignty)

