NIS2 and Continuous Cyber Assurance: Why Certification Alone Is No Longer Enough
NIS2 Is Not a Compliance Exercise. It Is a Signal.
Most organisations initially approach NIS2 as a governance requirement to be satisfied: map the obligations, update the policies, tick the boxes. That framing misses the more significant shift the Directive represents. NIS2 does not simply extend cybersecurity obligations to a broader population of essential and important entities. It accelerates a transition that was already underway — from compliance-based trust toward evidence-based cyber resilience.
The Directive introduces greater executive accountability, stronger incident reporting requirements, increased regulatory scrutiny, supply chain security obligations and enhanced operational resilience expectations. Crucially, it recognises that organisational resilience depends on supplier ecosystems, not just internal IT controls. This shifts cybersecurity from an internal function to a broader assurance challenge — one that runs through every significant supply chain relationship a regulated entity maintains.
For technology vendors and service providers selling into NIS2-regulated organisations, this shift has immediate commercial consequences. Organisations subject to NIS2 will increasingly demand stronger assurance from their suppliers. Security claims without demonstrable evidence will create growing commercial and operational risk.
The Supply Chain Assurance Problem
Modern organisations rely on increasingly complex software and service supply chains. Most procurement processes still depend heavily on security questionnaires, self-attestations, generic certifications and vendor declarations. These approaches provide limited visibility into the things that actually matter under NIS2: product security maturity, development assurance, vulnerability handling capability, secure deployment practices and operational resilience.
As supply chain attacks continue to increase — and as the regulatory consequences of supply chain compromise become more significant under NIS2 — buyers are demanding stronger assurance evidence. The question is no longer "does this supplier have ISO 27001?" It is: how is security validated? What evidence supports resilience claims? Are vulnerabilities actively managed? Can secure development practices be demonstrated? Has assurance been independently assessed?
These questions represent a broader market transition from compliance-based trust toward substantiated assurance. Vendors unable to answer them credibly will increasingly struggle to maintain positions in regulated or security-sensitive supply chains.
Why Principles-Based Assurance Aligns With NIS2
Principles-Based Assurance (PBA), delivered through the NCSC Cyber Resilience Test Facility scheme, evaluates security outcomes rather than process compliance. Rather than asking whether a defined set of controls has been implemented, PBA evaluates evidence quality, security effectiveness, risk understanding, operational maturity and lifecycle resilience — exactly the dimensions NIS2 requires regulated entities to evidence to their competent authorities.
This alignment is not coincidental. NIS2's risk management requirements are outcome-focused by design. Article 21 requires essential and important entities to implement appropriate and proportionate technical and organisational measures to manage cybersecurity risks — with the emphasis on appropriateness and proportionality relative to the actual risk, not on implementing a prescribed list of controls. PBA's evidence-based, outcome-focused methodology maps directly to this requirement.
For NIS2-regulated entities, CRTF-based PBA assessment provides evidence of supply chain security that satisfies Article 21(2)(d) supply chain security obligations — not through a questionnaire completed by the supplier, but through independently validated assessment conclusions that the regulating entity can present to its competent authority as genuine evidence of supply chain due diligence.
What Buyers Will Ask Vendors
As NIS2 expectations mature, the questions that procurement and security teams direct at vendors will become more specific and more demanding. The transition is already visible in the most sophisticated procurement frameworks, and it will cascade through the supply chain as regulated entities implement their NIS2 obligations.
The questions vendors need to be able to answer credibly are: Can you demonstrate secure development practices? How do you manage vulnerabilities — before they are reported to you, not just after? What evidence supports your security claims — and who validated it? How do you maintain product security over time, not just at the point of certification? Has your product undergone independent assurance, and from whom?
Vendors who can answer these questions with structured, independently validated evidence — CRTF assessment conclusions, current penetration testing from accredited providers, documented vulnerability management processes, maintained SBOMs — will be materially better positioned than those offering questionnaire responses and certification badges.
Preparing for the Next Phase
Forward-looking organisations are already moving beyond minimum compliance toward demonstrable resilience. The practical priorities are consistent: secure development governance, structured evidence collection, product security maturity programmes, independent assurance reporting and supply chain visibility. These are not new obligations invented by NIS2 — they are the operational disciplines that responsible product manufacturers and service providers should already be building. NIS2 provides the commercial incentive to build them faster.
Security claims alone are no longer sufficient. Trust must be substantiated through evidence, validation and demonstrable resilience outcomes. The organisations that build this capability now — before the procurement consequences of NIS2 become universal across regulated sector supply chains — will have competitive and regulatory advantages that are increasingly difficult to replicate quickly.
Key Takeaways
NIS2 signals a broader shift from compliance-based trust to evidence-based cyber resilience — not just for regulated entities but across their entire supply chains.
Supply chain security obligations under NIS2 Article 21(2)(d) require regulated entities to assess and manage the cybersecurity of their suppliers, creating procurement pressure throughout regulated sector supply chains.
Security questionnaires, self-attestations and generic certifications provide limited visibility into the security dimensions NIS2 regulated entities need to evidence to competent authorities.
Principles-Based Assurance evaluates evidence quality, security effectiveness, risk understanding, operational maturity and lifecycle resilience — aligning directly with NIS2's outcome-based risk management requirements.
CRTF assessment provides independently validated evidence of supplier security posture that regulated entities can present to competent authorities as genuine supply chain due diligence.
Vendors unable to answer credibly whether their security has been independently assessed will increasingly struggle to maintain positions in NIS2-regulated supply chains.
Security claims alone are no longer sufficient. Trust must be substantiated through evidence, validation and demonstrable resilience outcomes.
Download the Full Paper
The full paper covers the strategic impact of NIS2 on supply chain assurance; the limitations of traditional compliance models under NIS2 obligations; how Principles-Based Assurance supports NIS2 resilience objectives; the questions NIS2-regulated buyers will direct at vendors; and a practical preparation framework for the next phase of cyber assurance.
Free to download. No registration required.
NIS2 and Continuous Cyber Assurance: Why Certification Alone Is No Longer Enough