On 13 February 2026, the NIS Cooperation Group — comprising EU Member States, the European Commission, and ENISA — adopted the EU ICT Supply Chain Security Toolbox. This is the first EU-level framework specifically designed to help organizations identify, assess, and mitigate cybersecurity risks across their ICT supply chains.
Why a Supply Chain Toolbox Matters
Supply chain and third-party compromises are now the second most frequently cited cybersecurity concern across EU organizations, according to ENISA's 2025 NIS Investments report. The ENISA Threat Landscape confirms the trend: cybercriminals are increasingly targeting dependencies rather than the primary organization.
NIS 2 Article 21(2)(d) already requires supply chain security management. What the toolbox provides is a structured methodology for how to do it — something many organizations, especially SMBs, have been asking for since the directive took effect.
What the Toolbox Contains
The toolbox outlines risk scenarios and recommends mitigation measures across three pillars:
- Critical supplier assessment. A methodology for evaluating the cybersecurity posture of your most important ICT suppliers. This covers security certifications, incident response capabilities, and data handling practices — aligned with what national competent authorities (NCAs) are asking for during audits.
- Multi-vendor strategies. Guidance on reducing single-supplier dependencies. If your organization relies entirely on one cloud provider, one ERP vendor, or one managed security service, the toolbox recommends documenting the risk and planning alternatives.
- High-risk supplier management. Approaches to handling suppliers that pose elevated risk — whether due to jurisdiction, security posture, or strategic dependencies. This includes both technical mitigations and contractual controls.
The Trusted ICT Supply Chain Framework
Alongside the toolbox, the revised Cybersecurity Act (proposed January 2026) introduces a trusted ICT supply chain framework focused on non-technical risks — including foreign interference and strategic dependencies. While this framework is still in the legislative pipeline, it signals the EU's intent to address supply chain security holistically, not just at the technical level.
Practical Steps for Your Organization
You don't need to wait for the trusted framework to act. The toolbox is available now and directly actionable:
- Tier your suppliers. Separate critical ICT vendors (hosting, security, core SaaS) from standard suppliers. Apply proportionate assessment intensity.
- Run assessments using the toolbox methodology. The framework aligns with what NCAs expect under NIS 2 compliance audits. Using it now creates defensible evidence of due diligence for those audits.
- Review contracts for security clauses. Right to audit, incident notification obligations, sub-processor controls, and termination rights for security failures should be standard in your critical supplier agreements.
- Document your dependency risk. If you have single-vendor dependencies in critical functions, document the risk, the mitigation strategy, and any diversification plans.
How ShieldBase Aligns
ShieldBase's supply chain module was built around the same principles the toolbox now formalizes: tiered supplier assessments, AI-powered risk scoring, contractual clause templates, and ongoing monitoring. If you've been using ShieldBase for vendor management, your existing documentation already maps to the toolbox's recommended approach.