OpenChainGraph Suite · ART-145 · wave 26

NIS2 ICT Supply-Chain Diligence Scorer (Art. 21(2)(d) / ENISA)

Score an ICT vendor's diligence posture against NIS2 Article 21(2)(d) supply-chain security requirements and the ENISA framework. Evaluates 7 controls: ISO 27001 certification, incident history, contractual audit rights, breach notification SLA, EU data residency, subcontractor exposure, and availability SLA.

NIS2 Art.21(2)(d)ENISA Framework7 ControlsActive Oct 2024W3C VC §13.11Zero PII

🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.

Scope

Middle node of the nis2-incident-response chain (art-144→145). Scores ICT vendor supply-chain diligence across 7 ENISA-aligned controls. Risk score 0–100+ maps to tiers: low (0–20), medium (21–50), high (51–80), critical (>80). Each active risk flag adds to the score; critical/high tiers trigger NIS2_SUPPLY_CHAIN_REMEDIATION_REQUIRED flag.

Presets

Vendor Certification & Incident History

Vendor holds ISO 27001 certification (current, third-party audited)

Absence adds 20 risk points

Vendor Security Incidents (last 12 months)

Contractual Controls

Audit / right-to-inspect clause in contract

Contractual right to audit vendor security controls; absence adds 25 risk points

Breach Notification SLA (hours) — leave blank if not specified in contract

Data Residency & Infrastructure

Data residency confirmed EU-only

All data processed and stored within EU/EEA; absence adds 15 risk points

Number of Sub-contractors — >3 adds 10 risk points

Service Availability SLA (%) — <99.5% adds 15 risk points

Result

Execution Hash & §4 Artifact

SHA-256 execution hash (JCS canonical — RFC 8785):