Your EHR vendor, PACS provider, and cloud infrastructure partner all have direct access to patient data and clinical systems. A compromised supplier does not just create a compliance finding; it halts operations. NIS2 and GDPR now require structured, documented vendor risk programmes for hospitals and healthcare entities above the essential entity threshold. Supplier Shield gives you the register, the assessments, and the audit trail.
§ The challenge
NIS2 transposition is complete across most EU member states. National supervisors are in active inspection mode. Healthcare entities are a priority enforcement sector, and supervisory questionnaires and on-site inspections are already underway.
NIS2 Article 21(2)(d) requires documented security measures for every supplier that could affect your security posture. For most healthcare teams, this is still done by email. Questionnaires go out. Responses are filed in shared drives. No scoring, no monitoring, no audit trail. When a supplier has a breach, you find out when they call you.
Every vendor processing patient data, staff records, or operational health data must have a current, compliant data processing agreement. Sub-processor changes, new EHR integrations, and cloud migrations create gaps that go undetected for months. A single DPA audit finding can trigger a full supervisory review.
Most healthcare organisations run their vendor risk programme with one to three people covering hundreds of suppliers across clinical, IT, facilities, and procurement. Without a structured system, the team is always catching up, never ahead. Evidence sits across email threads, shared drives, and individual inboxes.
§ How we help
One structured platform for supply chain security assessments, DPA governance, and continuous monitoring, built for small compliance teams managing large supplier bases.
Run formal security assessments for every relevant vendor category.
Structured questionnaires aligned to NIS2 Article 21 requirements: network security, access controls, incident response capability, and physical security. Track contractual security requirements and monitor compliance status continuously. Vendors respond via a secure browser link with no account required.
Maintain a live register of all data processing agreements and sub-processor chains.
Document every DPA, track review dates, and auto-flag when vendors change sub-processors or expand data processing scope. Integrates with your GDPR compliance programme inside Acuna GRC. No more chasing DPAs by email.
Every assessment, finding, and remediation action: immutable, timestamped, and exportable.
When your national NIS2 supervisor or external auditor asks for evidence of your supply chain security measures, you export a structured pack in one click. No manual assembly, no reconstructing email threads from 18 months ago.
§ Why us
Acuna GRC is hosted in Switzerland, which holds a GDPR adequacy decision. Transfers to Supplier Shield are lawful under GDPR Article 45 without additional safeguards. For healthcare DPOs managing sensitive personal data, this is a simpler legal basis than standard contractual clauses and aligns with the expectations of most national data protection authorities.
Most tools cover either security assessments or DPA tracking, but not both. Supplier Shield handles NIS2 Article 21 supply chain security assessments and GDPR Article 28 processing agreement governance in the same vendor record. One entry per supplier, no data duplication, no separate systems to reconcile.
Healthcare compliance teams cannot afford a 6-month implementation. No custom development, no infrastructure work, no professional services engagement to get started. Import your vendor list, configure supplier tiers by clinical and data risk, and send your first NIS2-aligned assessments. Your team runs the programme; the platform handles the process.
§ Regulatory obligations
These are the specific articles that national supervisors, certification bodies, and external auditors will verify. Supplier Shield maps your vendor programme to each one.
Essential entities must implement security measures addressing risks in the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers and service providers.
Incidents caused by third-party suppliers must be reported to national CSIRTs within 24 hours of awareness. Supplier Shield tracks supplier-related incidents and maintains the evidence chain for notifications.
All vendors processing personal data on your behalf must have a current DPA with mandatory clauses including sub-processor disclosure, data subject rights facilitation, and deletion obligations.
For healthcare entities using medical device software, supplier qualification requirements under MDR/IVDR may apply. Supplier Shield documents the applicable QMS and certification evidence per vendor.
§ Acuna GRC
Supplier Shield is the TPRM module inside Acuna GRC. Your vendor assessments connect directly to your GDPR record of processing activities, NIS2 risk register, and internal audit workflows, all on one Swiss-hosted platform.
§ Platform capabilities
Supplier Shield is the TPRM module inside Acuna GRC. Here is what the full platform means in practice for a healthcare organisation managing both NIS2 and GDPR vendor obligations.
The Acuna Data Protection module maintains your record of processing activities and tracks every data processing agreement, linked directly to the same vendor record used for NIS2 security assessments. When a medical imaging vendor changes their cloud sub-processor, both the security and the DPA record update in one place.
A supplier security assessment satisfies NIS2 Art. 21 and ISO 27001 A.15, and generates the evidence for your GDPR Art. 28 DPA review at the same time. In Acuna, one control maps to all applicable frameworks, with no duplicate assessments and no inconsistent conclusions across your compliance programmes.
Your medical device vendors, EHR providers, and cloud suppliers are continuously scanned for breach exposure, DNS hygiene, TLS configuration, and threat intelligence signals. Composite A–F grades update automatically. You see a supplier's posture change the moment it does, without waiting for the next annual questionnaire.
Ask Aiko: "Which of our vendors are processing patient data without a current DPA?" or "Show me all suppliers with a security grade below C that have access to our EHR." Answers from your live data in seconds. NIS2 supervisory preparation that used to take a day takes minutes.
Launch a full NIS2 supply chain security assessment across all your medical device vendors in one session. Select the template, choose the supplier group, personalise the outreach, and track completion from one dashboard. Automated reminders follow up without any manual chasing from your team.
Full platform overview: Acuna GRC cloud platform
§ FAQ
It is not too late, but the window is narrowing. Most national supervisors are now in active inspection mode, not a grace period. The good news is that Supplier Shield is designed to get you from zero to a structured programme quickly. Most healthcare teams complete their initial vendor register, send their first NIS2-aligned assessments, and have a defensible evidence base in place within 30 days.
Healthcare providers are explicitly listed as essential entities under NIS2 Annex I. This includes hospitals, private clinics, reference laboratories, medical device manufacturers where they also provide digital services, and pharmaceutical manufacturers. If you are unsure about your classification, our advisory team can assist.
Any organisation providing ICT services, software, or hardware that supports your healthcare operations: cloud providers, EHR vendors, PACS systems, diagnostic software suppliers, medical device integrators, IT managed service providers. NIS2 is broad. If a compromise of the supplier could affect your security posture, they are in scope.
The platform maintains a structured register of all your data processing agreements, vendor by vendor. Each entry tracks DPA version, review date, sub-processor disclosures, and compliance status. When a vendor notifies you of a sub-processor change, you log it, review the impact, and update the DPA record, all with an immutable audit trail.
Yes. Supplier Shield operates as the TPRM module within Acuna GRC, which supports integration with existing ISMS documentation (ISO 27001) and can align with QMS structures. Our advisory team handles implementation and scope mapping.
Talk to our team about your current supplier base. We will map your NIS2 and GDPR obligations to Supplier Shield and show you which vendor categories need immediate attention before your next supervisory review.