Case Study, June 26, 2026

Supply Chain Due Diligence


Problem

If a regulation requires you to assess the risk of your AI supply chain, how do you prove you actually did the work rather than ticking a box? For companies in scope under NIS2 the question is not optional. The directive requires proper third-party risk assessments and vetting, and AI suppliers fall squarely inside that obligation. The difficulty is that "assess your supply chain" is easy to write into a directive and hard to operationalize across dozens of vendors, each arriving with its own posture and its own documentation.

The deeper trap is the same one infrastructure operators learned about their cloud AI tools: you remain responsible for whatever you build on a supplier's platform, while the supplier disclaims liability for it. The deployer therefore inherits risk from every provider in the chain and must be able to show, on demand, that the inheritance was assessed rather than assumed. Building that demonstration from scratch for each supplier is slow, inconsistent, and difficult to defend when an auditor asks to see the evidence.

Solution

A recognized governance framework works as a shortcut to demonstrable due diligence because it gives both sides a common standard to point at. When a supplier holds a credential such as ISO 42001, the assessing company can lean on that certification rather than reconstructing the entire evaluation itself. Major platform vendors already operate this way, treating the right certification as sufficient evidence that AI requirements are met. Modulos structures both halves of the exchange. Upward, every quantified risk links to its mitigating controls and to the evidence that proves them, in an audit-defensible chain, so demonstrating diligence to your own regulator becomes a query you can answer on demand. Downward, the platform itself carries the world's first ISO 42001 product conformity certificate, a concrete piece of evidence a customer can present when proving that the AI tools in their supply chain were vetted.

The result is a supply chain risk process that is consistent, repeatable, and auditable rather than a folder of ad hoc emails. Each supplier relationship is documented against the same standard, so demonstrating due diligence turns into a query rather than a fresh project every time. Used this way, governance frameworks convert a regulatory burden into a mechanism for moving faster with the suppliers who can prove they are trustworthy.

NIS2 obliges us to vet our AI supply chain properly, and "we asked around" is not a defensible answer. Modulos lets us run every supplier against the same standard, so our due diligence is documented and we can lean on certifications instead of starting from zero each time.

Head of Compliance, NIS2-Regulated Enterprise
