Supply Chain Security

Supply chain security is about assessing and managing cybersecurity risks from your suppliers and service providers. Under NIS2, it is a legal requirement to map which suppliers pose a security risk and to actively address those risks.



    What is supply chain security?

    Supply chain security covers the processes and controls that ensure your organisation's cybersecurity is not compromised through the suppliers, partners and service providers you depend on.

    Attacks via the supply chain have increased dramatically. Examples such as the SolarWinds attack have demonstrated that even well-managed organisations can be compromised through trusted suppliers' systems. NIS2 addresses this directly by making supplier assessment a legal requirement.

    NIS2's requirements for the supply chain

    NIS2 Article 21(2)(d) requires that organisations implement security measures regarding supply chain security, including security-related aspects of the relationship between the organisation and its direct suppliers or service providers.

    This typically means you must:

    • Identify and map critical suppliers and service providers
    • Assess the security risks these suppliers pose
    • Ensure that contracts with critical suppliers contain appropriate security requirements
    • Continuously monitor suppliers' security posture
    • Have a plan for handling supplier-related incidents


    Remember the chain behind your suppliers:
    NIS2 covers not only your direct suppliers but also the chain behind them. Ask your critical suppliers which sub-suppliers they use for critical services.

    What should you do in practice?

    A practical approach to NIS2's supply chain security requirements includes these steps:

    • Map your suppliers: Create a register of all suppliers with access to your systems or data.
    • Risk-assess your suppliers: Classify suppliers by risk – critical, high, medium, low.
    • Contracts and requirements: Ensure that contracts with critical suppliers contain requirements for security standards, audit rights and incident notification.
    • Ongoing monitoring: Conduct periodic assessments of critical suppliers' security posture.
    • Documentation: Document your supplier management as part of your overall NIS2 compliance.

    Frequently Asked Questions about Supply Chain Security

    What does NIS2 require regarding supply chain security?

    NIS2 Article 21 requires that organisations assess and address security risks from suppliers and service providers. This includes assessing suppliers' security practices and contractual obligations regarding security.

    Which suppliers must be assessed under NIS2?

    As a starting point, all suppliers and service providers that have access to, or supply components for, your critical systems. This particularly applies to IT suppliers, cloud service providers, managed security service providers and software vendors.

    Does NIS2 cover sub-suppliers as well?

    Yes. NIS2 covers not only your direct suppliers but also the chain behind them. You should ask your critical suppliers which sub-suppliers they use for critical services and how they manage those risks.

    How should suppliers be risk-assessed under NIS2?

    A risk-based approach involves classifying suppliers by their level of access to sensitive data or critical systems, their criticality to business operations, and their own security maturity. High-risk suppliers should provide documentation of their security level.

    What contractual requirements should be included for critical suppliers?

    Contracts with critical suppliers should include requirements for security standards, audit rights, incident notification, data protection obligations and the right to terminate in the event of serious security breaches.
