
NIS2 and the Supply Chain: Why Do Companies Need to Pay Attention?

NIS-2 and the supply chain

The NIS2 Directive introduces far‑reaching new cybersecurity requirements. Organizations that fall within its scope must not only raise their own security level and review their IT systems and cybersecurity measures for compliance with the NIS2 rules; they must also keep a close eye on the security of their supply chain, which the directive lists explicitly among the required risk‑management measures (Article 21(2)(d), supply chain security).

The supply chain is a security risk because it is a common entry point for cyberattacks. Attacks on service providers or IT vendors are attractive to cybercriminals because one compromise gives them access to many customer organizations at once. Past incidents have shown that a single weak link in the supply chain can be enough to compromise an otherwise well‑protected organization.

NIS2 affects not only the regulated entities but their suppliers as well

Because NIS2 requires regulated entities to manage the cybersecurity of their supply chain, the legal responsibility placed on those entities is effectively passed on to their suppliers. Suppliers must therefore ensure cybersecurity within their own organizations regardless of whether they themselves fall under NIS2. NIS2 does not bind such suppliers directly; the requirements normally reach them through contractual obligations imposed by their regulated customers.

This means that companies not directly regulated by NIS2 may still be indirectly required to implement higher IT security standards simply because they provide services to an entity that is NIS2‑regulated.

This is in line with the recommendations of UP KRITIS, the German public‑private partnership for critical infrastructure protection. UP KRITIS recommends that, where a service provider cannot sufficiently support and demonstrate the level of information security, IT security, and data protection required for the operator's critical services in line with the state of the art, the operator should refrain from using that service.

NIS2 now transfers this principle into a Europe‑wide, cross‑sector regulatory framework: suppliers must be able to demonstrate a security level that meets the requirements of the contracting organization, or they jeopardize their client's NIS2 compliance.

Why the supply chain is a critical attack vector

Many successful cyberattacks in recent years have shared the same pattern: the attackers did not target the primary organization directly but instead infiltrated a less well‑protected service provider and used that foothold to reach its customers.

Typical scenarios include compromised software updates (malicious code delivered through a vendor's legitimate update channel), manipulated cloud services, and the misuse of maintenance access such as remote support accounts or VPN credentials held by a service provider. The more interconnected organizations are, the larger their attack surface becomes. NIS2 therefore deliberately promotes a holistic security mindset and requires organizations to systematically assess and control the risks originating from their suppliers.

What organizations must do now: assess suppliers, define standards, review contracts

To comply with NIS2, organizations need a structured, repeatable process for assessing and monitoring their suppliers. This includes:

  • performing a risk analysis of all service providers,
  • evaluating their technical and organizational security measures, and
  • continuously monitoring compliance with required standards.

Organizations should also review their supplier contracts to ensure that minimum information security requirements are defined, including provisions for incident reporting, audit rights, security certifications, and the flow‑down of obligations to subcontractors. Without clear contractual obligations, an organization risks jeopardizing its own NIS2 compliance.

Support for NIS2 obligations: focus on supply chain assessment

Many organizations now face the challenge of aligning their supplier relationships, internal processes, and contracts with NIS2 requirements. We offer support along the way with a practice‑oriented approach.

Our services include:

  • analysis of your existing supplier relationships and the scope of your obligations under NIS2
  • development of an NIS2‑compliant supplier management process
  • drafting or reviewing contractual clauses
  • strategic cybersecurity consulting across the entire supply chain

With a clearly structured approach, you can ensure that your supply chain does not become a security risk and that you reliably fulfill your NIS2 obligations. Since both legal and technical expertise are needed, we work closely with technical cybersecurity providers to deliver seamless, holistic NIS2 compliance.

Any questions?

We look forward to your enquiry on this and other topics!
Logo: 25 years of Rickert Rechtsanwaltsgesellschaft