There’s a reason I’m publishing a blog post about supply chain security under NIS2 this month:
Every year in Europe, October is Cyber Month, when we focus on digital security and cyber hygiene.
An essential way to do that is by helping you and other NIS2-affected companies ensure supply chain security – and compliance.
In your preparation, I suggest that you follow these 8 steps:
The NIS2 Directive aims to strengthen cybersecurity in the EU by imposing stricter requirements for network and information systems in critical sectors.
This means that organizations in these sectors – also known as essential and important entities in NIS2 – must manage security in supplier relationships.
The most important part of your NIS2 work is to assess whether your organization has adequate security and the right measures in place in the supply chain. This is to manage the risks in the network and information systems you use for operations or to deliver services.
It’s a good idea to ensure security throughout your supply chain but start with the suppliers that are most critical to your business and your cybersecurity.
In practice, the requirement applies to the network and information systems that your organization did not build itself but that are provided by your direct suppliers.
You need to map suppliers to prove that you’ve made sure they have adequate security. You should start with your direct, critical suppliers.
A question that can help you along the way is:
To ensure a comprehensive assessment of your suppliers’ importance and security, you must identify and document the critical assets they provide to you.
Assets can include IT systems, OT (operational technology), hardware, databases and network infrastructure (such as Wi-Fi).
It’s important to assess the risks of using your organization’s suppliers.
In a risk assessment, you need to identify the vulnerabilities specific to each of your direct suppliers and service providers, as well as the overall quality of the services they deliver (meaning your assets) and their cybersecurity practices.
NIS2 requires you to assess the likelihood and severity of incidents, including their societal and economic impact.
If a supplier is exposed to a cyberattack, for example, it could disrupt or compromise the services you rely on: an attack on a cloud service could lead to data loss and downtime.
You should ensure adequate security measures around the assets the supplier provides. This should be seen as the ‘sum’ of the security measures of your organization and your supplier.
For example, an IT system provided by a professional party will often have sufficient technical security measures.
However, if you do not implement organizational security measures such as confidentiality and user access restrictions, and the system is used in an insecure manner, the supplier’s security measures may be ineffective.
Your risk assessment will shed light on the measures you need to implement.
International standards can give you a systematic approach to ensuring security in your organization’s supply chain – and can therefore also help you document your NIS2 compliance.
These include standards such as ISO 27002, ISO 27036-2, the CIS 18 Controls, and the ISA/IEC 62443 series.
One of the minimum requirements of NIS2 (Article 21(3)(2)) is that as a covered organization, you must “take into account the results of the coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1)” when doing risk assessments.
These coordinated security risk assessments will be conducted at the EU level to ensure security in specific critical services, systems, and production supply chains.
We’re still waiting for them to be finalized.
When that happens, you must take the results of these coordinated assessments into account when assessing what measures you need to implement to ensure adequate supply chain security.
The NIS Cooperation Group already has several publications to include in your risk assessments.
For example, they’ve made a coordinated security risk assessment of the 5G network.
As NIS2 is a directive, it needs to be implemented in your country as national legislation before the rules apply to your organization. This means you must consider how the parliament in the country you operate in chooses to implement the requirements of NIS2.
For instance, it may choose to introduce stricter requirements for utility companies.
As a rule, only organizations covered by NIS2 must comply with these requirements.
However, because “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers” is at the center of NIS2, your suppliers may be indirectly covered by the NIS2 requirements.
Therefore, once you have completed the preparatory part of the NIS2 work by mapping your direct critical suppliers, you also have an overview of the NIS2 requirements that you should oblige your suppliers to comply with – and, not least, to document.
In other words, you should set contractual requirements for your suppliers to ensure that they have their NIS2 implementation and documentation in place by, for instance:
This is to make sure that your organization can meet and document your supply chain responsibilities under NIS2.
Those were the 8 steps that lay a solid foundation for security in your supply chain.
However, the work doesn’t stop there. Compliance tasks await you in your ongoing supplier relationships and when you need to terminate a supplier.
If you need help – and a customized checklist – for all compliance tasks related to your supplier relationships under NIS2, feel free to grab our guide here.