
NIS2: Supply Chain Security

Supply Chain Security [Art 21(2)(d), 22]

Rule: Entities must address security risks arising from relationships with suppliers and service providers, including specific security requirements in contracts.

Core Requirement [Art 21(2)(d)]

Cybersecurity risk management measures must address:

security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

And specifically:

supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers

What Supply Chain Means

Relationship           | Example
-----------------------|-------------------------------------------
Direct suppliers       | Hardware vendors, software vendors
Service providers      | Cloud providers, managed services, SaaS
Development partners   | Outsourced development, contractors
Maintenance providers  | IT support, system integrators

Risk Assessment for Suppliers [Art 21(2)(d)]

Must assess:

  • Supplier’s security practices — Do they have adequate controls?
  • Dependency criticality — How critical is this supplier to operations?
  • Data access — What data can the supplier access?
  • System access — What network/system access do they have?
  • Geographic risk — Jurisdiction and geopolitical considerations

Contractual Requirements

Contracts with suppliers should address:

Element                  | Purpose
-------------------------|------------------------------------------------------
Security requirements    | Minimum security measures the supplier must implement
Incident notification    | Supplier must notify you of security incidents
Audit rights             | Right to audit or request certifications
Subcontractor controls   | Supplier's obligations for their own suppliers
Termination provisions   | Data return/deletion on contract end
Compliance certification | Regular attestation of compliance

Due Diligence Process

Before engagement:

  1. Security questionnaire — Assess supplier security posture
  2. Certification review — Check ISO 27001, SOC 2, etc.
  3. Risk classification — Categorize by access and criticality
  4. Reference checks — Security track record

During relationship:

  1. Ongoing monitoring — Review supplier security status
  2. Incident tracking — Monitor for supplier breaches
  3. Contract compliance — Verify contractual obligations met
  4. Annual review — Reassess risk and controls

Coordinated Security Risk Assessments [Art 22]

The EU and Member States may conduct coordinated security risk assessments of critical supply chains (following the model of the EU coordinated 5G security risk assessment):

  • Coordinated at EU level by the NIS Cooperation Group
  • Results may inform procurement requirements
  • May result in specific product/vendor restrictions

ICT Products and Services

Special attention for ICT supply chain:

  • Hardware — Risks of backdoors, tampering
  • Software — Vulnerabilities, malicious code
  • Cloud services — Data sovereignty, availability
  • Managed services — Access privileges, incident handling

Practical Checklist

For critical suppliers:

Check                             | Frequency
----------------------------------|----------
Security certification current?   | Annual
Incident history review           | Quarterly
Access permissions appropriate?   | Quarterly
Contract terms enforced?          | Annual
Subcontractor list updated?       | Annual
Exit plan current?                | Annual

High-Risk Supplier Indicators

Indicator                  | Risk
---------------------------|-----------------------
No security certifications | Weak security program
History of breaches        | Pattern of incidents
Refuses audit rights       | Transparency concerns
High staff turnover        | Insider risk
Single point of failure    | Concentration risk
Opaque subcontracting      | Unknown exposure

Supplier Categorization

Category  | Criteria                                          | Controls
----------|---------------------------------------------------|--------------------------------------------------------------------
Critical  | Essential to operations, access to sensitive data | Full due diligence, annual audits, strong contractual controls
Important | Significant but not essential, limited access     | Standard due diligence, certification review, contractual controls
Standard  | Limited impact if compromised                     | Basic due diligence, standard terms

Integration with Art 21 Measures

Supply chain security links to other requirements:

  • Risk analysis (a) — Include supplier risks in assessment
  • Incident handling (b) — Include supplier incident procedures
  • Business continuity (c) — Plan for supplier failure
  • Secure development (e) — Secure supplier code, dependencies

Citation

Art 21(2)(d), Art 22, Directive (EU) 2022/2555

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.
