"Six in 10 suppliers who are familiar with the NIS2 rules think that the NIS2 rules apply integrally to suppliers to NIS2 companies." This mistaken assumption was revealed in the flash poll Perception of NIS2 Regulations among Suppliers that the Digital Trust Center commissioned in September 2024.
Meanwhile, the NIS2 Directive has been incorporated into the Cybersecurity Act (Cbw) and sent to the House of Representatives. The Cbw imposes a heavier duty of care on an estimated 8,000 organizations in so-called critical sectors when it comes to their digital security. Much clarity has already been provided on the measures that organizations covered by this law must take. For the thousands of companies that supply to these Cbw organizations, however, the effect of the Cbw is still unclear, according to the flash poll.
"The law does not impose any obligations on suppliers to these Cbw organizations. Nevertheless, the law does affect suppliers, because it is likely that Cbw organizations will impose additional requirements on their suppliers to secure the chain," said Jacco van der Kolk of the Digital Trust Center.
The Cbw requires Cbw organizations to ensure that their supply chain is secure (Art. 21(3)(d)). Cbw organizations may require their suppliers, defined more precisely below, to take measures resulting from a risk-based approach. As a result, this new cyber law may have an indirect impact on suppliers.
If there is a risk to the Cbw organization's network and information systems through a direct supplier or service provider, the Cbw organization must take measures (or have them taken). Indirect suppliers, i.e. suppliers of subcontractors, are thus outside the scope of this law.
Cbw organizations must identify risks in the supply chain with the goal of protecting the network and information systems, and the physical environment of those systems, from incidents. In this risk inventory, the legislature requires an "all hazards" approach. This means looking at all hazards to the network and information systems. So it is not just about digital security, but also about the physical security of the location where the systems to be protected are housed.
The criteria are not explicitly stated in the law, but if your supply relationship with a Cbw organization includes any of the following, chances are you will appear in a chain risk assessment.
You provide services or products related to network and information systems of a Cbw organization;
You provide an ICT component of a Cbw organization's network or information systems;
You will have access to the network and information systems of a Cbw organization.
If you have any of the above chain relationships to a Cbw organization, it may require you, as a direct supplier, to take mitigating measures to manage existing risks.
If a supplier poses a risk to the Cbw organization's network and information systems, the supplier may be required to take measures. These may be technical, operational or organizational measures. Not every measure can be required of a supplier. The law requires Cbw organizations to take "appropriate and proportionate" measures. So the effectiveness of the measure is important; the right measure in the right place.
Whether the measures are appropriate and proportionate is something a regulator can determine when the Cbw organization is audited for its chain security duty. Suppliers themselves are not under supervision and are not accountable to a supervisor. However, the Cbw organization can ask for proof that the measures have been taken so that this can be shown to the supervisor upon request.
There are no hallmarks or certificates with which you can demonstrate that your organization complies with the Cbw provisions. After all, which measures should be taken depends entirely on the company-specific risk analysis. Moreover, complying with the Cbw's duty of care is not a snapshot, but an ongoing activity and responsibility. This also applies to the efforts made by suppliers for supply chain security.
Some suppliers like to demonstrate their level of digital resilience through a cybersecurity certificate or seal of approval. This is voluntary; there is no legal provision forcing a supplier to do so.
Suppliers who pose a risk to a Cbw organization's network and information systems through their supply relationship can start working on increasing their cyber resilience ahead of time. The 5 basic principles of digital resilience offer a handy guide to identify where your defenses can be improved. Those who have the basics in order can take more in-depth measures.
Cbw organizations can also get started on the 10 duty of care measures. And, of course, with inventorying the suppliers that pose a supply chain risk.
In addition to taking preparatory measures, the Digital Trust Center calls on chain partners to actively seek dialogue. Be open about your security approach, systems and processes, and focus on the essential cyber risks for the chain. Record agreements and, where possible, prepare for incidents together.