The European NIS2 Directive aims to strengthen the digital resilience of organizations as well as their suppliers. This means that companies need to understand not only their own cyber risks, but also those of their suppliers. This raises an important question for many organizations: what does this mean for our supplier management?
NIS2 is a European directive that each country is translating into national legislation. This has already happened in a number of European countries. In the Netherlands, we expect the law to take effect in the second quarter of 2026. Many companies covered by NIS2 are wondering what exactly they need to do to comply with these new rules.
Robert van Vianen, Partner BDO Digital, recently discussed the introduction of NIS2 and the impact on supplier management with Jasper Nagtegaal, Director of Digital Resilience at regulator RDI, Noël Jansen, Senior Manager BDO Digital, and Bas Dijkhuizen, Head of Competence Center Infrastructure at HERO.
In practice, Van Vianen sees companies focusing primarily on compliance and looking for tools to comply with NIS2. According to him, there are no ready-made answers or lists to tick off. He advises companies to start from a risk analysis of their own organization and talk to suppliers. Where are the risks? And how can suppliers help address them?
Many companies already have procedures in place to assess risk at their suppliers. For them, therefore, implementing supplier management according to NIS2 does not start from scratch. It is mainly about coordination. Here, management plays an important role, but departments such as legal and supply chain must also be involved. Moreover, processes set up for other laws and regulations, such as ESG, also contain components useful for NIS2.
It is up to companies to determine what suppliers, to the extent they are not covered by NIS2, must comply with. In practice, having ISO certification is often a good starting point. For critical suppliers, an audit or right-to-know can be applied. Another option is to create scenarios of what happens if a supplier defaults. While the focus is often on suppliers, it is just as important to set up one's own organization to respond quickly to potential risks.
As a supervisor, Jasper Nagtegaal advises companies to start strengthening their digital resilience now. 'Talk to your suppliers and make them jointly responsible. Look together at what is important and take measures accordingly.' According to him, it is important that companies do this well themselves. 'Supervision is based on: tell me, show me and prove me. The supervisor will not only look at whether you comply on paper, but will also want to see proof in policy, audits and certifications. Even reports to management will be included to see how seriously the issue is taken.'
Van Vianen emphasizes that companies need to set their strategy now and get started. There is no reason to wait until all the details are clear; what you set up now, you can always improve later. The key question you need to ask yourself is, "What happens when things go wrong with a supplier?" With that question, you can explain to the entire organization where the risks lie.