
topicnews · September 19, 2024

Free download: Building blocks for contracts with IT service providers and suppliers


What does the NIS 2 Directive require in relation to the supply chain?

The NIS 2 Directive obliges the companies within its scope to carry out comprehensive cybersecurity risk management.

Article 21 requires those companies to take appropriate and proportionate technical, operational and organizational measures, which expressly include the security of the supply chain.

The focus is not only on the specific vulnerabilities of each direct supplier, but also on the overall quality of the products and on the cybersecurity practices of the service providers and suppliers themselves, including the security of their development processes. Article 22 additionally provides for coordinated risk assessments of critical supply chains at EU level. Sector-specific regulations such as DORA, which will set the IT security benchmark for the financial services sector in the future, contain comparable requirements.

Who are the obligations aimed at?

The requirements of the NIS 2 Directive are aimed at essential and important entities within the scope of the Directive. These are mainly medium-sized and large companies in certain sectors (e.g. energy, health, chemicals, food), but also operators of digital infrastructure. A much larger number of companies are indirectly affected as suppliers or service providers to these essential and important entities.

NIS-2 also addresses the management level personally. Because of the accompanying liability rules, management will in future have to ensure that suppliers and service providers are selected and monitored properly.

What do service providers and suppliers need to consider?

Companies in the supply chain of an essential or important entity can be required by their customers, as part of the customer's risk and supply chain management, to meet security standards that satisfy NIS-2. For service providers and suppliers, this means preparing for such requests and establishing basic security measures in the company in good time. Supplier audits as well as certifications and attestations play a major role here.

Authors: Anna Flor (Managing Director MORGENSTERN consecom GmbH, lawyer & data protection officer (IHK) www.morgenstern-privacy.com), Ragna Rösner (lawyer for IT and data protection law, MORGENSTERN consecom GmbH www.morgenstern-privacy.com)