NIS2 Supply Chain Security

A NIS2-covered entity must implement appropriate and proportional technical, operational and organizational measures to ensure supply chain security. NIS2 establishes standards for assessing NIS2 supply chain security.

NIS2 Supply Chain Security explained

NIS2 entities are responsible for the cybersecurity of their supply chain. Your liability includes your direct suppliers and service providers, as well as their suppliers. NIS2 entities must monitor and manage (a) the potential vulnerabilities of each direct supplier, (b) the general quality and resilience of their products and services and (c) how well the supplier implements relevant cybersecurity requirements (Article 21:2 point d).

NIS2 supply chain security will impact how IT suppliers are evaluated in a procurement process within the public sector, not the least. This requirement will be applied in parallel with the requirements for security and privacy of the GDPR.

Standards to assess supply chain security

NIS2 introduces three mechanisms to guarantee supply chain security:

1. Coordinated risk assessment, a procedure carried out on the EU level to assess the risk of a specific supply chain;
2. National risk assessment, a procedure available to the EU member states that allows for an expansion of NIS2 to entities of national importance and
3. Internal risk assessment, an obligation for the NIS2 entity to perform their risk assessments of their supply chain.

Internal risk assessment of NIS2 supply chain security

When validating your NIS2 supply chain security, you should consider the following:

• overall quality in products and services;
• overall resilience in products and services;
• embedded cybersecurity risk-management measures in products and services;
• secure development procedures;
• legally binding obligations in supply chain contracts (all from recital 85);
• exercise increased due diligence in selecting a managed security service provider (recital 86);
• exercise increased due diligence in cooperating with academia and research institutions (recital 88) and
  • exercise increased due diligence in relying on third-party service providers’ data transformation and data analytics (recital 88).

You may ensure the supply chain security through (a) requirements on security levels in the supply chain, (b) certifications such as ISO 27001:2022 Annex A, SOC2, upcoming ENISA certifications of EUCS and EUCC, (c) requesting external security reports and audits (e.g. SLA/QoS, Pen-tests, Redunancy, encryption, etc.).

An example of (a) above is the Complementary Subservice Organization Controls (EUCS – CSOC) relevant to the coming EUCS certification on cloud services. Controls for NIS2 entities’ use cases classified as ”substantial”, ”high”, and ”high+” may state controls like access control, authentication protocols, data encryption, data sovereignty and contractual requirements.

Start with a desktop assessment of a supplier’s NIS2 supply chain security

Start your initial assessment by listing the sub-suppliers/services (sub-services) that are important for the operation of the service, IT-systems, digital services e.g. a cloud service (CSP), including SCADA/Operational Technology processes. The following must be clear:

1. The role and name of the subservice;
2. Scope of functions/services provided;
3. Which requirements CSOC apply to the subservice and its supplier providing it.
4. Assurance from the supplier that the sub-service complies with the CSOC controls defined by your cloud service provider (CSP);
5. Assurance that the CSP complies with the sub-service provider’s requirements for secure operation of their service (i.e. properly implemented);
6. Assurance that CSP assumes responsibility for regular checks of the sub-service are carried out;
7. Other information that substantiates the subcontractor and their sub-services (e.g. certifications, SOC2 reports, etc.)

Base your requirements on what can be considered relevant and proportionate in relation to the nature and complexity of your business operations. NIS2 allows for a risk-based holistic perspective on risk. Present the management with your assessment and recommendations on how you will ensure the security of your supply chain.

What to ask your supplier to assess their NIS2 readiness

NIS2 supply chain security requires a new dialogue with your existing suppliers. Plan and hold meetings with your critical and important suppliers to cover the obligations under NIS2.

Some key questions to ask your critical suppliers:

• What is their view of NIS2, and how they are affected?
• What is out of scope?
• How far have they come in their NIS2 compliance work?
• What frameworks and standards are part of their cybersecurity program?
• Ask specific questions regarding the quality, resilience, embedded measures, and secure development procedures.
• How many suppliers and service providers are part of their value chain?
• Ask specific questions on how they view and manage an incident, reporting, and mitigation.
• Ask specific questions about how they practically would go about informing you of an incident. Who, when and how will your organisation be notified?
• Ask for statistics on reported incidents and near incidents to gather more information on their cybersecurity maturity.
• Ask for feedback on your NIS2 adapted minimum security requirements appendix to gauge if you are asking for relevant, proportionate and cost-efficient safety requirements.

Take the dialogue in phases and include the process and data owners, as well as cyber security and legal competencies.

Create a snapshot of each critical supplier’s cybersecurity maturity level and outline an action plan. Keep it internal at first, and when you have validated the observations, invite the supplier as relevant in solving the issues with your team.

What to include in the supply agreement

Once you have a well-thought-out maturity assessment and action plan, you may adapt your contractual documents. Build upon what is good and strengthen the reporting, governance, training and incentives for transparency and collaboration.

Agreements may vary, but generally, the following topics are worth covering:

• Right to perform regular risk assessments of material suppliers, including e.g. method, time intervals, and consequences.
• Obligation to adhere to your organisation’s minimum security requirements
• Include a chapter on how to manage an incident, agree on definitions of an incident and near incident, periods and deadlines, form of notification, and get practical.
• Mechanism for the supplier to audit its subsuppliers and reporting
• Obligation on the supplier to report vulnerabilities
• Transparency requirements can include organisation, resources, material changes in security and privacy practices, organisation, etc.
• Obligations to perform training on
• Governance mechanisms on dialogue and proactive planning include practical details.
• Risk mitigation
• Consequences in case of failure

How to plan a recurring audit

Develop a process and procedures for regular risk assessments of critical suppliers. Take a risk-based approach and focus on the suppliers that you have identified as most critical both for your infrastructure and for your offerings to customers.

Consider what type of review would be suitable – a formal audit performed by a third party?, a limited risk assessment performed by IT Sec and in-house legal?, or something else?

Agree on the form, scope, and procedure for the review with the supplier. Insert the necessary language in your agreement. How much is a relevant ISO certification or SOC2 report worth in the context of your review of supplier security? Take this into consideration when determining the scope of the review.