NIS2 and the Supply Chain: How Cybersecurity Builds Trust and Strengthens Partnerships

In the age of accelerating digital transformation, trust in business partners is no longer based solely on reputation, references, or market position. Increasingly, the level of maturity in cybersecurity risk management plays a decisive role. The introduction of the NIS2 Directive and the accompanying Commission Implementing Regulation (EU) 2024/2690 establishes specific obligations in the area of supply chain security, the implementation of which may become a significant competitive advantage.

Today’s organizations operate within a dense web of technological dependencies. An incident affecting a single partner—be it a hardware supplier, ICT service provider, or software vendor—can disrupt the continuity of the entire operational ecosystem. According to the NIS2 Directive, the protection of digital assets should not stop at the organization’s boundaries but must also extend to partners, service providers, and subcontractors.

Cyber Awareness as the New Currency of Business Trust

Meeting NIS2 requirements brings benefits that go far beyond regulatory compliance. It fosters trust in the eyes of clients, investors, and business partners. Organizations characterized by a high level of cybersecurity awareness are perceived as stable, resilient to disruptions, and reliable in long-term cooperation. Their key advantages include:

  • increased attractiveness to large corporate entities and public institutions,
  • greater resilience to reputational risks associated with cybersecurity incidents,
  • enhanced competitiveness in tenders where NIS2 compliance becomes a prerequisite for participation.

Cyber maturity strengthens not only the position of the individual organization but also the resilience of the entire supply chain—particularly vital in critical sectors such as healthcare, transport, energy, and manufacturing.

Key Supply Chain Security Obligations under NIS2

1. Supply Chain Security Policy

Every organization should develop a document that outlines the principles of cooperation with ICT suppliers and service providers, clearly indicating its own role in the value chain.

An effective first step is to inventory all existing—even informal—procedures used in collaboration with partners. Based on this, a structured policy can be drafted. It should have an internal (operational) version as well as a simplified one for external partners, for example, as an annex to contracts. Assigning responsibility for updating the document (e.g., to an IT or procurement team) is also advisable.

2. Supplier and Service Provider Selection Criteria

The partner qualification process must take into account, among others:

  • cybersecurity practices (e.g., secure software development),
  • ability to meet specific security requirements,
  • quality and resilience of ICT services,
  • potential for source diversification.

In practice, tools supporting supplier selection are increasingly used—such as simplified assessment forms that include questions about certifications (e.g., ISO/IEC 27001), system update policies, incident response procedures, and subcontractor oversight. These documents can serve as both ex-ante evaluation tools and a basis for periodic reviews.

3. Incorporating Risk Assessments

Whenever possible, reference should be made to coordinated risk assessments for critical supply chains published by national CSIRTs, sectoral bodies, or ENISA.

It is not necessary to conduct independent risk analyses from scratch—available industry resources are often sufficient. These risks can be integrated into the organization’s annual audit or supplier review cycle. This approach avoids duplication of analytical efforts while strengthening the basis for procurement and strategic decisions. Incorporating risk assessments into internal documentation also facilitates reporting to stakeholders.

4. Contractual Requirements

Contracts with suppliers and service providers should include, depending on the nature of the cooperation:

  • requirements for the security of ICT products/services,
  • obligations regarding training, competence, and personnel verification,
  • requirements for incident notification,
  • the right to audits or access to audit results,
  • vulnerability management mechanisms,
  • subcontractor oversight provisions,
  • termination clauses (e.g., data return, knowledge transfer).

Preparing a standardized annex to contracts that includes these security requirements significantly streamlines the implementation process. Ready-made templates (e.g., ISO/IEC 27036 or ENISA recommendations) may be used. In procurement systems, it is beneficial to automate the inclusion of such annexes in every ICT contract.

5. Applying Criteria Across the Procurement Lifecycle

Security criteria must be enforced not only when signing new contracts but also when updating agreements with existing partners and throughout procurement procedures.

A proven approach is to adopt a rule that every procurement of ICT products or services requires a prior risk assessment and confirmation that it aligns with the organization's NIS2 policy. Procurement staff should also be trained to recognize which services fall within the scope of NIS2 requirements.

6. Regular Reviews and Monitoring

Security policies and supplier practices should be periodically reviewed—especially after incidents, organizational changes, or regulatory updates.

It is advisable to establish a schedule of reviews (e.g., annually for key suppliers). Automated triggers should also be set up to initiate reviews in response to significant changes in a partner's structure or operations.

7. Supplier Register

An up-to-date register should be maintained that includes:

  • contact details of direct suppliers and service providers,
  • a list of products, services, and ICT processes provided to the organization.

Depending on the size of the organization, this register may take the form of a simple spreadsheet or be integrated with service management systems. Ensuring the currency and availability of this information is essential—particularly in the event of an audit or incident.

Conclusion and Recommendations

Supply chain security is no longer the sole domain of IT or compliance departments. It has become an integral element of strategic management, influencing reputation, growth potential, and the ability to build trusted relationships. Organizations that adopt an approach aligned with the NIS2 Directive gain not only legal compliance but also long-term business value.

In a world where cybersecurity has become a new benchmark for partnership quality, NIS2 should not be viewed as a regulatory burden, but as an investment in trust, resilience, and competitive advantage. Today, cyber maturity is not merely about regulatory alignment—it is the foundation for sustainable business relationships and enduring market leadership.