Navigating NIS2 Requirements: Transforming Supply Chain Security

Understanding NIS2: A New Era for Supply Chain Security

Talking to fellow CISO’s around the globe - and in particular Europe - the topic of cybersecurity regulations and compliance has taken on a new life. Most recently, the Network and Information Security (NIS 2) Directive is the latest regulation shaking up the region. NIS2 is much more than an update though—it's transforming the cybersecurity landscape of the EU. The directive, which aims to enhance cybersecurity resilience across the EU, is pushing organizations to rethink their approach to supply chain security. And many of the security leaders I’ve spoken to, are trying to understand what that looks like exactly.

In the interconnected world of digital supply chains, the weakest link can bring down the entire network. The NIS2 Directive recognizes this and has placed a significant emphasis on supply chain security. But what does this mean for your organization? Let’s break it down.

Three Key Supply Chain Security Requirements Under NIS2

1. Comprehensive Supply Chain Risk Management

[Articles 21(2)d and 21.3]

Under NIS2, supply chain risk management isn’t optional—it’s mandatory. Adopting a comprehensive strategy that addresses your entire digital ecosystem to help adhere to the directive is crucial.

• Identify and assess risks: Understand the risks associated with each supplier.
• Implement security measures: Apply appropriate security measures based on supplier risk assessments.
• Continuous monitoring: Regularly monitor - and respond - to ongoing supplier risk.

2. Supplier Accountability

[Recital 85]

Suppliers are now held accountable for their cybersecurity practices. This means that organizations and security leaders need to:

• Set clear expectations: Incorporate cybersecurity risk management measures into contractual arrangements
• Regular audits: Conduct regular audits to ensure compliance.

3. Incident Reporting and Response

[Article 21.3]

Timely incident reporting and response are critical under NIS2. Organizations must ensure:

• Clear communication channels: Establish clear channels for reporting incidents.
• Rapid response protocols: Quick detection and response to supplier security vulnerabilities
• Collaboration: Communicate and coordinate cybersecurity risks with suppliers

Steps to Enhance Supply Chain Security

Conduct Thorough Supplier Assessments

As outlined by ENISA’s “GOOD PRACTICES FOR SUPPLY CHAIN CYBERSECURITY”, assessing your suppliers' security posture is crucial. Some of the more impactful methods to do this include:

• Assessment questionnaires: Use detailed questionnaires to gauge suppliers’ cybersecurity maturity. Bonus if you can automate this process on a regular basis.
• Leverage external data insights: Don’t just rely on questionnaires. Bridge the gap from subjective responses to objective evidence to determine real supplier risk.
• On-site Assessments: Conduct on-site assessments for high-risk suppliers.
• Third-party Certifications: Require suppliers to obtain certifications like ISO 27001 or SOC 2.

Implement cyber risk measures into contractual obligations

Contracts are your first line of defense. Ensure your contracts include:

• Security Standards: Clearly defined security standards and protocols.
• Regular Audits: Mandatory regular audits and assessments.
• Incident Reporting: Defined incident reporting timelines and processes.

Leverage Technology for Continuous Monitoring

Technology is your ally in maintaining supply chain security. Use tools and platforms that offer:

• Near real-time Monitoring: Continuous monitoring of supplier networks.
• Threat Intelligence: Access to up-to-date threat intelligence feeds.
• Automated Alerts: Automated alerts for any deviations or potential threats.

Foster a Culture of Cybersecurity

Building a strong cybersecurity culture extends beyond your organization. Encourage your suppliers to:

• Regular Training: Conduct regular cybersecurity training and awareness programs.
• Information Sharing: Promote information sharing about threats and best practices.
• Vulnerability Handling: Understand risks of vulnerabilities and manage, monitor and patch vulnerabilities.
• Collaborative Approach: Foster a collaborative approach to cybersecurity challenges.

Take Control of Your Supply Chain Security with Bitsight

Adhering to NIS2 is not just about meeting regulatory requirements—it's about building a resilient, secure supply chain. Bitsight is here to empower you on that journey. Our solutions are designed to help you manage, monitor and respond to your digital supply chain risk throughout the lifecycle of your suppliers. And, as the growing regulatory landscape continues to evolve it’s more important than ever to partner with experts who understand the shifting needs that security leaders face on a regular basis.

As you build your plan to address NIS2 supply chain requirements, Bitsight is THE partner to help you navigate the complexity - and are ready to join you side by side every step of the way.

From automating your supplier assessment program to mapping data insights to those assessments. From providing third and fourth party visibility to pinpointing actionable insights that you can respond to. All while offering expert, seasoned resources to help you jumpstart your supply chain cyber risk program. Schedule some time with us to learn more on how we can help.

Tim Grieveson Senior Vice President - Global Cyber Risk Advisor, Bitsight Recognised as one of the UK Top 30 Security professionals by the CSO30 2023, Tim is an inspirational security leader and “Chief Storytelling Officer” helping organizations transform how they measure and manage cyber risk based on 25+ years of experience as a CSO, CISO, and CIO.