NIS2 Compliance: How to Identify and Evaluate Critical Suppliers

NIS2 Requirements- Get a Handle on Critical Supplier Assessments
Francisco Fonseca
Written by Francisco Fonseca
SVP, National Cybersecurity

As the NIS2 Directive reshapes the cybersecurity landscape across Europe, a key focus for organisations is understanding and managing their critical suppliers. The directive mandates heightened scrutiny and tighter controls around these essential entities, underscoring their importance in your overall cybersecurity strategy.

But the pivotal question remains: How do you determine who qualifies as a 'critical supplier'? Let’s delve into practical strategies to identify these crucial partners and ensure compliance with NIS2 requirements.

Identifying Critical Suppliers: A Strategic Imperative

With the NIS2 Directive emphasising operational resilience, identifying which suppliers are 'critical' to your cybersecurity infrastructure is more crucial than ever.

A critical supplier is not just any vendor—it's one whose failure could significantly disrupt your operations or compromise your data security.

This definition requires a strategic approach, where the impact of a supplier is assessed not just in terms of service delivery, but also through the lens of potential risk to your cybersecurity posture. A payment processing partner, for example, plays a crucial role in transaction completions. A compromise in their systems could not only halt sales but also expose sensitive financial information, thereby attracting regulatory penalties and damaging customer trust.

The Directive states in Recital 85 that addressing supply chain risk is particularly important given the prevalence of incidents where malicious perpetrators were able to compromise organisations by exploiting vulnerabilities affecting third-party products and services—like the SolarWinds attack. In fact, ENISA predicts that ‘Supply Chain Compromise of Software Dependencies’ will be the most prominent cyber threat in 2030.

“Essential and important entities should therefore assess and take into account the overall quality and resilience of products and services, the cybersecurity risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures.”

So how do you put that into practice? There are three key initiatives that will help you get a hold on the security posture of your critical suppliers.

Practical Steps to Classify Critical Suppliers

1. Perform a Comprehensive Risk Assessment

As part of your Vendor Risk Management program, you will need to identify, evaluate, and prioritise suppliers’ risks to determine how integral they are to your operations and the potential impact of their compromise. This encompasses identifying potential threats and vulnerabilities, assessing the likelihood and impact of these threats materialising, and determining the organisation's readiness to address them.

Consider aspects like access to sensitive data, integration with critical systems, and compliance with relevant cybersecurity standards. These can be embedded into your requirements across the vendor onboarding process, including assessments, questionnaires, and certifications.

Example: For an energy utility company, a supplier providing smart grid control software would undergo a thorough risk assessment to gauge vulnerabilities that could disrupt power distribution.

For more information and practical examples, download our ebook: 40 Questions You Should Have In Your Vendor Security Assessment.

2. Calculate Supplier’s Business Impact

Determine the criticality of each supplier to your operations. This analysis should consider the potential repercussions on your business should the supplier's services be disrupted, looking at factors like the supplier's role in your supply chain, the cost and challenges associated with replacing the supplier, and the overall impact on operational continuity.

Example: A public transportation provider may evaluate a traffic management system vendor to assess the potential impacts on transit operations and commuter safety if the vendor’s systems were compromised.

A CISOs Compliance Playbook Strategies to meet NIS2_DORA and PS21-3 Requirements

Stay ahead of the compliance curve. Dive into our playbook curated by Tim Grieveson, Senior Vice President and Global Cyber Risk Advisor. Unearth insights to not just comply but lead in the era of NIS2, DORA, PS21/3, and emerging cyber regulations.

3. Perform Continuous Monitoring

Once you have identified critical suppliers, implement continuous monitoring systems to oversee their security posture. This should include regular security audits and real-time monitoring of their compliance with security policies, supplemented by performance reviews against predefined security metrics.

Continuous monitoring not only helps in maintaining an up-to-date view of your supply chain’s security posture but also aligns with ENISA’s recommendations for ICT/OT Supply Chain Risk Management: to monitor supplier and service provider performance.

Example: A government health agency might utilise security ratings services to persistently monitor the cybersecurity health of a medical records software provider, ensuring any security degradation is promptly detected and mitigated.

Leveraging Technology for Enhanced Compliance

Incorporating advanced technological solutions is key to effectively managing supplier risk. Bitsight’s Third-Party Risk Management solutions, including Continuous Monitoring and Vendor Risk Management, offer robust mechanisms for assessing and monitoring your suppliers. With these tools, you can:

  • Prioritise Your Suppliers: Automatically tier vendors based on predefined criteria that reflect their criticality to your operations.
  • Set Stringent Alerts: Configure customised alerts for critical suppliers to ensure immediate notification of potential risks or breaches, enabling swift action.
  • Conduct Comprehensive Assessments: Utilise detailed assessments that combine Bitsight’s data with evidence-based insights to offer a granular view of each supplier’s risk landscape.

Understanding who your critical suppliers are and managing their risks effectively is not just a regulatory necessity under NIS2—it’s a strategic imperative that enhances your organisational resilience. By employing a systematic approach to classify and monitor these essential entities, and leveraging cutting-edge solutions like those from Bitsight, you can ensure that your supply chain becomes a bastion of security, not a source of vulnerability.

Ready to transform how you manage supplier risk under NIS2? Discover how Bitsight can streamline your efforts and elevate your compliance posture. Connect with us today to see our tools in action and take the first step towards robust supply chain security.