Many companies today invest significant resources to secure their internal IT. Firewalls, monitoring, incident response plans, and awareness programs are well-established. At the same time, a dangerous illusion is growing: the assumption that risks can be controlled within the boundaries of one’s own system.

The reality is quite different. Modern business models are virtually inconceivable without external IT service providers, cloud services, software vendors, and specialized subcontractors. This is precisely where the greatest uncertainties arise.

NIS2 addresses this development and clarifies that cybersecurity doesn’t end at the company’s own firewall. The directive compels companies to reassess their supply chains not only technically, but also strategically. It makes external dependencies an integral part of the security architecture and thus a management responsibility.

NIS2 shifts the focus from systems to dependencies

At its core, NIS2 follows a clear approach: Risks should be addressed where they originate. Statistics and incident analyses have shown for years that attacks are increasingly carried out via third parties. Software updates, maintenance access, or outsourced services serve as entry points.

NIS2 addresses this by explicitly including supply chains in its scope. Companies are obligated to assess risks related to their direct service providers as well as downstream subcontractors. The decisive factor is no longer whether an incident originates internally or externally, but rather its impact on critical services.

This marks a departure from a purely technical understanding of security in the regulatory framework. It demands a structured management of dependencies that makes risks visible and manageable.

Why supply chains are particularly vulnerable

The supply chain is an attractive target for attackers for several reasons. External partners often have privileged access, work with sensitive data, or are deeply integrated into operational processes. At the same time, they are often not subject to the same security standards as large organizations.

Furthermore, there is a structural lack of transparency. Companies often don’t know which other service providers their partners use or how access is technically implemented. This lack of visibility leads to a fragmented security landscape in which risks are known but remain unquantifiable.

NIS2 addresses this issue directly and requires transparent processes for identifying, assessing, and monitoring these risks.

The break with traditional compliance

Many organizations are accustomed to formally fulfilling regulatory requirements. Questionnaires are sent out, certificates are filed, checklists are ticked off. This approach generates documentation, but not security.

NIS2 makes it clear that formal compliance is not enough. The directive requires the effective implementation of security measures and verifiable monitoring of their effectiveness. This applies to external partners as well, and to them in particular.

A security concept that relies solely on self-reported information no longer meets the requirements. A realistic picture of the actual security maturity along the supply chain is needed.

What NIS2 specifically expects from companies

NIS2 does not specify detailed technical requirements but defines clear objectives. Companies must identify, prioritize, and appropriately manage risks. For supply chains, this entails several key tasks:

  • First, dependencies must be systematically identified. Which service providers are essential for operations? What data do they process? What access rights do they have?
  • Secondly, appropriate security requirements must be defined. These must be commensurate with the risk and contractually stipulated.
  • Third, NIS2 requires continuous monitoring. Risks change. Business models, threat landscapes, and technical architectures evolve. Security assessments must therefore not be a one-off project.

The role of the CISO under NIS2

For CISOs, NIS2 represents a significant expansion of their responsibilities. Technical excellence alone is no longer sufficient. Communication skills, risk assessment, and the ability to enforce security requirements across the organization are now essential.

The CISO becomes the intermediary between technology, management, procurement, and legal. They must explain why certain requirements are necessary, what risks exist, and what the consequences of inaction might be. NIS2 strengthens this role by defining clear responsibilities and anchoring the importance of cybersecurity at the board level.

Why many supply chain assessments go wrong

In practice, supply chain assessments often fail for the following three reasons:

  1. Lack of prioritization: Companies try to treat all partners equally and lose focus on the truly critical dependencies.
  2. Lack of enforceability: Security requirements are formulated but not checked, and deviations are not consistently acted upon.
  3. Organizational silos: Purchasing, IT, and legal departments operate separately. As a result, security risks are viewed in a fragmented way and not managed holistically.

NIS2 makes it clear that these approaches are no longer sufficient. An integrated risk management system is required.

Control mechanisms with substance

Effective control does not mean maximum bureaucracy. The quality of the measures is crucial. For critical partners, this could include regular technical assessments, structured audits, or clearly defined escalation processes.

It is important that companies retain the ability to assess risks independently and do not completely outsource them to third parties. NIS2 requires taking responsibility, not delegating it.

Control mechanisms must also be scalable. Not every partner requires the same level of effort. The potential impact of a security incident is crucial.

Supply chains as a strategic resilience factor

Companies that view NIS2 as a purely compliance-related task are missing out on potential. A realistic assessment of supply chains not only strengthens their regulatory position but also increases operational stability. Transparent dependencies, clear security requirements, and effective control processes reduce the risk of disruption and improve responsiveness in emergencies. Supply chains are thus transformed from a weak point into a strategic resource.

Conclusion: NIS2 forces honesty

NIS2 confronts companies with an uncomfortable truth: Cybersecurity doesn’t end at the boundaries of their own systems. Those who outsource critical processes remain responsible.

The directive calls for an honest assessment of dependencies, risks, and the ability to control them. For CISOs, this presents both a challenge and an opportunity. Supply chains are no longer a side issue under NIS2. They are the touchstone for effective cybersecurity and sustainable resilience.