What does the NIS-2 cyber security directive mean for the supply chain?
NIS-2 tightens the requirements for cyber security – for the first time, the entire supply chain is in focus, from your service providers to cloud providers. Find out which companies are affected and how you can build effective risk management for your supply chain and NIS-2 compliance step by step.
What is the NIS 2 Directive and what does it mean for the supply chain?
With the NIS 2 Directive, the EU is tightening the requirements for companies’ cyber resilience. The focus is not only on a company’s own IT, but also on the entire supply chain: service providers, suppliers and IT or cloud providers are increasingly becoming a gateway for attacks. Companies must therefore be aware of their dependencies, systematically assess risks and implement suitable security measures for partners and service providers. The supply chain is thus becoming a central lever for compliance with the directive and for the company’s digital resilience.
Which institutions and companies are affected by NIS-2?
This no longer only affects traditional operators of critical infrastructure, but also numerous so-called “particularly important” and “important” facilities – including many companies from industry, production, IT, logistics, energy, healthcare and digital services with 50 or more employees or a turnover of EUR 10 million or more. The “particularly important” facilities, shown in the table, have to implement the strictest requirements.
| Particularly important facilities | Facilities / Examples |
|---|---|
| Energy | Electricity, gas, oil, district heating/cooling, water supply, charging infrastructure for electric vehicles |
| Transportation & Logistics | Air, rail, road and shipping transportation, including shipping companies and port operators |
| Finance | Banks, trading platforms, market infrastructures, insurance companies |
| Healthcare | Hospitals, research institutions, pharmaceutical companies, medical technology |
| Water supply | Drinking water and wastewater management |
| Digital infrastructure | DNS services, operators of top-level domains |
| Public administration | Authorities and other state institutions |
Although the “important” facilities – depending on their size and sector – do not have quite as far-reaching obligations and are not classified as critical per se, they must nevertheless act in a NIS-compliant manner. These include:
- Food production
- Postal and courier services
- Chemical industry
- Manufacturing industry
- Digital services
- Research facilities
- Waste management
When does NIS-2 apply to companies and their supply chains?
All EU member states should have transposed the NIS-2 Directive into national law by October 17, 2024, but many, including Germany, missed the deadline. In Germany, NIS-2 has therefore only been law since December 2025.
Whether sooner or later in a given country, the fact remains: companies in the EU must now adapt their security measures, both in-house and in the supply chain, to NIS-2. And they need to be careful: NIS-2 affects significantly more companies than its predecessor, NIS-1. In Germany, around 30,000 organizations are covered by NIS-2, while fewer than 2,000 were affected by NIS-1.
The difference between NIS-2 and ISO-27001
In contrast to established information security standards such as ISO/IEC 27001, NIS-2 goes much further: the focus is not only on securing the company’s own IT, but also on holistic risk management that includes the entire corporate environment, including the supply chain.
| Aspect | ISO 27001 | NIS-2 |
|---|---|---|
| Regulatory status | International standard (voluntary) | EU directive (mandatory) |
| Area of application | Industry-independent, for organizations of all sizes | Specific sectors and companies |
| Objective | Establishment and operation of an information security management system (ISMS) | Increasing the cyber security level of critical and important infrastructures in the EU |
| Information protection | Protection of all types of information (digital, physical, cloud) | Focus on IT, OT and network security with critical importance |
| Risk management | Systematic information security risk management | Extended and deeper requirements for cyber and information security risks |
| Asset Management | Part of the ISMS | Significantly expanded and explicitly required |
| Supply chain & procurement security | Generally addressed | Explicit and central requirement (suppliers & partners) |
| Awareness & training | Employee training recommended | Training required, mandatory in particular for management and the executive board |
| Management involvement | Responsibility defined, but limited personal liability | Strong involvement of top management including personal liability |
| Degree of coverage | Covers approx. 70% of NIS 2 requirements | Goes well beyond ISO 27001 |
What does NIS-2 require of companies and supply chains?
The NIS 2 directive takes cyber security to a new level – organizationally, technically and strategically. Essentially, the requirements can be divided into three central fields of action:
1. Establish systematic risk management: technical protective measures such as multi-factor authentication (MFA), documented cryptography guidelines, established incident response and emergency plans, and regular training to raise employee awareness
2. Clear responsibilities at management level: active co-design and approval of cybersecurity measures, mandatory further training, and personal liability in the event of gross breaches of duty
3. Binding reporting obligations and business continuity: an early warning within 24 hours of a serious incident, a detailed report after 72 hours with root cause analysis and initial countermeasures, and a final report within one month including long-term preventive measures
NIS-2 requirements for supply chain management
What is particularly relevant with NIS-2 is that the requirements extend into the supply chain. Companies must be able to clearly demonstrate which suppliers and service providers have access to systems, data or critical processes – and how the associated risks are managed. This applies in particular to IT and cloud service providers, software providers, external service providers with system or data access and suppliers with digitally connected processes.
The specific requirements for supply chain management:
Risk management for third parties
Companies must identify risks arising from collaboration with suppliers and service providers – especially where external partners have access to systems, data or critical processes.
- Example: An external IT service provider has remote access to productive systems or administers cloud infrastructures. Companies must assess what impact a failure, a security incident or inadequate protective measures at this service provider would have.
Evaluation of security measures at suppliers
It is not enough to rely on contractual assurances. Companies must be able to understand which security measures are actually in place at relevant suppliers and whether they match their own risk profile.
- Example: A software provider confirms “appropriate security measures”. NIS-2 compliance is only achieved when it is clear whether, for example, access controls, patch management, incident response processes or certifications are in place – and how up-to-date they are.
Documentation and verifiability
Assessments, decisions and measures must be documented in a structured manner. In the event of an audit or incident, it is not just what has been implemented that counts, but that risks have been systematically assessed, decisions justified and measures recorded in a comprehensible manner.
- Example: Why a certain supplier was classified as an “acceptable risk” – or why additional measures are required – must be explained transparently even months later.
Regular checks instead of one-off queries
NIS-2 understands cyber security as an ongoing process. Information from the supply chain must therefore not be collected once, but must be checked and updated regularly.
- Example: The risk assessment must be adjusted in the event of contract extensions, new system access, changed services or security-relevant incidents – not just at the next audit.
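The four supply-chain requirements above (third-party risk, evaluated rather than asserted security measures, recorded justification, and re-assessment on triggering events) can be turned into a simple supplier risk register check. This is an added illustration, not code from VERSO or any product on this page; the supplier names, evidence types, validity periods and event names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Events after which the page says a supplier assessment must be revisited (assumed labels).
REASSESS_TRIGGERS = {"contract_extension", "new_system_access", "service_change", "security_incident"}

@dataclass
class Evidence:
    kind: str        # e.g. "iso27001_cert", "mfa_attestation" (constructed labels)
    issued: date
    valid_days: int  # how long this evidence is treated as current (assumed policy value)

@dataclass
class SupplierAssessment:
    name: str
    access: set                  # what the supplier can reach, e.g. {"remote_admin"}
    rating: str                  # "acceptable" / "conditional" / "unacceptable"
    justification: str           # the recorded reason for the rating; empty means undocumented
    assessed_on: date
    evidence: list
    review_interval_days: int = 365
    events: list = field(default_factory=list)  # (date, event_type) since onboarding

def review_reasons(a: SupplierAssessment, today: date) -> list:
    """Return every reason this supplier needs a fresh look; an empty list means it is current."""
    reasons = []
    if not a.justification.strip():
        reasons.append("missing justification")
    if today - a.assessed_on > timedelta(days=a.review_interval_days):
        reasons.append("periodic review overdue")
    for ev in a.evidence:
        if today - ev.issued > timedelta(days=ev.valid_days):
            reasons.append(f"stale evidence: {ev.kind}")
    for when, kind in a.events:
        if kind in REASSESS_TRIGGERS and when > a.assessed_on:
            reasons.append(f"trigger after last assessment: {kind}")
    return reasons

def suppliers_needing_review(register: list, today: date) -> dict:
    """Map each non-current supplier to its list of reasons."""
    return {a.name: r for a in register if (r := review_reasons(a, today))}

# Constructed sample register with fictitious suppliers.
TODAY = date(2026, 3, 1)
REGISTER = [
    SupplierAssessment("Example MSP (fictitious)", {"remote_admin"}, "acceptable",
        "ISO 27001 certified; MFA enforced on remote sessions; quarterly access review.",
        date(2025, 9, 1),
        [Evidence("iso27001_cert", date(2025, 6, 1), 365), Evidence("mfa_attestation", date(2025, 8, 15), 180)],
        events=[(date(2026, 1, 10), "new_system_access")]),
    SupplierAssessment("Example SaaS vendor (fictitious)", {"customer_data"}, "acceptable", "",
        date(2024, 12, 1), [Evidence("soc2_report", date(2024, 11, 1), 365)]),
]
```

Running `suppliers_needing_review(REGISTER, TODAY)` flags the MSP because its MFA attestation has lapsed and new system access was granted after the last assessment, and flags the SaaS vendor for an undocumented rating, an overdue review and stale evidence.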
How companies ensure NIS 2 compliance (also in the supply chain)
NIS-2 can seem complex at first glance, but with a clear roadmap, the requirements can be systematically implemented. This step-by-step guide shows which measures companies should take now – from risk assessment to audit preparation.
1. Clarify whether NIS-2 applies to you
To begin with, you should check whether your company is affected by the scope of the directive. Anyone who is part of the supply chain may also fall under the requirements.
2. Carry out a gap analysis
Check risk management and incident response in particular: Are there clear processes for detecting and reporting incidents? Have access rights, encryption and MFA been implemented? How well are your service providers secured and are emergency and recovery plans up to date?
3. Develop a risk management strategy
Effective risk management forms the basis of every NIS 2 strategy.
The core components are:
- Regular risk assessments for early identification of weak points
- Strong access controls (incl. MFA)
- Encryption
- Consistent patch management
- Regular penetration tests
- Establish a structured incident response plan and reporting process
Those who proactively implement these measures reduce risks in the long term and strengthen cyber security throughout the company.
4. Clarify and strengthen governance and responsibilities
NIS-2 clearly makes cybersecurity a management task. Management is responsible for actively designing, adopting and regularly reviewing security guidelines.
The central elements are:
- Mandatory training for managers
- Clearly defined responsibilities (e.g. a designated security officer)
- A systematic review of the entire security strategy
- Continuously maintained and complete security documentation
Strong governance not only ensures fewer security risks, but also reduces personal liability risks for management.
5. Secure the supply chain
Third-party providers and service providers are increasingly becoming a central cyber risk factor – and with NIS-2, they also have a clear responsibility.
To secure your supply chain, you should in particular:
- Systematically check the security level and protective measures of your service providers
- Make NIS 2 and compliance requirements binding in contracts
- Establish ongoing monitoring and control mechanisms to identify risks at an early stage
This turns the supply chain into an effective protective shield: your company reduces both the real attack surface and the regulatory risk.
Conclusion: NIS-2 does not start in IT, but in the supply chain
NIS-2 makes it clear that cyber risks cannot be managed in isolation in IT. Transparency in the supply chain, uniform assessments and the ability to monitor and verify risks on an ongoing basis are crucial. This is precisely where many companies fail due to manual processes and a lack of structure.
With the VERSO Supply Chain Hub, the NIS-2 guideline and cyber security in the supply chain can be mapped centrally: from structured risk queries with suppliers and a uniform assessment of third parties to the ongoing updating and central documentation of all evidence. In this way, NIS-2 is not only implemented in the supply chain in compliance with regulations, but also in a practicable and scalable manner.
* This information is summarized editorial content and should not be construed as legal advice. VERSO accepts no liability.