{"id":7739,"date":"2026-02-04T15:40:06","date_gmt":"2026-02-04T15:40:06","guid":{"rendered":"https:\/\/verso.de\/blog\/nis-2-in-the-supply-chain\/"},"modified":"2026-03-09T09:06:04","modified_gmt":"2026-03-09T09:06:04","slug":"nis-2-in-the-supply-chain","status":"publish","type":"post","link":"https:\/\/verso.de\/en\/blog\/nis-2-in-the-supply-chain\/","title":{"rendered":"NIS-2 in the supply chain"},"content":{"rendered":"\t
\n\t\t
\n\t\t\t
\n\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\"Bild\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t
04.02.2026<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t

What does the NIS-2 cyber security directive mean for the supply chain?<\/h1>\n\n\t\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t\tNIS-2 tightens the requirements for cyber security – for the first time, the entire supply chain is in focus, from your service providers to cloud providers. Find out which companies are affected and how you can build effective risk management for your supply chain and NIS-2 compliance step by step. \t\t\t\t\t\t\t<\/p>\n\t\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t\n\n\n\t

\n\t\t
\t\n\t\t\t\n\t\t\t
\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t

What is the NIS 2 Directive and what does it mean for the supply chain?<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t

With the NIS 2 Directive, the EU is tightening the requirements for companies’ cyber resilience. The focus is not only on a company’s own IT, but also on the entire supply chain: service providers, suppliers and IT or cloud providers are increasingly becoming a gateway for attacks. Companies must therefore be aware of their dependencies, systematically assess risks<\/a> and implement suitable security measures for partners and service providers. The supply chain is thus becoming a central lever for compliance with the directive and for the company’s digital resilience.<\/p>\n\t\t\t\t\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\n\t\t<\/div>\n\t<\/section>\n\n\t\n\n\n\t

\n\t\t
\t\n\t\t\t\n\t\t\t
\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t

Which institutions and companies are affected by NIS-2?<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t

This no longer only affects traditional operators of critical infrastructure, but also numerous so-called “particularly important<\/strong>” and “important<\/strong>” facilities – including many companies from industry, production, IT, logistics, energy, healthcare and digital services with 50 or more employees or a turnover of EUR 10 million or more. The “particularly important” facilities, shown in the table, have to implement the strictest requirements. <\/p>\n\n\n\n\n\n\n\n\n\n\n
\n Particularly important facilities\n <\/th>\n\n Facilities \/ Examples\n <\/th>\n<\/tr>\n
\n Energy\n <\/td>\n\n Electricity, gas, oil, district heating\/cooling, water supply, charging infrastructure for electric vehicles\n <\/td>\n<\/tr>\n
\n Transportation & Logistics\n <\/td>\n\n Air, rail, road and shipping transportation, including shipping companies and port operators\n <\/td>\n<\/tr>\n
\n Finance\n <\/td>\n\n Banks, trading platforms, market infrastructures, insurance companies\n <\/td>\n<\/tr>\n
\n Healthcare\n <\/td>\n\n Hospitals, research institutions, pharmaceutical companies, medical technology\n <\/td>\n<\/tr>\n
\n Water supply\n <\/td>\n\n Drinking water and wastewater management\n <\/td>\n<\/tr>\n
\n Digital infrastructure\n <\/td>\n\n DNS services, operators of top-level domains\n <\/td>\n<\/tr>\n
\n Public administration\n <\/td>\n\n Authorities and other state institutions\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Although the “important<\/strong>” facilities – depending on their size and sector – do not have quite as far-reaching obligations and are not classified as critical per se, they must nevertheless act in a NIS-compliant manner. These include: <\/p>\n