In this regulatory explainer, we outline the key NIS2 mandates, their implications for third-party risk management (TPRM), and how companies can achieve compliance and become more resilient to supply chain incidents.
The NIS2 Directive (Directive (EU) 2022/2555) entered into force on 16 January 2023 and aims to introduce an enhanced compliance framework to ensure “a high common level of cybersecurity across the Union”; Member States had until 17 October 2024 to transpose it into national law.
Against a backdrop of a reported 57% rise in cyber attacks from 2022 to 2023, NIS2 imposes stringent requirements on critical sectors to counter escalating risks, particularly within supply chains.
Although the UK sits outside the EU’s direct jurisdiction following Brexit, aligning its Critical National Infrastructure (CNI), which spans energy, transport, health and other vital sectors, with NIS2 requirements will strengthen operational resilience and prepare organisations for the forthcoming UK Cyber Security and Resilience Bill. Note too that the directive is not purely an EU-internal matter for UK organisations: an entity established outside the EU that offers in-scope services within the Union can fall directly within NIS2’s scope, and certain digital providers without an EU establishment must designate a representative in a Member State (Article 26).
Replacing the 2016 NIS Directive, NIS2 moves beyond the original categories of “operators of essential services” and “digital service providers” to a broader classification of “essential entities” (e.g. energy, transport, health) and “important entities” (e.g. postal services, waste management, manufacturing). It now spans 18 sectors across its two annexes, bringing digital providers such as cloud services under its remit, and pairs this wider scope with heightened management accountability and stricter enforcement.
One of the most notable developments in NIS2 is executive accountability - senior management can now be held personally liable for breaches of the directive. Article 20(1) states: “Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.” Article 20(2) goes further, requiring members of management bodies to undergo cybersecurity training so that they can actually assess the risks they are signing off on.
Another key aspect of NIS2 is that Article 21(1) requires “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems”, and Article 21(2) spells out the minimum measures those must cover, explicitly including “incident handling” and “supply chain security”.
Unlike its predecessor, NIS2 directly integrates TPRM into compliance obligations, against a backdrop in which a reported 73% of companies experienced a cybersecurity incident caused by a third-party vendor in the past three years.
To achieve its goal of elevating cybersecurity across the board, NIS2 outlines a cybersecurity framework that requires companies to strengthen risk management and resilience. Article 21(2) lists ten minimum measures that every essential and important entity must implement:
policies on risk analysis and information system security;
incident handling;
business continuity, such as backup management and disaster recovery, and crisis management;
supply chain security, including security-related aspects of the relationships between each entity and its direct suppliers or service providers;
security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
basic cyber hygiene practices and cybersecurity training;
policies and procedures regarding the use of cryptography and, where appropriate, encryption;
human resources security, access control policies and asset management;
the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Supply chain security is central to NIS2’s strategy. Article 21(2)(d) requires entities to address “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers”, and Article 21(2)(e) covers “security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure”. This is a direct response to incidents like the SolarWinds Orion compromise disclosed in December 2020, in which a trojanised software update was distributed to as many as 18,000 customer organisations worldwide.
To this end, NIS2 establishes a comprehensive requirement framework for hardening regulated entities’ resilience to supply chain incidents, including:
securing the relationship with each direct supplier and service provider, not just the entity’s own systems (Article 21(2)(d));
taking into account, when deciding which measures are appropriate, the vulnerabilities specific to each direct supplier and service provider and the overall quality of their products and cybersecurity practices, including their secure development procedures (Article 21(3));
taking into account the results of the Union-level coordinated security risk assessments of critical supply chains carried out under Article 22 (Article 21(3)).
For UK CNI, these requirements are highly relevant. For instance, should a hospital within NIS2’s scope work with a telemedicine provider, the hospital must factor that provider’s specific vulnerabilities and security practices into its own risk-management measures, and if a significant incident originates with the provider the hospital is still the entity that must issue an early warning to its CSIRT or competent authority within 24 hours of becoming aware of it, followed by an incident notification within 72 hours and a final report within one month (Article 23(4)). The supplier does not discharge these obligations on the hospital’s behalf.
Furthermore, NIS2 introduces Union-level coordinated security risk assessments to identify systemic risks within industries (Article 22) - something which aligns directly with Risk Ledger’s Defend-as-one approach.
Under this framework, the Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical ICT services, systems or products and supply chains, with the goal of spotting and mitigating potential systemic risks facing entire sectors of critical infrastructure.
Furthermore, acknowledging the importance of shared intelligence, NIS2 encourages collaboration between organisations and industry peers through cybersecurity information-sharing arrangements (Article 29). Although participation is voluntary, this gives business leaders the opportunity to act on timely alerts from other parties within their sector. Under NIS2, Member States are tasked with facilitating these information-sharing arrangements and making sure that all parties have the tools and channels necessary to participate effectively.
Meeting NIS2’s supply chain security requirements can understandably seem demanding; doing so requires both precision and scalability.
Risk Ledger simplifies compliance by providing a complete platform that streamlines third-party risk management, offering real-time assessments and automated security monitoring across an organisation’s extended supply chain.
Risk Ledger can help address the supply chain risk management requirements that NIS2 imposes on organisations, including certain components relating to incident handling (Article 21(2)(b)) and incident reporting (Articles 23 and 30). This includes:
Incident management process – supports the recording of supply chain-related incidents.
Classification of incidents and cyber threats – supports the classification of cyber threats and the potential impact of incidents, which feeds directly into the determination of whether an incident is “significant” under Article 23(3).
Reporting of significant incidents and voluntary notification of cyber threats and near misses – supports reporting of incidents and voluntary notification of cyber threats originating from a supplier.
Risk Ledger can also support organisations with enhancing their operational resilience. Risk Ledger supports the identification of suppliers and the supply chain to be considered for incorporation into the security testing programme used to assess the effectiveness of risk-management measures (Article 21(2)(f)), including for conducting advanced threat-led penetration testing.
Risk Ledger also supports the development of a risk-based testing plan, helping to balance the resources committed against the time spent.
Finally, Risk Ledger supports the exchange of cyber threat information and intelligence (such as indicators of compromise; tactics, techniques and procedures; tooling capabilities, etc.) between trusted communities in a confidential manner (and potentially under the aegis of a supervisory authority), as envisaged by Article 29, thereby improving awareness of cyber threats and increasing resilience at the industry level.
NIS2 represents a critical response to the reported year-on-year doubling of supply chain attacks. This was the impetus for the directive: to protect an increasingly interconnected business ecosystem of suppliers and companies that are directly exposed to third-party risk.
Its TPRM mandates set a standard that UK CNI should treat as a cornerstone of resilience: vendor risk is managed as a first-class risk-management measure, backed by executive accountability and substantial penalties for non-compliance (Article 34 sets maximum fines of at least €10 million or 2% of global annual turnover for essential entities, and at least €7 million or 1.4% for important entities, whichever is higher). With the UK Cyber Security and Resilience Bill approaching, adopting NIS2’s standards now is a strategic imperative to avert fines and mitigate preventable breaches.
We strongly recommend any UK entity operating within CNI to schedule a Risk Ledger demonstration so you can secure your supply chain against NIS2’s rigorous standards and futureproof your cybersecurity posture in today’s ever-escalating cyber threat environment.