Explainers & Guides

NIS2 is Now in Force: What Are Its TPRM Implications for UK CNI?

In this regulatory explainer, we outline the key NIS2 mandates, their implications for third-party risk management (TPRM), and how companies can achieve compliance and become more resilient to supply chain incidents.


The NIS2 Directive (Directive (EU) 2022/2555) entered into force on 16 January 2023, with Member States required to transpose it into national law by 17 October 2024. It introduces an enhanced compliance framework to ensure “a high common level of cybersecurity across the Union”. 

Against a backdrop of sharply rising attack volumes (one estimate cited by the page puts the increase in cyber attacks at 57% between 2022 and 2023), NIS2 imposes stringent requirements on critical sectors, with a particular emphasis on supply chain risk. 

Although the UK sits outside the EU’s direct jurisdiction following Brexit, its Critical National Infrastructure (CNI), encompassing energy, transport, health and other vital sectors, has good reason to align with NIS2: doing so strengthens operational resilience, keeps UK organisations interoperable with EU customers and suppliers that are themselves NIS2 entities, and prepares them for the upcoming UK Cyber Security and Resilience Bill.

In this brief regulatory explainer we outline the mandates NIS2 enforces, their implications for third-party risk management (TPRM), and how companies can strengthen their cyber security posture and become more resilient to supply chain incidents.

NIS2: An Overview

Replacing the 2016 NIS Directive, NIS2 widens the scope from “operators of essential services” to two tiers of regulated organisations: “essential entities” (e.g. energy, transport) and “important entities” (e.g. postal services, waste management). It now spans 18 sectors, brings digital providers such as cloud services under its remit, and pairs this broader scope with heightened accountability and stricter enforcement measures.

One of the most notable developments in NIS2 is executive accountability: senior management can now be held personally liable for failures to comply. Article 20 states: “Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.”

Another key aspect of NIS2 is Article 21, which requires “appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems”, and lists “supply chain security” and “incident handling” among the measures every entity must cover. 

Unlike its predecessor, NIS2 therefore makes TPRM an explicit compliance obligation rather than an implicit good practice, reflecting survey findings that 73% of companies experienced a cybersecurity incident caused by a third-party vendor in the past three years.

Key Elements of NIS2

To achieve its goal of elevating cybersecurity across the board, NIS2 outlines a cybersecurity framework that requires companies to strengthen risk management and resilience. Key elements include:

  • Risk Management: Companies must implement security controls that are proportionate to the risks they face and demonstrate that these controls meet the directive’s requirements.
  • Incident Reporting: Any significant incident must be reported to the entity’s national CSIRT or competent authority on a staged timeline: an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month.
  • Business Continuity: Recovery plans, emergency protocols, and crisis response teams must be in place.
  • Supply Chain Security: Companies must assess and manage cybersecurity risks across their supply chains, taking into account each supplier’s specific vulnerabilities and the overall quality of its products and security practices.
  • Incident Handling: Processes and tooling for detecting, managing and responding to incidents must be established.
  • Cybersecurity Training & Awareness: Companies must train their employees, including management, in cybersecurity best practices.
  • Information Security Management: Clear policies for risk analysis and information system security must be documented and maintained. 
  • Vulnerability Management: Organisations must continuously identify, remediate, and handle the disclosure of vulnerabilities in the systems they acquire, develop and maintain.
  • Cryptography & Encryption: Policies on the use of cryptography and, where appropriate, encryption must be enforced to protect sensitive information.

The TPRM Implications of NIS2

Supply chain security is central to NIS2’s strategy. Article 21 requires entities to address supply chain security, “including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers”, as well as security in the acquisition, development and maintenance of network and information systems. This is a direct response to incidents like the 2020 SolarWinds compromise, in which a trojanised software update was delivered to as many as 18,000 customers worldwide. 

To this end, NIS2 establishes a framework for hardening regulated entities’ resilience to supply chain incidents, including:

  • Continuous Vendor Assessment: Supplier risk must be assessed as part of the entity’s ongoing risk-management measures, which in practice requires up-to-date visibility of supplier security controls rather than a one-off onboarding questionnaire.
  • Contractual Accountability: Organisations must ensure vendors adhere to NIS2-equivalent standards, incorporating audit rights and incident notification obligations into contracts.
  • Ongoing Oversight: Risk-management measures must be maintained and reviewed on an ongoing basis, so an annual point-in-time audit of a critical supplier is unlikely to be sufficient on its own.
  • Executive Responsibility: Management bodies can be held liable for non-compliance. Administrative fines for essential entities can reach €10 million or 2% of total worldwide annual turnover, whichever is higher (€7 million or 1.4% for important entities), and members of an essential entity’s management body can be temporarily barred from exercising managerial functions.
  • Industry-Wide Coordination: Union-level risk assessments offer UK CNI potential access to EU intelligence on shared suppliers, fostering resilience across borders.

For UK CNI, these requirements are highly relevant even though NIS2 does not bind UK entities directly. For instance, if a UK hospital relies on an EU telemedicine provider that is itself an essential or important entity, that provider must implement NIS2’s risk-management measures and send an early warning to its CSIRT within 24 hours of becoming aware of a significant incident. The hospital should contract for equally prompt notification and for evidence of the provider’s controls, so that its own incident response is not left waiting on a regulator’s timeline.

Furthermore, NIS2 introduces Union-level coordinated security risk assessments to identify systemic risks within industries, something which aligns directly with Risk Ledger’s Defend-as-one approach.  

Under this framework, the Cooperation Group, the EU Commission, and ENISA will conduct risk assessments of critical ICT services, infrastructure, and supply chains, with the goal of spotting and mitigating potential systemic risks facing entire sectors of CNI.

Furthermore, acknowledging the importance of shared intelligence, NIS2 encourages collaboration between organisations and industry peers through cyber threat information sharing. Although voluntary for participants, this gives business leaders the opportunity to act on timely alerts from other parties within their sector. Under NIS2, Member States are tasked with facilitating these information-sharing arrangements and making sure that all parties have the tools and channels necessary to participate effectively.

How Risk Ledger Helps with NIS2 Compliance

Meeting NIS2’s supply chain security requirements can understandably seem demanding: it calls for both precision and scalability across a large and changing supplier base. 

Risk Ledger simplifies compliance by providing a single platform that streamlines third-party risk management, offering continuous assessments and automated security monitoring across an organisation’s extended supply chain.

Risk Management

Risk Ledger can help address the supply chain risk management requirements that NIS2 imposes on organisations. These encompass:

  • Governance and organisation – Risk Ledger supports with third-party policy review, and reporting and monitoring of supplier criticality.
  • ICT risk management framework – shows critical third-party service providers (incl. 4th parties and beyond) helping map out key dependencies.
  • Identification – supports with the identification of suppliers, including critical ones.
  • Protection and prevention – supports the procurement of suppliers that ensure resilient ICT systems, especially for critical functions.
  • Response and recovery – supports with identification of incidents in the supply chain.
  • Learning and evolving – supports with the identification of emerging cyber threats and vulnerabilities in the supply chain.

Incident Management

Risk Ledger can help address certain components of NIS2 relating to incident management. These include:

  • ICT-related incident management process – supports the recording of supply chain-related incidents.
  • Classification of ICT-related incidents and cyber threats – supports the classification of cyber threats and the potential impact of incidents.
  • Reporting of major ICT-related incidents and voluntary notification of significant cyber threats – supports reporting of incidents and voluntary notification of cyber threats originating from a supplier.

Digital Operational Resilience

Risk Ledger can also support organisations with enhancing their digital operational resilience. Risk Ledger supports the identification of suppliers and the supply chain to be considered for incorporation into the digital operational resilience testing programme, including for conducting advanced threat-led penetration testing. 

Risk Ledger also supports the development of a risk-based testing plan, helping balance the resources available against the time spent.

Collaboration and Information Sharing

Finally, Risk Ledger supports the exchange of cyber threat information and intelligence (such as indicators of compromise; tactics, techniques and procedures; and tooling capabilities) between trusted communities in a confidential manner (and potentially under the aegis of a supervisory authority), thereby improving awareness of cyber threats and increasing resilience at the industry level.

Conclusion

NIS2 is a direct response to the rapid growth in supply chain attacks. 

Its purpose is to protect an increasingly interconnected ecosystem of suppliers and customers in which a weakness at one third party becomes an incident for everyone that depends on it. 

Its TPRM mandates compel UK CNI to treat vendor risk as a cornerstone of resilience, backed by executive accountability and substantial penalties for non-compliance. With the UK Cyber Security & Resilience Bill approaching, adopting NIS2’s standards now is a strategic imperative to avert fines and mitigate preventable breaches. 

We strongly recommend that any UK entity operating CNI schedule a Risk Ledger demonstration so you can secure your supply chain against NIS2’s rigorous standards and futureproof your cybersecurity posture in today’s ever-escalating cyber threat environment.
