Supply Chain Security and NIS 2: What Changes for Companies (Including SMEs)

Kirey


    In the past decade, supply chain security has become a top priority for many organizations. What, until recently, was mostly considered good management practice is now, with the NIS 2 Directive (Directive (EU) 2022/2555) in force, a regulatory requirement. In this article, we'll explore the details of this shift and what companies need to do in practice to stay compliant.

    Supply Chain Security and Technological Interdependence

    Every structured organization is part of a network of suppliers, partners, and service providers, often interconnected not only relationally but also digitally. APIs, collaborative platforms, ERP modules, and shared digital solutions (B2B portals, invoicing platforms, etc.) create real technological interdependence. While this enables efficiency and innovation, it also exposes each node in the chain to vulnerabilities that can trigger a devastating domino effect.

    In recent years, we've seen striking examples of this. One of the most notable is the 2020 attack on SolarWinds' Orion platform, used in government and large corporate networks. The attackers compromised SolarWinds' build process and shipped a backdoored update signed with the vendor's own code-signing certificate; roughly 18,000 customers installed it, after which the attackers selected a much smaller set of targets for follow-on intrusion and access to sensitive data. More recently, in 2023, 3CX, a VoIP software provider, was hit by a cascading supply chain attack: an employee installed a trojanized version of a third-party application (X_TRADER, from Trading Technologies), which gave the attackers a foothold from which they reached 3CX's build environment. From there they pushed malicious code to customers through legitimate, signed updates of the 3CX desktop app, so that every customer who installed the trojanized releases was exposed.

    These examples show that attackers often don't go straight at their primary target. Instead, they probe the surrounding ecosystem in search of the weakest link: a small company with limited defenses, a neglected technology partner, an outdated piece of software, or a vendor's build and update pipeline whose output the target trusts implicitly. This is why protecting the supply chain is not only a strategic necessity but, with NIS 2, also a legal obligation.

    NIS 2, Supply Chain Security, and Corporate Responsibility

    The link between NIS 2 and supply chain security is explicitly established in Article 21 of the Directive. Article 21(1) sets out the core principle of the new regulatory framework: "Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services."

    These measures, which Article 21(2) requires to be based on an all-hazards approach, explicitly include "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." Article 21(3) goes a step further and tells entities what to weigh when choosing those measures: the vulnerabilities specific to each direct supplier and service provider, and the overall quality of the suppliers' products and cybersecurity practices, including their secure development procedures.

    With NIS 2, cybersecurity responsibility no longer stops at the company's boundaries: it extends both upstream and downstream along the supply chain. The Directive assigns an active, central role to essential and important entities (public and private operators in the sectors listed in its Annexes I and II), making them responsible for managing the risk that their suppliers introduce, not just the risk that originates inside their own perimeter.

    This distributed responsibility has two key effects. First, organizations directly subject to the Directive must implement structured processes for assessing and monitoring their partners' security posture. Second, an incident that originates at a supplier but significantly disrupts the entity's own services is, from the regulator's point of view, the entity's incident: it falls under the reporting obligations of Article 23 just as an internally caused incident would, so the entity needs to learn about it in time to report it.

    At the same time, the regulation pushes suppliers, including small and medium-sized businesses, to raise their security standards or risk being excluded from contracts and tenders. In other words, NIS 2 introduces a systemic mechanism where SMEs, even when they fall outside the Directive's direct scope (which as a rule covers medium-sized and large entities in the listed sectors), must adapt to remain competitive in an increasingly interconnected digital ecosystem.

    How to Manage Supply Chain Security to Comply with NIS 2

    So what does it actually mean to secure the supply chain in compliance with the new EU Directive? NIS 2 is a high-level legislative act: it doesn’t prescribe specific tools or operational methods but instead sets principles, responsibilities, and the need for a structured, risk-based approach. Here’s how organizations can act.

    Supplier Assessment: Start with Risk Evaluation

    Conducting a supplier assessment means analyzing the level of cyber risk each external partner poses to the organization. The main challenges here lie in the complexity of supply networks—often made up of dozens or even hundreds of diverse entities distributed worldwide and operating under different regulations—as well as in a lack of transparency. To overcome these challenges, organizations can rely on a combination of tools.

    1. Self-assessment questionnaires are a starting point, helping to collect information on security practices, credential management, past incidents, and the use of specific frameworks or standards. Because the answers are self-reported, ask for supporting evidence (policies, a recent penetration-test summary, incident reports) rather than relying on yes/no answers, and weight the results accordingly. For critical or strategic suppliers, on-site assessments can be conducted by the internal team or qualified third parties. A useful reference model here is the Clusit framework.

    2. Certification checks, such as ISO 27001 certificates or SOC 2 attestation reports, provide strong indicators of maturity, provided the scope is checked: confirm that the ISO 27001 certificate's scope and Statement of Applicability, or the SOC 2 report's system description and review period, actually cover the service you buy and not just a corporate headquarters or an unrelated business unit. These checks can then be supplemented with data from external sources, such as automated scans of the supplier's internet-exposed assets or threat intelligence signals.

    Embedding Cyber Risk Management in Contracts

    Once risks are measured, the results of the assessment must be translated into clear, binding contractual commitments—a decisive step in making security a shared responsibility.

    In practice, this means defining, in black and white, which standards must be met, the minimum expectations for data protection and operational continuity, and what happens in cases of non-compliance. Among the most effective clauses are those requiring the adoption of specific security frameworks (such as ISO 27001), commitments on secure development practices (which Article 21(3) explicitly asks entities to consider), mandatory notification of incidents or vulnerabilities, and the client's right to conduct regular audits or request security posture updates. One timing detail matters: an essential or important entity must send an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident (Article 23), so the supplier's contractual notification deadline has to be shorter than that, otherwise the client cannot meet its own obligations. These measures help maintain focus throughout the entire lifecycle of the partnership.

    Technologies and Tools for Continuous Monitoring

    To comply with NIS 2 principles, companies need to go one step further and monitor supply chain security continuously: a point-in-time assessment is already out of date the moment a supplier changes its infrastructure, onboards a subcontractor, or suffers an incident.

    Today, technologies exist that provide dynamic, real-time visibility into suppliers’ cyber risk, without waiting for a new audit cycle or the completion of increasingly complex questionnaires. The solution landscape is broad: third-party risk management (TPRM) platforms centralize the supplier risk lifecycle—from onboarding and due diligence to ongoing monitoring. These platforms streamline questionnaire collection, help identify gaps, and track corrective actions, integrating workflows for incident notification and management.

    Also noteworthy are security rating platforms, which assess a supplier's security posture from an external perspective. They analyze publicly available data such as exposed network services and their configurations, known vulnerabilities in internet-facing software, and potential information leaks on the deep and dark web. These services deliver objective scores and complement other measures to identify at-risk suppliers and monitor trends over time. Keep in mind that such scores reflect only the externally observable attack surface and say nothing about internal controls, so treat a bad score as a trigger for follow-up with the supplier rather than as a verdict.

    Toward an Integrated and Scalable Approach

    For all these activities to be truly effective, they must be part of a systemic risk management strategy. This requires coordination among legal, procurement, IT security, and compliance functions. Only then can organizations properly address the complexity of supply chains, ensure regulatory compliance, and avoid wasting resources or creating bottlenecks that undermine productivity.

    Visit our website to explore all Kirey’s services in the manufacturing sector and contact us for more information.
