NIS2: Why suppliers can't sit back

At a time when cyber threats are commonplace, the European Union has created the NIS2 Directive. The purpose of this directive is to strengthen the digital resilience of key and essential sectors. But what does this mean for you as a supplier to an NIS2-compliant organization? Even if you yourself are not directly covered by the NIS2 legislation, the implications can be far-reaching for your company and your operations. Failure to comply with these requirements can affect your relationship with customers and your position in the market. In this blog, Daniek Regterschot highlights why NIS2 compliance is also very important for suppliers and how you can prepare for it.


Date: October 03, 2024

Modified October 03, 2024

Written by: Daniek Regterschot

Reading time: +/- 3 minutes

The chain approach of NIS2

NIS2 introduces a chain approach, which extends the directive's effect beyond the organizations it directly designates. While you as a supplier may not be directly covered by the NIS2 directive, your customers may be.

This means that they can require you to meet certain security standards to ensure that the entire chain is secure. These requirements can range from implementing specific security measures to obtaining certifications. Failure to meet these requirements can result in losing contracts or even entire customer relationships.

What should you consider?

Organizations subject to NIS2 may require the following from you, among other things:

  1. Conducting a risk inventory;
  2. Implementation of adequate security measures;
  3. Regular security audits and assessments;
  4. Development of an incident response plan and a business continuity plan; and
  5. Training and awareness among your employees.

How can you prepare?

To meet the expectations of your NIS2-regulated customers, you need to be proactive about your cybersecurity. Start by mapping out your current situation. What security measures have you already implemented? Where are the weaknesses?
Next, it is advisable to establish a sound cybersecurity policy. This policy should include not only technical measures, but also incident management procedures and awareness among your employees.

Contractual implications of NIS2

In addition, be prepared for changes in your contracts with customers that are subject to NIS2. Clauses may be added that relate to cybersecurity, such as obligations to report security incidents or to allow periodic audits. It is wise to seek legal advice before agreeing to such clauses, so that your interests are safeguarded.

The opportunities of NIS2

Once you meet the requirements set by your customers that are subject to NIS2, this can also bring opportunities. In an increasingly digital economy, it is vital that suppliers are adequately protected against cyber risks from both inside and outside the organization. By proactively investing in cybersecurity, you position yourself as a reliable partner. This can not only help you retain existing customers, but also attract new clients who value a secure supply chain.

Conclusion and next steps

The impact of the NIS2 directive extends far beyond the companies covered by the obligations of the directive itself. As a supplier, it is therefore crucial to take steps toward better cybersecurity now.

Should you need assistance, we can help you create a cybersecurity policy, prepare for audits and adapt your contracts to the new reality of NIS2.
