
NIS2 & Third-Party Risk Management: From contracts to effective supplier control
The new NIS2 Directive (Directive (EU) 2022/2555) and its national implementation (the Act Implementing the NIS-2 Directive) mark a turning point for strategic corporate management. Cybersecurity is no longer a purely technical IT problem; it is a key business risk for which management is held personally responsible. A particularly critical aspect is supply chain security, as attacks via third-party providers ("supply chain attacks") are increasing massively and can threaten the existence of entire entities.
The new responsibility of management
According to Section 38 of the Act Implementing the NIS-2 Directive, the management of particularly important and important entities is obliged to implement the prescribed risk management measures itself and to continuously monitor their implementation.
- Personal liability: In the event of a culpable breach of these obligations, members of the management can be held liable for damages by their entity.
- Training requirement: To be able to assume this responsibility, management must regularly attend training courses to gain knowledge of risk identification and of the evaluation of risk management practices.
Strategic supplier management according to Art. 21 (Directive (EU) 2022/2555)
Particularly important and important entities must take supply chain security into account as part of their risk management. This includes not only technical security but also the establishment of a holistic governance model for relationships with direct suppliers and service providers.
Unsure whether you are affected by NIS2? The BSI's NIS 2 impact assessment offers initial orientation in just a few steps.
Risk analysis and assessment (all-hazards approach)
The basis of every decision is a well-founded risk analysis, which also includes non-technical factors such as undue influence by third countries on providers. This means that when selecting suppliers, companies must not only pay attention to technical quality but also assess whether the provider could be forced, due to its origin or connections, to act against the security interests of its customer or of the European Union. Management must understand the criticality of its assets and its dependency on external service providers (e.g. cloud providers or managed security services). The CRA serves as a tool here: it obliges manufacturers to provide information such as a Software Bill of Materials (SBOM), which a NIS2 entity absolutely requires in order to evaluate its supply chain according to Art. 21 NIS2.
Selection and due diligence
When selecting partners, clear cybersecurity criteria must be established. These include:
- The assessment of the provider's secure development processes. A secure development process ensures that cybersecurity is not added as an afterthought but is treated as an integral part of the entire life cycle of a product or service (so-called Security by Design).
- Checking the financial stability and reputation of the service provider.
- The avoidance of vendor lock-in (vendor dependency) to maintain resilience in the event of failures. Vendor lock-in arises when a company is so dependent on the products or services of a single provider that switching to another partner would only be possible at extremely high cost, time or operational risk.
Contract design and minimum requirements
Contracts must contain specific security clauses to maintain control over data sovereignty. Important components are:
- Audit rights: The right of the company or of authorized third parties to inspect the supplier's security measures on site.
- Reporting requirements: The supplier's obligation to report immediately any security incidents that may affect the entity.
- Vulnerability handling: Clear rules for dealing with vulnerabilities and for providing security updates.
- Exit strategies: Defined processes for the secure return or deletion of data at the end of the contract or upon request from the client (e.g. as a result of customer inquiries).
Transparency through SBOMs and technological control
To make the supply chain transparent, the SBOM comes into focus. Manufacturers are required by the CRA to provide these machine-readable lists. For IT managers and CISOs, this means:
- Component tracking: Only those who know which third-party libraries are contained in a piece of software can react quickly when new vulnerabilities (such as Log4j) become known.
- Patch management: Entities must ensure that suppliers provide patches for critical vulnerabilities in a timely manner.
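To show what component tracking with an SBOM looks like in practice, here is an added example (not code from the original article or from any vendor): a Python script that matches a constructed CycloneDX-style SBOM against a constructed advisory list and returns the components a patch-management process would escalate to the supplier. The SBOM contents, advisory identifiers and version ranges are all made up for illustration.

```python
import json
import re

# Constructed CycloneDX-style SBOM (not from any real vendor); only the fields this check needs are kept.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.2"},
    {"type": "library", "group": "com.example", "name": "widget-utils", "version": "1.3.0"}
  ]
}
"""

# Constructed advisory feed: identifiers and version ranges are placeholders, not real CVE data.
# "fixed" is the first version that is no longer affected.
ADVISORIES = [
    {"id": "ADV-0001 (constructed)", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.17.1", "severity": "critical"},
    {"id": "ADV-0002 (constructed)", "group": "com.example",
     "name": "widget-utils", "introduced": "1.0", "fixed": "1.2.5", "severity": "high"},
]

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a non-numeric tail such as '-rc1' is ignored."""
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in text.split("."))

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range, as advisory feeds usually state it)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_vulnerable_components(sbom_json, advisories):
    """Return (group, name, version, advisory_id, severity) for every component in an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            # Match on group and name first; only then compare the version range.
            if (comp.get("group"), comp.get("name")) != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["group"], comp["name"], comp["version"], adv["id"], adv["severity"]))
    return hits

if __name__ == "__main__":
    for hit in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print("escalate to supplier:", hit)
```

Running it flags only log4j-core 2.14.1; the 2.17.2 copy and widget-utils 1.3.0 fall outside their advisory ranges, which is exactly the distinction an SBOM makes possible when a new vulnerability is announced.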
Special case of the financial sector: DORA as a sharper sword
In addition to NIS2, the stricter rules of the DORA regulation apply to financial companies. Here, the management of ICT third-party risks is regulated in even more detail:
- A comprehensive register of information on all third-party ICT service providers must be maintained.
- When subcontracting critical or important functions, the financial company must ensure that the entire chain of subcontractors meets the same strict standards.
Conclusion for the management level
Supplier management under NIS2 is not a one-off project; it is an ongoing process. As management, you should ensure that:
- A current register of all critical suppliers exists.
- The security requirements in the contracts reflect the state of the art.
- Regular performance reports and audits of the most important partners are included in your management assessment.
Supply chain security is now a key pillar of organizational resilience, protecting not only your data but also your reputation and your personal protection against liability.
If you would like to find out more about the topic, contact us for a non-binding conversation and take part in our webinar on the topic:
“When trust becomes a risk: How you can secure your supplier management with NIS2”
📅 February 12, 2026 | 10:00 a.m. 👉 Register now: https://lnkd.in/d3rH4D_z
📖 Also read: NIS Consulting: Your compass for cybersecurity according to NIS and NIS2