Supply chain security
Supply chain security covers all measures by which an organisation identifies, assesses and manages cyber risks arising from its relationships with suppliers and service providers. Under NIS2 it is an explicit obligation, because an entity's own security depends on the security of the third parties it relies on.
Supply chain security refers to the systematic management of cyber risks that arise for an organisation from its relationships with suppliers, service providers and other third parties. Because modern IT value creation is highly distributed – cloud providers, managed service providers, software suppliers and hardware manufacturers – a vulnerability or security incident at a third party can directly affect an organisation's own availability, integrity and confidentiality. The NIS2 Directive explicitly highlights this risk and makes the security of the supply chain a distinct component of risk management.
Under Article 21(2)(d) of the NIS2 Directive, essential and important entities must address the security of the supply chain, including security-related aspects of the relationships between each entity and its direct suppliers or service providers. Decisive factors are the specific vulnerabilities of each supplier and the overall quality of its products and cybersecurity practices. In the German transposition (the NIS2 implementation act, which introduces the new Section 30 BSIG), these requirements become binding for affected companies. Management is liable for approving and overseeing the risk-management measures, which makes supply chain security a leadership responsibility as well.
In practice, supply chain security requires end-to-end supplier management: suppliers are classified on a risk basis, subjected to a security assessment before contracting, and bound by contractual security requirements (service levels, incident-notification duties, audit and evidence rights, subcontractor provisions). During the term of the relationship, organisations apply continuous monitoring, periodic re-assessments and integration of service providers into emergency and incident-response planning. To make these requirements verifiable and auditable, entities rely on recognised frameworks such as ISO/IEC 27001 with its supplier-relationship controls, the German BSI IT-Grundschutz, or ENISA's recommendations.
Legal Basis
Article 21(2)(d) and (e) NIS2 Directive (EU) 2022/2555; Section 30 BSIG (NIS2 transposition); ISO/IEC 27001 Annex A (supplier relationships)
Practical Example
A machinery manufacturer classified as an important entity sources its ERP platform from an external SaaS provider and outsources its IT operations to a managed service provider. The information security officer maintains a supplier register, rates both as critical service providers, and extends the contracts to include incident-notification duties within 24 hours, an annual audit or evidence right (for example via an ISO 27001 certificate or SOC 2 report), and requirements on encryption and the handling of subcontractors. At the annual re-assessment she requests up-to-date certificates and checks whether the providers are integrated into her own emergency plan – thereby demonstrating to the supervisory authority that supply chain security under Section 30 BSIG is actively managed.