NIS2, DORA & Co: Supply Chain Entities in the Spotlight | SITS
NIS2, DORA & Co: Aren’t we all part of someone’s relevant supply chain?

The EU’s current cybersecurity regulations have identified a core risk factor in cyber threat scenarios: the supply chain. An increasing number of attacks are carried out indirectly via enterprise supply chain channels. Typical scenarios include malware being distributed along the supply chain, as well as outages being triggered in mission-critical service platforms or at key service providers. Consequently, regulatory frameworks such as the NIS2 Directive, the DORA Regulation, the Cyber Resilience Act, and the new Product Liability Directive increasingly emphasize the security and resilience of interfaces with external suppliers and service providers – particularly where their operations may affect the integrity, authenticity, availability or confidentiality of an organization’s own network and information systems. The implications are extensive, as virtually every entity operates within a supply chain that holds strategic relevance for others.

NIS2 Part One: Supply Chain Entities in the Spotlight

Regardless of how individual member states implement the NIS2 Directive, the European Union issued the corresponding Implementing Regulation 2024/2690 almost simultaneously with the Directive’s entry into force. This regulation defines which cybersecurity risk management measures must be implemented as mandatory requirements. It addresses the following entities:

  • DNS service providers;
  • TLD name registries;
  • cloud computing service providers;
  • data center service providers;
  • content delivery network providers (i.e., providers of decentralized server networks that ensure high availability, accessibility, or fast delivery of digital content and services to internet users);
  • managed service providers (i.e., providers of services related to the installation, management, operation, or maintenance of ICT products, networks, infrastructure, applications, or any other network and information systems);
  • managed security service providers (i.e., managed service providers that perform or provide support for activities related to cybersecurity risk management);
  • providers of online marketplaces;
  • providers of online search engines;
  • providers of social networking services platforms;
  • trust service providers (i.e., providers of services for the generation, verification, and validation of electronic signatures, electronic timestamps, electronic seals, or electronic certificates).

What distinguishes these entities is their clear definition under EU law, eliminating the need for additional national interpretation or specification. This part of the supply chain is therefore obligated to implement the requirements of the implementing regulation directly. The regulation has been in force since October 28, 2024. Since that time, any entity acting as a service provider supplying its own IT services – rather than merely supplying products with digital components then operated by the customer itself – has been subject to compliance with NIS2-specific obligations.

For the entities mentioned, the implementing regulation specifies in detail the mandatory measures to be implemented in the following areas:

  • security strategy for network and information systems;
  • risk management framework;
  • incident response plan;
  • business continuity and crisis management;
  • supply chain security;
  • procurement, development, and maintenance of network and information systems;
  • evaluation of the effectiveness of cybersecurity risk management measures;
  • cyber hygiene (i.e., cybersecurity measures);
  • cybersecurity training;
  • cryptographic measures;
  • personnel security;
  • access control;
  • asset and value management; and
  • environmental and physical security.

In essence, these requirements align with common standards such as ISO/IEC 27001. However, the implementing regulation introduces detailed criteria for determining when a significant security incident has occurred, which must then be reported without delay. In justified cases, deviations from the requirements are permitted, provided they are properly documented. This creates valuable flexibility that should be used early on to help organizations position themselves effectively with clients. Doing so requires substantial practical experience.

When it comes to supply chain security, obligated entities must pay particular attention to their direct (!) suppliers and service providers. The goal is to minimize the risks these relationships pose to their own network and information systems. Specific obligations must be included in contractual agreements to address this.

As a result, the requirements don’t just apply to the named entities themselves. They also extend directly to their immediate supply chain!

NIS2 Part Two: Additional IT-Related Entities in the Supply Chain

The NIS2 Directive also addresses other entities within the supply chain that have a strong IT focus. Unlike the previously mentioned entities, these are subject to the general NIS2 requirements only:

  • internet exchange point providers;
  • providers of public electronic communications networks;
  • providers of publicly available electronic communications services;
  • manufacturers of computer, electronic and optical products (e.g. manufacturers of microprocessors, printers, monitors, sound cards, graphics cards, network cards, desktop computers, laptops, mainframes, PDAs, storage media, servers, scanners, smart card readers, point-of-sale terminals, telecommunication devices, routers, mobile phones, fire alarms, television sets, stereo systems, loudspeakers, microphones, headphones, gaming consoles, time tracking devices, electromedical equipment, and many more).

The fourth category listed above in particular, i.e. the manufacturers, typically provides products with digital elements. These are additionally subject to the requirements of the Cyber Resilience Act, which must be implemented by December 11, 2027. Furthermore, by December 9, 2026, EU member states must transpose the new provisions of the EU Product Liability Directive into national law, making them enforceable from that point onward. For these entities as well, waiting for national implementation laws is not the best strategy. Internal processes will inevitably need to be adapted, and this typically requires time and experience. Organizations should therefore begin preparing early to ensure they are well positioned, especially when working with clients.

The other three categories of entities mentioned above are already subject to similar obligations under telecommunications law. This means that, in this context, manufacturers are the primary target group for the new cybersecurity requirements.

DORA: Affects the Indirect Supply Chain as well

For the financial sector, the requirements concerning the supply chain – referred to here as “ICT third-party service providers” – have been tightened compared to NIS2. In addition to the DORA Regulation itself, numerous delegated and implementing acts at EU level specify what must be implemented:

  • for ensuring ICT operational resilience;
  • in the procurement, development and maintenance of ICT systems;
  • in the contractual terms to be agreed upon;
  • in the reporting of serious ICT-related incidents; and
  • in the event of a failure of a relevant ICT third-party service provider.

Under DORA, the suppliers and service providers (subcontractors) used by an ICT third-party service provider must be disclosed by the commissioned vendor to the principal financial entity, including the name of the ultimate parent company. This information must be entered into a dedicated information register, which is subject to targeted review by the financial supervisory authority. If an ICT third-party service provider or one of its subcontractors is considered “critical” for the financial sector, because at least 10 percent of financial entities are served by that part of the supply chain, it becomes subject to additional oversight by the supervisory authority itself.

Entities subject to these obligations are:

  • service providers involved in ICT project management;
  • service providers involved in business analysis, software design, software development, and software testing;
  • service providers involved in helpdesk support and first-level support for ICT incidents;
  • service providers involved in protection, detection, response, and recovery of ICT security, including incident handling and forensics;
  • providers of ICT infrastructure, operating resources, or hosting services;
  • providers of digital processing capacity;
  • providers of data storage platforms;
  • operators of telecommunications systems;
  • providers of network infrastructure;
  • providers of end-user devices, servers, and data storage equipment;
  • providers of locally installed software;
  • service providers involved in infrastructure configuration, maintenance, installation, capacity management, business continuity management, and managed service providers;
  • providers of know-how or ICT expertise;
  • providers of cloud services (IaaS, PaaS, and SaaS); and
  • providers of risk control functions.

The number of entities required to comply is therefore significantly higher than under NIS2. And many of them are likely still unaware of their regulatory obligations under this framework.

Summary: Every IT service provider is subject to additional cybersecurity requirements

Information and communication technology now pervades nearly all areas of life and must therefore meet specific cybersecurity requirements. This applies, in effect, to the entire IT-related supply chain. Unfortunately, the full scope of this is often downplayed in current NIS2 implementation plans. The number of entities required to comply is significantly higher than such plans assume.

Over time, the growing number and complexity of security requirements – and the associated time and cost burdens – will increasingly come as a surprise to many. It is therefore advisable to prepare early for this new cybersecurity landscape. We support you in this process. With our NIS2 assessment, we have consolidated the key requirements to help you identify, prioritize, and address actionable gaps. It reflects our practical experience from over 100 KRITIS audits and gives you a clear understanding of what really matters in cybersecurity.
