How will NIS2 affect the supply chain security approach?

How will NIS2 affect the supply chain security approach?

Related topics

One of the most important elements of the NIS2 Directive are standards for assessing supply chain security. Will the practical implementation of those standards be problematic? 

Supply chain issues are regulated in the Article 21(2)(d) of the NIS2 Directive. According to this provision, one of the responsibilities of key and important entities will be to put in place appropriate and proportionate technical, operational and organizational measures to ensure supply chain security.

The NIS2 Directive provides three mechanisms to guarantee supply chain security:

  • The first one is a procedure, carried out at EU level, to assess the level of risk of a specific supply chain- this is so called a coordinated risk assessment.  
  • The second procedure is somewhat hidden in the text of the NIS2 Directive, as it includes all the powers of Member States to extend the scope of the directive to entities originally outside its scope. This procedure may be determined as a national risk assessment.
  • The third mechanism is the obligation provided for in the Article 21(2)(d) of the NIS2 Directive, which can be described as an internal risk assessment.

The NIS2 Directive indicates that those covered by NIS2 obligations should consider the vulnerabilities specific to each direct supplier and service provider and the overall quality of their suppliers' and service providers' cybersecurity products and practices, including their secure development procedures. In particular, the obligation to assess/predict how a given product will be developed should be taken into account, as it may be an organizational challenge for entities that do not have sufficient human and technical resources.

Another obligation under the NIS2 Directive is the need to take into account the results of coordinated security risk assessments of critical supply chains carried out in accordance with the Article 22(1) of the NIS2 Directive. The coordinated risk assessment is the most controversial because of the scope of the criteria for this assessment, including the inclusion of non-technical aspects in the assessment.

Coordinated risk assessment

The legal basis for this procedure is stipulated in the Article 22 of the NIS2 Directive. However, the key criteria and conditions for carrying out this procedure are provided for in the recitals of the directive, in particular in recitals (90) and (91). In general, it is a two-stage procedure:

  • The procedure is initiated by the Cooperation Group (the Article 14 of the NIS2 Directive) to mitigate key supply chain risks.
  • After consultation with the ENISA and the Commission, and in some cases stakeholders, a coordinated security risk assessment of critical supply chains is carried out.

First of all, business entities may consider what criteria are behind the selection of a specific supply chain. In this respect, the directive does not provide any information, apart from the reference to the 5G Toolbox as a model procedure for subsequent coordinated risk assessments. At this point, it can be concluded that, given the structure of a body like the Cooperation Group (representatives of Member States, the ENISA and the Commission), this should be a decision based on a broad political consensus. 


The purpose of this procedure is to identify measures, risk mitigation plans and best practices to address critical dependencies, potential single points of failure, threats, vulnerabilities and other supply chain risks. The other purpose it to explore ways to further encourage greater use by key and important stakeholders.



The criteria on which the evaluation part of the procedure will be based, cover five issues and all relate to ICT services, systems and products:

Firstly, the extent of their use and the level of dependence on them.

Secondly, their importance in performing critical or sensitive functions.

Thirdly, the availability of alternatives.

Fourthly, their resilience to disruption throughout their whole life cycle. 

Fifth, their potential future significance.


These criteria can be described as technical factors. In recital (90) of the directive, so called non-technical factors are also indicated. This is, in particular, undue influence by a third country on suppliers and service providers, such as technological lock-in, provider dependency or hidden backdoors.

Implications for businesses of a coordinated supply chain risk assessment

In order to understand the implications for businesses, it is necessary to refer to the Article 21 of the NIS2 Directive, in which the detailed obligations of key and important entities are regulated. According to the section 3 of this provision, when assessing compliance with the NIS2 Directive obligations, Member States must take into account the results of a coordinated risk assessment. This small mention can have important implications for businesses. Indeed, if an entity ensures compliance with the NIS2 Directive, which means, in a nutshell, fulfilling the requirements of the Article 21 of the NIS2 Directive, it may still be considered non-compliant solely because it has not taken into account the results of the aforementioned procedure. This may even entail the imposition of financial penalties under the NIS2 Directive.

It will therefore be crucial for businesses to monitor the ongoing work towards further coordinated risk assessments. Indeed, it may turn out that even the thorough implementation of the NIS2 Directive requirements will not be enough if there is an entity within our supply chain that is deemed to be particularly risky under a coordinated risk assessment.

National risk assessment

This procedure is not mentioned directly in the text of the directive. It is an umbrella term for a number of powers of Member States to extend the personal scope of the NIS2 Directive. These powers are found in the Article 2(2)(b, c, d and e) of the NIS2 Directive, allowing the directive also applies to:


  • Entities that are the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities.
  • Entities providing services the disruption of which could have a significant impact on public safety, public security or public health.
  • Entities providing services the disruption of which could lead to a serious systemic risk, in particular in sectors where such a disruption could have a cross-border impact.
  • Critical entities because of its particular importance at national or regional level for a specific sector or type of service or for other interdependent sectors in a Member State.

Two conclusions are worth drawing from the above. First, that the scope provided for in the directive may be significantly modified in the process of implementing the NIS2 Directive into the national legal order. This continues with the second conclusion that, even after the implementation of the NIS2 Directive, an entity previously not covered by any obligations may be subject to the full scope of those obligations if it fits into any of the conditions enumerated above.

Internal risk assessment

The internal risk assessment constitutes an obligation of key and important entities and is an obligation of a technical nature. In the recitals and provisions of the directive several important indications are indicated as to its implementation.

Firstly, it will be very important to pay attention to the content of national cybersecurity strategies. These strategies should be the source of information about the approach of a given Member State to the enforcement of this obligation. It is also worth paying attention to other documents such as the National Plan for the Protection of Critical Infrastructure. The analysis of a supply chain protection practice in a given Member State must be as holistic as possible.

Secondly, it is worth noting the powers and purpose of the CSIRT network, which, at the request of a key or important entity, can monitor its assets connected to the internet.

And thirdly, and most importantly, attention should be drawn to the content of recital (85) of the directive, which emphasizes the specific role of data storage and processing service providers, cybersecurity management and software editors. The need to assess the level of risk and maturity of third parties in the supply chain is also pointed out.

NIS2 Directive and the UKSC amendment from a supply chain perspective

The draft amendment to the Act on the National Cyber Security System (UKSC, UD68), which is currently under procedure, was adopted by the Standing Committee of the Council of Ministers at the end of April this year. Many of the solutions envisaged in the draft are somewhat controversial, particularly those relating to 5G. From a supply chain perspective, it is worth noting the concept of high-risk vendors (HRVs). While the control mechanism provided for in the NIS2 Directive will operate only in the case of inspections (until then, it is the responsibility of entities covered by the NIS2 Directive to manage the risk), in the solution provided for in the draft amendment to the UKSC, it is the competent minister who will determine which entity will be deemed a high-risk vendor. This solution therefore clearly contradicts the NIS2 Directive.

Conclusions

The risk assessment mechanisms provided for in the NIS2 Directive, are extensive and multi-level. Appropriate solutions, can be used at both international and national level. The obligations imposed on the key and important entities are also of significance. For businesses, it is important to keep in mind the implementation process, which, as the Polish example shows, can be very complicated.

Further developments in both national and EU cybersecurity legislation are worth monitoring. As can be seen from the regulation of supply chain security in the NIS2 Directive, the issues of interest may turn out to be much broader than would appear from a cursory reading of the text of a directive or regulation. 



Summary

The NIS2 Directive was adopted on 28 November 2022 (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022). Its main goal is to raise the overall level of cybersecurity in the EU. One of the most important elements of this directive are standards for assessing supply chain security. Will the practical implementation of the NIS2 Directive objectives be problematic?

Contact


About this article

Contributors

Related articles

Akt w sprawie danych (Data Act) – kolejny krok na drodze do realizacji europejskiej strategii w zakresie danych

Akt w sprawie danych reguluje kwestie związane z dostępem do danych oraz możliwością ich przekazywania w relacji pomiędzy przedsiębiorcami, jak również kwestie związane z uzyskaniem dostępu do danych przez organy sektora publicznego celem rozwiązania istotnych problemów społecznych i politycznych.

Dyrektywa Omnibus – nowe narzędzie do zwiększenia ochrony konsumentów w UE

Dyrektywa Omnibus zwiększy ochronę praw konsumentów w zakresie zakupów w Internecie, ale także wprowadzi szereg nowych wymogów dla podmiotów prowadzących działalność w sieci.