EU directive NIS2 and its impact on the supply chain - including SMEs

Why security regulations are now becoming a burning issue for many SMEs - for technology providers as well as for technology users

The European ICT landscape is currently undergoing profound change. With the impending transposition of the NIS2 Directive into national law by the member states, which must be completed by October 17, 2024, we are witnessing one of the most significant changes in Europe's cybersecurity landscape. Now more than ever, it is essential for technology providers and users operating in international markets to understand the details of this new legislation and its potential impact on the supply chain.

What is NIS2?

The NIS2 Directive, the successor to the previous NIS Directive, is specifically concerned with improving cybersecurity across the EU. A central element of the directive is a set of standards for assessing supply chain security, aimed especially at companies above a certain minimum size that are classified as system-critical. However, the practical implementation of these standards could pose challenges, particularly with regard to the supply chain, which is central to international technology exchange. As a result, even smaller companies that are not themselves classified as system-critical quickly come within the reach of the NIS2 Directive through their role as suppliers.

Challenges and uncertainties

The NIS2 Directive introduces three mechanisms to ensure supply chain security:

• A coordinated risk assessment process at EU level.
• A national risk assessment process allowing Member States to extend the scope of the Directive.
• An internal risk assessment that evaluates specific vulnerabilities and the quality of the cybersecurity products and practices of suppliers and service providers.

These mechanisms, particularly the coordinated risk assessment, could lead to uncertainties. The criteria for this assessment, including the inclusion of non-technical aspects, could give rise to controversy.

The problem here is not only the uncertainty about the exact assessment criteria, but also the financial penalties that companies face if they are found to be non-compliant on this point, even if they meet all the other requirements of NIS2.

The supply chain in focus

For companies active in international technology exchange, the supply chain is a central element of their business. NIS2 places particular emphasis on how companies assess their supply chains and ensure they comply with the latest cybersecurity standards.

It will therefore be essential for companies like those in our target group to view the supply chain from a holistic perspective. This means they must assess not only the cybersecurity practices of their direct suppliers and service providers, but also those of the suppliers further down the chain.

The conclusion: Even international supply chains must not violate the national law that applies to the technology user

The NIS2 Directive must be transposed into national law, and the member states have considerable leeway in doing so. NIS2 clearly shows that even in international business within the EU, knowledge of local legislation is essential. Companies need to be aware of the latest developments and requirements in each Member State in which they operate or wish to do business.

Supply chains are increasingly international, yet they must not violate the national law that applies to the technology user. It is therefore important to understand, correctly interpret and reconcile these two areas: international supply chains on the one hand and local regulation on the other. Companies that succeed in this will be better positioned to reap the benefits of international technology exchange.