
A pragmatic approach to supply chain security under NIS2 – Part 2


In the first article of the series, we discussed how risk management and regulatory compliance have become the new pillars of Supply Chain Management (SCM). In this second part, we dive deeper into a specific aspect that is becoming increasingly important: supply chain security in light of the NIS2 Directive. This European directive, implemented in the Netherlands through the Cyber Security Act (Cyberbeveiligingswet), aims to strengthen the cyber security of the networks and information systems of essential and important entities. But how do you apply its requirements in practice? In this article, we describe a pragmatic approach to securing your supply chain while remaining compliant.

Risk management at the heart of NIS2

The NIS2 directive requires organizations that are critical to the economy and society, such as energy companies, the transport sector and financial institutions, to take appropriate and proportionate measures to manage their cyber security risks. We see risk management as the core of the directive: it requires organizations to identify, assess and, where necessary, mitigate threats. Supply chain risk management is explicitly part of this. A pragmatic approach is therefore risk-based: identify all third parties and classify them according to their importance to your operations and the risk they introduce. This classification drives the rest of the due diligence process: the higher the risk of the third party, the more extensive the due diligence and the more security measures you require of it.


Use of best practices

But how do you determine which classification a third party belongs to? What questions do you ask during due diligence? And how do you evaluate the answers? These are crucial steps in managing supply chain risk, and they need well thought-out content. A pragmatic approach draws on best practices, such as risk classifications and due diligence questionnaires based on widely used standards and frameworks such as ISO/IEC 27001 or the NIST Cybersecurity Framework. These provide a solid foundation for third-party assessments and significantly improve the consistency and reliability of the resulting risk ratings.

At Eraneos, we go a step further. We enrich these standard questionnaires with the practical experience and insights gained in numerous projects across different sectors. The result is content that not only meets the standards but is also practically applicable and tailored to the specific needs of your organization. This makes risk management more efficient and more effective.

Ownership as the key to success

Another essential element of a pragmatic approach is clearly assigning ownership within the organization, with defined roles and responsibilities. It is critical to assign someone who has ultimate responsibility for the entire supply chain security process. This ownership is not an administrative formality but a fundamental prerequisite for success.

Securing the supply chain requires close collaboration between departments such as risk management, procurement, IT and legal. For this collaboration to be effective, the process needs a strong leader above it: a heavyweight with the authority and insight to get everyone involved on the same page. This person ensures that everyone pulls in the same direction and that the departments work together seamlessly. It is equally important that each party involved knows exactly what its role and responsibility are within the broader process. Clarity about tasks and expectations prevents misunderstandings and ensures that everyone contributes effectively to securing the supply chain.

Implementation of a uniform framework

A uniform and consistent framework is essential to ensure that all parties involved are on the same page when it comes to security. This framework should include guidelines not only for selecting suppliers, but also for negotiating contracts and managing service delivery. For example, by including a standard security clause in all vendor contracts that spells out the security measures, incident notification duties and audit rights you need in order to meet your own NIS2 obligations, you create a clear and enforceable standard for all your partners. Note that a clause which merely states that the vendor "must comply with NIS2" is hard to enforce against suppliers that are not themselves in scope of the directive; the clause should name the concrete obligations. This ensures not only uniformity, but also assurance that the supply chain meets a consistent security standard. In addition, these guidelines help streamline internal processes, improving communication and collaboration between departments such as procurement, legal and risk management.

Deploy smart tools

Securing the supply chain can be a complex and time-consuming task. This is where smart tools play an indispensable role. Many organizations still rely on manual processes, such as tracking due diligence results in Excel and exchanging questionnaires and follow-up actions by email. This approach not only increases the risk of errors, but also makes it difficult to maintain a clear and up-to-date picture of risks and outstanding follow-ups.

By using user-friendly tools such as 3rdRisk, organizations can map and manage their supply chain risks in an efficient and structured way. The advantage of such tools is that they not only help you gain an overview of all third parties, but also classify them and largely automate the due diligence process. In addition, 3rdRisk offers continuous monitoring of third parties using various data sources, so that you stay in control while significantly reducing the workload. These technologies let you react faster to potential threats and keep your supply chain dynamic and robust.

Conclusion

Securing the supply chain in line with the NIS2 directive can seem challenging, but with a pragmatic approach it becomes a manageable task. The key to success lies in a risk-based approach supported by a uniform and consistent framework. It is also essential to clearly define ownership, roles and responsibilities, and to use technology to automate time-consuming tasks. By bringing these elements together, you not only meet the NIS2 requirements, but also build a robust and resilient supply chain.


This article was written in collaboration with Jelle Groenendaal (jelle@3rdrisk.com) from 3rdRisk.

Stay tuned for part three of this series, in which we discuss supply chain security as part of DORA and provide a pragmatic approach to managing risk in the supply chain. If you want to learn more about how you can increase your resilience under NIS2 and what steps your organization needs to take to comply with the new legislation, check out our offering here.

By Rico Plomp
Senior Manager – Cyber Security

16 Sep 2024