NIS2 Directive on Secure Supply Chains

Christina Peeters
4/27/2026

Reading Time: 6 min.


The NIS2 Directive tightens cybersecurity and supply chain requirements. Find out who is affected and how you can secure your supply chain now.

Cyberattacks on businesses are on the rise worldwide. For many companies, it is no longer a question of whether they will be affected, but when. Particularly critical: attacks are increasingly targeting not just individual organizations, but entire supply chains. And when suppliers, logistics providers, or software vendors are compromised, an attack can quickly spread across multiple companies. Production outages, data loss, or delivery delays are often the result.

The European Union is responding to this very development with the NIS2 Directive (Network and Information Security Directive). It significantly tightens cybersecurity requirements and expands its scope to include many companies.

For procurement, this represents a paradigm shift: cybersecurity is no longer just an IT issue. It is becoming a central component of risk management throughout the entire supply chain.

Why Cyberattacks Are Increasingly Threatening Supply Chains

Modern supply chains are highly interconnected. Companies work with international suppliers, digital platforms, and cloud-based systems. While this interconnectedness boosts efficiency, it also increases the attack surface.

Cybercriminals specifically exploit vulnerabilities at partner companies to infiltrate larger systems. Instead of directly attacking a well-protected company, they often take a detour through less secure suppliers.

Typical attack scenarios include:

  • Tampered third-party software updates

  • Access via insecure interfaces in supplier portals

  • Phishing attacks targeting employees of partner companies

  • Compromised cloud services

The consequences are significant: production downtime, delivery delays, and substantial financial losses are often accompanied by lasting damage to reputation. This is precisely why supply chain security is increasingly becoming a focus of regulatory requirements.

What is the NIS2 Directive?

The NIS2 Directive is an EU-wide regulation aimed at strengthening cybersecurity. It replaces the original NIS Directive from 2016 and significantly expands its requirements.

The goal is to establish a uniformly high level of security for network and information systems across the European Union. Companies are expected to be better prepared for cyberattacks, systematically manage risks, and report security incidents more quickly.

With its implementation, which in Germany involves, among other things, amendments to the BSI Act, the new requirements apply to significantly more companies than before.

The main objectives of the directive are:

  • Strengthening cybersecurity standards

  • Harmonization within the EU

  • Increasing the resilience of critical infrastructure and supply chains

By when must the directive be implemented?

The NIS2 Directive is already in force at the EU level and was supposed to have been transposed into national law by October 2024. In Germany, full implementation is currently still in the legislative process.

For the companies affected, however, this does not mean a delay: the requirements are effectively already serving as the standard for cybersecurity today and are increasingly being demanded by authorities and business partners.

Who is affected?

One of the most important questions is whether your company is affected by the NIS2 Directive. The answer is now significantly broader than under previous regulations. This is because, in addition to traditional operators of critical infrastructure, many companies in the industrial, logistics, and digital sectors are now also subject to the new requirements.

The affected sectors include, among others:

  • Energy supply

  • Transportation and logistics

  • Healthcare

  • Digital services and cloud providers

  • Manufacturers of critical products

  • Telecommunications

  • Water and waste management

However, it is crucial to note that even companies not classified as critical themselves may be affected. This is because any entity that is part of a security-relevant supply chain automatically falls under the scope of these requirements.

As a result, NIS2 also affects many companies in procurement, production, and international sourcing.

Why the Supply Chain Is a Key Focus of the NIS2 Directive

A key difference from previous regulations is the greater emphasis on the supply chain. Cyber risks often do not originate within a company itself, but rather with external partners.

For example: A company uses third-party software. If this software is compromised, malware can enter internal systems unnoticed. Similar risks arise from insecure IoT devices, external service providers, or digital interfaces.

The NIS2 Directive therefore requires comprehensive risk management throughout the entire supply chain.

Specifically, this means:

  • Identifying and assessing risks at suppliers

  • Ensuring security standards are met by partners as well

  • Making dependencies within the supply chain transparent

Cybersecurity thus becomes a shared responsibility that extends beyond company boundaries.

6 Key NIS2 Requirements for Businesses

To this end, the directive defines a series of measures that affected companies must implement. These measures cover both organizational processes and technical security measures.

1. Risk Management in the Supply Chain

Companies must systematically analyze risks to their IT systems and processes and implement appropriate protective measures.

2. Security Measures in the Supply Chain

Supplier security becomes a mandatory component of risk management. Companies must verify that their partners meet appropriate security standards.

3. Reporting Requirements for Cyber Incidents

Security incidents must be reported promptly. As a rule, an initial report must be submitted within 24 hours and a detailed report within 72 hours.

4. Business Continuity and Crisis Management

Companies must ensure that they remain operational even in the event of an attack. This includes backup strategies and emergency plans.

5. Documentation and Evidence

All measures must be documented and verified upon request by authorities.

6. Management Responsibility

Company management bears clear responsibility for implementation. Violations can lead to personal liability risks.

What penalties apply for violations?

With NIS2, the pressure on companies is also increasing significantly. Violations of the directive can have serious consequences.

Critical infrastructure operators face fines of up to 10 million euros or 2 percent of their global annual turnover. Important infrastructure operators can be fined up to 7 million euros or 1.4 percent of their annual turnover.

In addition, personal liability risks may arise for management. In serious cases, the ability to hold management positions may be restricted.

Compliance with the directive is therefore not only a technical necessity but also a strategic and legal one.

How Companies Can Make Their Supply Chains NIS2-Compliant

To meet the requirements of the NIS2 Directive, companies should systematically review and adapt their supply chains.

Analyze Supplier Risks

A first step is to identify potential risks within the supply chain. Which partners have access to sensitive data or systems? Which suppliers play a critical role in production processes?

Establish Security Requirements in Contracts

Companies can stipulate minimum IT security requirements in supplier contracts. These include, for example, security certifications, regular audits, or reporting obligations in the event of security incidents.

Create Transparency in the Supply Chain

The better companies understand their supply chains, the easier it is to identify risks. Digital tools can help visualize supplier structures and identify risks early on.

Establish Incident Management

In addition to prevention, a clear approach to handling security incidents is also important. Companies should define processes for how to respond in the event of a cyberattack and which partners must be notified.

Why Digital Transparency Is Now Critical

The requirements of the NIS2 Directive make it clear that traditional, non-transparent supply chains are reaching their limits.

Companies must be able to track the following at all times:

  • which suppliers are involved

  • which systems are interconnected

  • where potential risks arise

Digital solutions play a central role in this. Supply chain dashboards and integrated platforms make it possible to analyze data in real time, identify risks, and make informed decisions.

This transforms reactive problem-solving into proactive risk management and turns fragmented supply chains into controllable, transparent ones.

NIS2 as an Opportunity for More Resilient Supply Chains

Even though the NIS2 Directive may initially seem like an additional regulatory burden, it offers clear advantages to companies.

By making supply chains transparent, identifying risks early on, and establishing security standards, companies can reduce disruptions, costs, and uncertainties in the long term. Especially in global procurement structures, resilience becomes a decisive competitive advantage.

Line Up supports companies in making their supply chains more transparent, efficient, and resilient. From supplier selection to digital supply chain management, clear structures are created that make risks visible and accelerate decision-making. In this way, companies lay the foundation for secure, resilient, and sustainable procurement.
