The European NIS2 (Network and Information Security 2) directive sets stricter requirements for the digital resilience of organisations in essential and important sectors. It also affects the suppliers of those organisations. This article describes the impact of NIS2 on suppliers and what you can do now to prepare.
What is NIS2?
NIS2 is the successor to the original NIS directive of 2016. Its aim is to raise the common level of cybersecurity across the EU. Whereas NIS1 covered a limited number of vital sectors, NIS2 significantly expands the scope: it brings many more organisations under the directive, tightens the security and incident-reporting requirements, and explicitly requires covered organisations to manage the security of their supply chain. It is through that supply-chain requirement that the obligations reach suppliers.
Member states had to transpose NIS2 into national law by 17 October 2024. The Netherlands is still working on the law that transposes NIS2 into national legislation; this law is expected to come into force in 2025.
When are you involved as a supplier?
Organisations covered by NIS2 (such as healthcare institutions, drinking water companies, digital service providers, public administrations and financial institutions) must be able to demonstrate that their entire supply chain is resilient, not just their own systems. This means that suppliers providing digital services, IT systems or security solutions to these organisations will also come under scrutiny.
As soon as you play a direct or indirect role in the delivery of critical services or digital infrastructure, you will be expected to meet certain information security requirements, even if you are not yourself an entity covered by the directive.
What are the obligations?
Although suppliers are not always directly covered by NIS2, their clients will pass obligations down the chain. As a supplier, you may be required to:
- demonstrably implement information security measures;
- perform and document risk analyses;
- report security incidents to your client promptly (NIS2 requires covered entities to send an early warning to the authorities within 24 hours of becoming aware of a significant incident, so expect contractual reporting deadlines for suppliers to be correspondingly short);
- comply with (derived) requirements based on ISO 27001, NEN 7510 or other standards;
- cooperate in audits or supply-chain tests;
- regularly review and update your security level.
Contracts will increasingly include provisions formalising these obligations.
As a supplier, what should you do now?
- Map your customers:
Do you work for organisations in critical or vital sectors? Then NIS2 very likely applies to you indirectly, through the requirements those clients must place on their suppliers.
- Evaluate your own information security:
Do you have policies, procedures and technical measures in place? And can you demonstrate this to a client or auditor with documentation and evidence, rather than only describing it?
- Consider certification:
An independent audit based on, for example, ISO 27001 or the CCV certification scheme can help demonstrate your reliability to clients.
- Be prepared for contractual requirements:
Expect stricter agreements on security measures, incident reporting obligations and audit rights. Make sure your organisation can actually meet them before you sign.
- Follow developments:
The national implementation of NIS2 is still evolving. Keep an eye on legislation and sector-specific elaborations.
How can DigiTrust support?
DigiTrust conducts independent audits in the field of information security and privacy. Because we are not involved in implementation or consultancy, our assessment is objective and reliable. This helps you support your clients in meeting their NIS2 obligations, without surprises of your own.
Want to know which certification schemes or assessment frameworks are relevant to your organisation? Then contact us for more information.