The European directive on cyber security (NIS2) deepens the responsibility to ensure the security of the supply chain. In the Czech Republic, specific tasks will be imposed by the new act on cybersecurity, which is now being drafted by legislators.
The NIS2 directive places a strong emphasis on supply chain security. This is because in the past, it was often the supply and subcontracting companies that caused a cyber incident to occur.
So when choosing a supplier, you will now also have to make decisions based on how they address cyber security. In other words, you only need to work with those who meet the given security criteria.
Tip: ISO 27001 certification is a good guide. It covers about 70% of the requirements set out by NIS2.
What does NIS2 supply chain management mean?
The responsibilities cover the processes for selecting suppliers, setting specific supplier requirements, contracting and ongoing controls.
Companies in “essential” regime
Must set transparent rules for supplier selection that take into account cybersecurity requirements. And continuously monitor their compliance.
They must register significant suppliers and make them aware of this registration.
Significant supplier is the operator of an information or communication system and also any other supplier that is significant in terms of the security of the information and communication system.
Significant suppliers must also carry out a risk assessment related to the performance of the contract before the contract is concluded. The recommended methodologies are set out in a separate document on the national agency (NUKIB) website.
For all suppliers, they must specify in the tender procedure how the supplier in question is to approach security in order to be able to conclude a contract with them. And to set out these rules and mutual obligations in the contract. This means, for example:
- specify the scope of access for individual staff, the methods of communication or the use and transfer of data
- specify the possibilities for customer audits
- ensure that the supplier itself maintains a specified level of security measures
- include the supplier in the crisis plan, if necessary
- describe the safe termination of cooperation in order to ensure continuity of service
- clearly agree on the mutual contractual responsibility for these measures
Supplier chaining is also an absolutely key part of the agreement, which means that any potential subcontractors will also have to comply with the set rules.
Companies in an “important” regime
The rules are of course more concise. The basic principle is to set out in the contract the methods of implementing security measures and the mutual contractual responsibility for their compliance and control.
Specifically, again, it concerns information security (access, permissions, confidentiality, integrity and availability of the service), compliance with minimum security rules, ensuring business continuity, rules for termination of the contractual relationship. Here too, subcontractors will need to be covered.
Risk assessment of suppliers
A controversial innovation that has been included in the draft law is the evaluation of risky suppliers with regard to the security of the Czech Republic and its strategic interests. This will only apply to the most important or largest companies in the “essential” regime, and the security of suppliers will be evaluated by the national cyber security agency (NUKIB).
If a risk is identified, this authority may restrict or completely ban cooperation with certain companies in selected areas. This would apply to companies such as Huawei that are suspected of collaborating with authoritarian regimes.
Enhance the cyber security of your supply chain in peace, before the law imposes it on you. We’ll help you set up processes and standards that you can then easily apply to your tenders, procurements and contracts. Let us know and we’ll get started.