Getting ready for NIS2 compliancy and assessing supply chain security


The European Parliament approved the new cybersecurity directive NIS2 at the end of 2022. This means that companies have until 16th of October 2024 to become compliant with the new directive. NIS2 has a much broader scope than the first NIS directive, and the new directive requires companies to do more regarding cybersecurity than before. One of the new aspects in NIS2 is making sure that the supply chain of any company that falls under the directive is also compliant with the directive. We see this as a good development direction, since supply chain cyberattacks saw a 62% growth last year according to Anchore.

In practice, the new directive will most likely amount to many more companies and organizations demanding an ISO/IEC 27001 certificate from their suppliers and partners. This means that getting ISO/IEC 27001 certified is very useful both for companies and organizations falling under NIS2 regulations and for companies that do business, or want to do business in the future, with organizations that need to be ready for NIS2.

It used to be that agreements or general agreements had a clause requiring the supplier to have an ISMS (Information Security Management System) that follows the guidelines of ISO/IEC 27001. But it is anticipated that it will become commonplace to also require that the ISMS in use has a completed audit.

So, if NIS2 affects your organization, take these three steps:


  • Recognize what systems and services fall under NIS2. 
  • Implement security controls and governance based on risk assessments and monitor your cybersecurity. 
  • Document everything you are doing, to ensure you can prove that you were abiding by the regulations.
  • Consider your steps towards an ISO/IEC 27001 certificate, if you anticipate that your customers or regulators will demand this from you.

We offer a tailored GAP analysis that looks at administrative infosec management, technical architecture, and the practices in software development. This analysis is well complemented by risk assessments of the supply chain, in which we look at what types of suppliers are used and in what capacity. Then we can draw up the necessary steps to improve the readiness of your organization.

It is smart to categorize suppliers in a few different ways. We can, for example, split the supplier risk analysis into three different areas that are analyzed separately and together:


  • You, our customer: the party responsible for delivering a high-quality, working and secure product or service.
  • General suppliers, as we call them, that you might employ: those that offer similar services to many system or software suppliers. These can be things like integration management, service center management or user-access management.
  • Software suppliers that provide certain more specific software to your portfolio that is part of your product or service.

When experts work together with you and your suppliers, risks and possible points of failure can be assessed. It’s then time to work on strengthening your cybersecurity readiness and implementing the best practices all throughout your supply chain. Cybersecurity is not one-and-done, so it’s best to make sure there is constant monitoring and assessment going on regarding potential threats and attack vectors. 

2NS is ready to serve as your partner in cybersecurity for all sorts of needs. 

By Juho Ranta