NIS2 directive mandates in-scope organizations to enhance supply chain security, involving supplier contract renegotiations and due diligence due to cybersecurity risks. Key compliance steps include creating security policies, risk assessments, contractual flow-downs, and maintaining an up-to-date supplier register. While NIS2 primarily targets direct suppliers, it encourages consideration of their subcontractors. Challenges may arise in contract modifications with large suppliers, and the directive indirectly affects suppliers by increasing compliance expectations and assessments. Overall, NIS2 emphasizes the importance of cybersecurity in supply chains, with further guidance from the Implementing Regulation and ENISA.
