CyberSec Update #18 – The supply chain under NIS2
Suppliers take centre stage – does the scenario cover the supply chain?
The implementation of NIS2/UKSC does not end with internal processes. An organisation should also assess those operating ‘behind the scenes’ – suppliers, subcontractors and technology partners. It is their operational readiness that may determine whether, in the event of an incident, the prepared scenario will work in practice.
Building on the themes from previous editions of CyberSec Update – vulnerability audits, implementation plans and the development of an information security management system – the organisation should simultaneously streamline its relationships with suppliers to ensure proper risk management. The supply chain is no longer merely a logistical issue. Under the NIS2/UKSC regime, it is becoming one of the key areas of cybersecurity risk management.
Where to start in practice?
The starting point should be a review of existing contracts with suppliers and an assessment of whether they contain clauses regarding information security, incident reporting, audit rights, system access rules and minimum business continuity standards. If such provisions are missing, it is worth adding them – not as a formality, but as a real risk control tool.
Contractual provisions alone, however, are not enough. A supplier with access to critical systems, sensitive data or processes essential to business continuity should be treated as a participant in the security ecosystem – with clearly defined responsibilities, tests, communication channels and the possibility of an audit.
A document without implementation is like a play without actors or – as one national poet put it, commenting on the work of another – “like a church without God”*. Theoretical provisions cannot replace well-rehearsed roles, proven communication channels and a shared understanding of responsibilities. Therefore, incident simulations involving suppliers should become part of the preparation for NIS2/UKSC compliance, rather than a one-off exercise ‘for the purposes of an audit’.
Supplier verification – documentation and practice
Supplier verification should cover not only documentation but also operational aspects, such as security policies, penetration test results, business continuity plans and confirmation of the ability to respond to incidents. References and declarations alone are not enough. If a supplier fails to pass such a screening, it is better to have an alternative ready than to improvise in the midst of a crisis.
The role of the board and the action plan
The role of the board does not end with the approval of the implementation project. The board should receive regular reports on the state of the supply chain, identified risks, critical dependencies and the progress of corrective actions – not to analyse technical details, but to make strategic decisions regarding security and business continuity.
The clock is already ticking. Therefore, the action plan should take into account not only the organisation’s internal work, but also the time needed to review contracts, agree on addenda, verify key suppliers and conduct joint tests. In practice, it is the suppliers who may prove to be the most difficult piece of the puzzle – because their readiness does not depend solely on your organisation.
Trusted partners, clearly defined roles and well-rehearsed procedures are the best guarantee that, in the event of an incident, the organisation will respond efficiently and maintain security. It is worth treating the supply chain like a theatre stage: success depends not only on the main actors, but also on those working behind the scenes. If roles are assigned, rehearsals carried out and communication tested – even an unexpected twist need not end in disaster.
*Adam Mickiewicz on the work of Juliusz Słowacki