Preparing Third-Party Risk Management for the EU’s NIS 2 Directive

Cybersecurity risk in supply chains continues to be a global issue that can greatly impact an organization’s operational resilience. As a result, many countries have established legislation and directives to standardize cybersecurity practices across various industries. The EU has released two notable pieces of legislation: the Digital Operational Resilience Act (DORA) and the updated Network and Information Security (NIS) Directive. While DORA is intended for financial institutions, NIS 2 is much broader in scope and applies to “essential and important entities.” NIS 2 is intended to strengthen cybersecurity efforts across industries such as energy, healthcare, transportation, and digital services.

This blog will cover some of the basic cybersecurity measures of the EU’s NIS 2 Directive. We’ll take a closer look at the incident management guidelines that NIS 2 establishes, although the Directive covers a wide range of topics that may be applicable to your organization. You’ll also learn some practical tips on aligning your third-party risk management program (TPRM) to the Directive’s supply chain cybersecurity goals. 

Note: Excerpts from the NIS 2 Directive are noted in italics.

What the EU’s NIS 2 Directive Is and its Supply Chain Requirements 

According to the Directive, Member States of the EU must have adopted and published compliance measures by October 17, 2024, in areas including supply chain security, incident handling, and business continuity, although there are currently delays as Member States interpret and apply the directive. Unlike DORA, which gives specific requirements for organizations to follow, NIS 2 sets guidelines and directions for how an organization can meet certain goals. Each Member State must determine for itself how to achieve those goals through its own laws and regulations. 

For instance, the Directive requires organizations to implement basic cyber hygiene practices and cybersecurity training. This is a clear goal, yet it doesn’t describe what these practices must include or how the training must be carried out in terms of frequency, testing requirements, and certification. Under Article 21, NIS 2 outlines the following minimum requirements for cybersecurity risk management measures:

(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

NIS 2 Incident Management Requirements and Third-Party Considerations   

While many of these NIS 2 measures are general cybersecurity practices that Member States will likely expand on, others are supplemented with more detailed articles, particularly on incident management requirements. Organizations will have to report significant incidents, which can include any severe third-party incidents, particularly if the third-party stores, transmits, accesses, or processes your organization’s data. 

NIS 2 defines incident handling as procedures that incorporate methods of prevention, detection, analysis, containment and/or response, and recovery. Article 10 requires each Member State to establish one or more computer security incident response teams (CSIRTs), while Article 23 outlines specific reporting obligations to take after an incident. 

Here are three key requirements of NIS 2 Article 23: 

• Timing – Member States must notify the CSIRT or competent authority within 24 hours after an early warning of a potentially significant incident. If there's an incident notification, the Member State must notify the CSIRT or competent authority within 72 hours. 
• Report details – A final report must be submitted within one month of the initial incident notification. This report should describe the severity and impact of the incident, as well as the type of threat or potential root cause. It should also describe the measures taken to mitigate the incident and whether the impact crossed borders.
• External notification – In some cases, there may be a need to notify external parties about an incident. This can include incidents that impact two or more Member States, or those in which public awareness is necessary to prevent a significant incident or to deal with an ongoing significant incident.

Tips to Align Your Third-Party Risk Management Program to the NIS 2 Directive 

As each Member State develops its own laws and regulations for NIS 2 compliance, organizations will need to re-assess their TPRM programs to identify any gaps within their supply chain management. Fortunately, there are several best practices you can implement now to help prepare for compliance. 

Here are 4 tips for mitigating cybersecurity risks within your supply chain: 

• Conduct security risk assessments – It’s essential to understand where security risks exist within your supply chain so you can determine the appropriate controls for mitigation. A security risk assessment should be performed before signing the supplier contract and periodically after to identify any new or emerging risks that need to be mitigated. This will help your organization identify the supplier’s level of risk and set the oversight frequency for the relationship. 
• Validate the supplier’s security controls – Suppliers that have access to your organization’s data should be thoroughly vetted through risk-based due diligence. This process assesses whether your supplier has robust security controls to protect your data and tracks findings that may require remediation or compensating controls to be implemented within your organization. Some documents your organization may want to review include SOC reports, testing results, and security policies. Having a qualified subject matter expert (SME) review the supplier’s documentation can identify any gaps or weaknesses that should be addressed before an incident occurs. 
• Develop an incident response plan – Make sure your organization has a documented and tested incident response plan that follows the guidelines in NIS 2. This plan should address third-party incidents, in addition to those that originate within your system. Your organization may consider requiring suppliers to notify your organization of a security incident with a certain time frame to meet NIS 2’s requirements. 
• Implement compliance requirements in supplier contracts – One of the most effective tools to manage risk in your supply chain is a well-written supplier contract. Collaborate with your legal and compliance teams to ensure your supplier contracts include strong provisions on required cybersecurity practices and regulatory compliance. This can include a right to audit provision so your organization can continuously monitor the supplier, breach notification requirements, and the safe disposal or return of any data after the relationship ends. 

NIS 2 compliance may look slightly different depending on your jurisdiction and how each Member State interprets the objectives and expectations. Following TPRM best practices and staying informed of applicable laws and regulations is an effective strategy that will prepare your organization for NIS 2 compliance.