More and more organisations are realising that their digital security depends not only on their own security measures, but also on the level of protection of their partners. High-profile incidents in recent years have shown that cybercriminals are increasingly attacking through the supply chain, exploiting weaker links in suppliers or subcontractors to reach their intended target. According to data from the European Network and Information Security Agency (ENISA), between 39% and 62% of companies have experienced an incident caused by a third party, and in 2021, as many as 17% of security breaches began with the compromise of a supplier, compared to less than 1% a year earlier.
At the same time, there is a growing awareness that trust in business partners can be abused, with nearly 40% of organisations reporting real consequences from such incidents and 58% of CEOs rating their partners’ security as weaker than their own. As a result, supply chain security has become a key priority for both companies and regulators. The EU’s NIS2 Directive explicitly emphasises the importance of this area by introducing specific, stringent requirements for cybersecurity management in relation to suppliers and subcontractors.
Why has supply chain security become a priority?
Today’s supply chain is often a complex network of connections – from technology and IT service providers, through outsourcing companies, to open-source projects. Each piece of this puzzle can affect the security of the entire organisation. An attack on a software or service provider can result in massive breaches for its customers. A striking example of this was the global SolarWinds incident, in which malicious code in a software update spread to thousands of organisations. Cases of supply chain attacks have also been reported in Poland, e.g. by infecting popular programming libraries used in many systems. The statistics are alarming: as mentioned above, in just one year the number of supply chain breaches increased several times over. ENISA reports also indicate that two-thirds of supply chain attacks exploit customer trust in the supplier, and victims are often unaware that their security has been compromised through a partner. Criminals target managed service providers and commonly used components (e.g. open-source repositories) in particular, hoping for a domino effect.
The consequences of such incidents go beyond technical issues and pose a real business risk. Loss of business continuity, customer data leaks or damage to reputation can affect a company just as severely as a direct attack. That is why company management boards are increasingly recognising that their cyber resilience depends on the resilience of their suppliers. In the study cited above, 58% of CEOs admitted that the lower cyber resilience of their business partners would change their approach to security. In other words, organisations must look beyond their own walls and actively manage risk across their entire ecosystem. Legal regulations, including NIS2, are only accelerating this change in approach by requiring companies to take specific measures to secure their supply chains.
New requirements for the supply chain and subcontractors under NIS2
The NIS2 Directive is a landmark EU law that shifts the burden of responsibility for cybersecurity to relationships with suppliers and third parties. Organisations covered by the regulation must actively manage risk throughout the supply chain, treating it as a mandatory component of their security system rather than just good practice. Under the NIS2 approach, outsourcing does not exempt companies from responsibility.
The regulations impose an obligation to implement a supply chain security policy, covering both the risk assessment of service providers and the adaptation of security requirements to the role of the supplier in the organisation’s infrastructure. It is crucial to establish clear criteria for selecting and evaluating partners, namely their security practices, the compliance of their products/services with our standards, the possibility of replacing them in the event of a threat, and the degree of potential dependency (vendor lock-in).
Continuous monitoring is equally important, as organisations must keep records of key suppliers and regularly update risk assessments, especially in light of new threats or vulnerability information. At the same time, the supply chain policy review should be conducted at least once a year and respond to changes in the security level of partners.
At the EU level, NIS2 provides for coordinated risk assessment mechanisms, particularly for critical ICT technologies, which may lead to restrictions on the use of specific products or suppliers. This shows how important the issue of supply chain security has become in strategic terms.
In summary, NIS2 imposes an obligation on organisations not only to assess but also to actively manage the security of their suppliers. This means formal policies, rigorous selection, continuous monitoring, compliance verification and clear contractual provisions, all under the supervision of senior management.
Management responsibility and supervision of subcontractors according to NIS2
One of the most important assumptions of NIS2 is that cybersecurity is a strategic issue and a responsibility of management. Members of management are not only responsible for approving and supervising the implementation of security measures. They must also demonstrate knowledge of cyber risks in relation to suppliers. Outsourcing does not exempt an organisation from its responsibilities; even if services are provided by an external partner, the organisation is accountable to the regulator for their security.
Violations can result in severe sanctions, both financial and personal. Member States are introducing legislation providing for penalties for managers for gross negligence, including disqualification from office, fines or administrative liability. For management boards, this means that they must exercise real, rather than just formal, oversight of supply chain risks.
Regular reports on the security status of suppliers, progress in implementing policies, and detected gaps are key. It is also worth appointing individuals or committees responsible for oversight (e.g. CISO, risk committees). Contracts play a particularly important role, as they must include clauses on security requirements, incident reporting obligations, audit rights, vulnerability management, subcontracting rules (the ‘flow-down’ principle) and rules for terminating cooperation (e.g. data return/deletion).
The management board should therefore ensure that cybersecurity issues are an integral part of relations with partners, from strategy to contractual provisions. This requires cooperation between departments (including procurement, legal, IT, and security) and the establishment of a permanent oversight mechanism. In light of NIS2, third-party risk management is no longer a choice, but a legal obligation and an essential element of corporate governance.
Recommendations and practical guidance for organisations to ensure compliance with NIS2
In light of the new regulatory requirements, boards and senior management should implement specific measures to protect the organisation from risk and ensure compliance with NIS2, particularly in terms of supply chain security and subcontractor oversight. Here are the key steps:
1. Develop a formal supply chain security policy
Create a formal document setting out the rules for supplier classification, risk assessment, security requirements, communication and incident response. The policy must be approved by the board and known to all parties involved.
2. Identify and catalogue your suppliers
Identify key partners, especially those with access to systems or data. Assign risk levels (high/medium/low) depending on the impact on your business.
3. Conduct a supplier security assessment
For existing and new critical suppliers, implement a formal process for assessing their cybersecurity (known as cyber due diligence). This includes gathering information on security practices, verifying certifications, and analysing reports or audit results. For key partners, consider commissioning a security audit of the supplier or requiring independent penetration testing of their systems.
4. Include cybersecurity requirements in supplier contracts
Ensure that every contract with a significant supplier includes dedicated security clauses. In light of NIS2, the key requirements include, among others:
- minimum security requirements that the supplier must meet;
- the requirement for the supplier’s personnel to be trained in security and to have the appropriate qualifications;
- the obligation to verify key employees of the supplier;
- the obligation to report security incidents without undue delay;
- the right to conduct security audits at the supplier’s premises or to receive regular reports from independent audits;
- the supplier’s obligation to manage vulnerabilities (e.g. to immediately install critical security patches in its products/services);
- restrictions on the supplier’s subcontractors: if further subcontracting is allowed, the supplier must require its subcontractors to meet the same security standards as itself;
- arrangements in the event of termination of cooperation.
5. Monitor supplier security on an ongoing basis
Establish a process for continuously monitoring key suppliers throughout the duration of the contract. It is becoming common practice to use dedicated IT tools that provide information on the security status of partners (e.g., scoring platforms that track publicly available supplier security indicators such as vulnerabilities in their infrastructure, data leaks, certificates, etc.). Also conduct regular reviews, e.g. quarterly meetings with key suppliers, during which security issues, reported incidents and improvement plans are discussed. Respond to warning signs, such as an increase in the number of incidents or a lack of response to vulnerabilities.
6. Prepare for an incident involving a supplier
Ensure that your incident response plan also covers incidents on the supplier side. Define communication channels, joint action procedures and reporting responsibilities. Practise emergency scenarios involving suppliers.
7. Avoid dependence on a single supplier/technology
Assess your level of dependence on individual suppliers or technologies. Where possible, introduce alternatives, use open standards (e.g., interoperability standards, open data formats), and plan for emergency scenarios.
8. Build a culture of security together with your suppliers
Treat security as a shared value. Support training, knowledge sharing and the development of standards among key partners. Communicate clearly that security is a key evaluation criterion and a condition for cooperation. Also, ensure that internal teams (including IT, procurement, and legal) understand the importance of cybersecurity.
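The steps above (cataloguing suppliers with risk tiers, checking contracts for the required clauses, reviewing assessments on a fixed cadence and reacting to warning signs) can be kept honest with a small supplier risk register. The following Python script is an added illustration for this article, not ENISA, NIS2 or any vendor’s tooling; the supplier records, dates, the 90/180-day review intervals for high and medium tiers and the 14-day critical-patch SLA are all constructed assumptions (only the annual review floor comes from the text).

```python
"""Supplier risk register: tiering, review cadence, contract-clause gaps and warning signs.

Added example for this article (constructed sample data; not a real register).
"""
from dataclasses import dataclass, field
from datetime import date

# Review cadence per tier. The article requires a policy review at least once a
# year; the shorter intervals for high and medium tiers are assumed values.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}

# Assumed SLA: days a supplier may leave a critical vulnerability unpatched.
CRITICAL_PATCH_SLA_DAYS = 14

# Contract clauses the article lists as key under NIS2 (names are ours).
REQUIRED_CLAUSES = {
    "minimum_security_requirements", "staff_training", "personnel_vetting",
    "incident_reporting", "audit_rights", "vulnerability_management",
    "subcontractor_flow_down", "termination_arrangements",
}


@dataclass
class Supplier:
    name: str
    has_system_access: bool
    has_data_access: bool
    business_impact: str                 # "critical", "significant" or "minor"
    last_review: date
    contract_clauses: set = field(default_factory=set)
    incidents_per_quarter: list = field(default_factory=list)  # oldest first
    open_critical_vulns: list = field(default_factory=list)    # disclosure dates


def classify(s: Supplier) -> str:
    """Step 2: tier by access to systems/data and impact on the business."""
    if s.business_impact == "critical" or (s.has_system_access and s.has_data_access):
        return "high"
    if s.business_impact == "significant" or s.has_system_access or s.has_data_access:
        return "medium"
    return "low"


def review_overdue(s: Supplier, today: date) -> bool:
    """Step 5 / annual review rule: has the tier's review interval elapsed?"""
    return (today - s.last_review).days > REVIEW_INTERVAL_DAYS[classify(s)]


def missing_clauses(s: Supplier) -> list:
    """Step 4: which of the required contract clauses are absent."""
    return sorted(REQUIRED_CLAUSES - s.contract_clauses)


def warning_signs(s: Supplier, today: date) -> list:
    """Step 5: rising incident trend or critical vulnerabilities left beyond SLA."""
    signs = []
    q = s.incidents_per_quarter
    if len(q) >= 3 and q[-1] > q[-2] > q[-3]:
        signs.append("rising incident trend")
    overdue = [d for d in s.open_critical_vulns if (today - d).days > CRITICAL_PATCH_SLA_DAYS]
    if overdue:
        signs.append(f"{len(overdue)} critical vulnerability(ies) unpatched beyond SLA")
    return signs


def assess_register(suppliers: list, today: date) -> dict:
    """Build the per-supplier findings a board report would be based on."""
    return {
        s.name: {
            "tier": classify(s),
            "review_overdue": review_overdue(s, today),
            "missing_clauses": missing_clauses(s),
            "warning_signs": warning_signs(s, today),
        }
        for s in suppliers
    }


# Constructed sample register and reference date.
TODAY = date(2024, 6, 1)
SAMPLE_SUPPLIERS = [
    Supplier("Cloud hosting provider (sample)", True, True, "critical", date(2024, 1, 15),
             set(REQUIRED_CLAUSES), [1, 2, 4], [date(2024, 5, 1)]),
    Supplier("Payroll SaaS (sample)", False, True, "significant", date(2024, 3, 1),
             REQUIRED_CLAUSES - {"audit_rights", "subcontractor_flow_down"}, [0, 1, 0],
             [date(2024, 5, 25)]),
    Supplier("Office supplies vendor (sample)", False, False, "minor", date(2023, 4, 1)),
]

if __name__ == "__main__":
    for name, findings in assess_register(SAMPLE_SUPPLIERS, TODAY).items():
        print(name, findings)
```

Run as a script it prints one findings line per supplier; in practice the register would be fed from the procurement system and the output would drive the quarterly supplier reviews and the board report mentioned above.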
These actions constitute the practical implementation of third-party risk management in accordance with NIS2. Although they require commitment, failing to take them may result in real regulatory and operational risks. The first step should be to assess the current situation and then implement a remediation plan tailored to the structure and maturity of the organisation.
Summary
Supply chain and subcontractor security is no longer just a buzzword, but has become a hard legal requirement and a key element of business resilience. NIS2 clearly states that every company covered by the directive must actively manage risks in the supply chain, from formal policies and procedures, through contractual provisions, to active oversight by senior management. Neglecting these issues can result in serious sanctions, but above all, it increases the likelihood of a serious incident that will disrupt the company’s operations.
For boards of directors, this means viewing supply chain security not as an additional obligation, but as a strategic element of company management. Organisations that are able to effectively monitor and control their partners are better prepared for disruptions, both technological and operational. What is more, compliance with NIS2 can be seen by customers and contractors as proof of credibility and a competitive advantage.
Implementing security principles in the supply chain requires cross-departmental collaboration and a change in mindset, but the benefits are long-term. As the old saying goes, ‘we are only as secure as our weakest link,’ which is why it is important to ensure that there are no weak links in our ecosystem.