At a glance: NIS2 requires companies to monitor the cybersecurity of their suppliers and service providers and to embed these requirements in their contracts.
The NIS2 Directive extends its cybersecurity requirements across the entire supply chain: companies must now also regulate and monitor the security of their suppliers and external service providers (supply chain security is listed explicitly among the minimum risk-management measures in Article 21(2)(d) of the Directive).
The Network and Information Security Directive NIS2 closes a gap that has long existed: large organizations were required to protect their own IT infrastructure, but had no systematic obligation to address the cybersecurity standards of their suppliers. NIS2 changes this fundamentally.
For compliance officers, this means in practice: they must document their supply chain, identify which suppliers and service providers have access to critical systems or data, and verify the security controls those providers actually have in place. This applies in particular to cloud providers, software vendors, and managed service providers. The requirements follow a risk-based approach: the more critical the function or the more sensitive the data being processed, the stricter the controls must be.
In practical terms, this is implemented through security clauses in contracts, regular audits and security assessments of suppliers, and the definition of minimum standards (such as patch management or encryption). Companies should also establish escalation processes for the case that a supplier violates agreed security standards or is itself hit by a cyberattack; a supplier incident that affects the company's own services can trigger the company's own NIS2 incident-reporting obligations, so the escalation path should feed directly into the internal incident-response process.
Source: news.google.com · Published June 8, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.