
NIS2 Directive: Supply Chain Compliance Mandatory from October

Key Takeaway: From October 2024, NIS2 requires in-scope organizations to extend their cybersecurity requirements to their supply chains and to include third-party providers in ongoing security risk assessments.

The NIS2 Directive (Directive (EU) 2022/2555) had to be transposed into national law by 17 October 2024 and extends cybersecurity obligations to the supply chain. CISOs must integrate vendor risk management and third-party controls into their security governance.

The EU's Network and Information Security Directive 2 (NIS2) requires, from October 2024, that in-scope organizations bring the cybersecurity of their suppliers and service providers within the scope of their security governance. This applies not only to operators of critical infrastructure ("essential entities") but also to a broader set of "important entities", including digital infrastructure operators and providers of digital services, across an expanded list of sectors.

Specifically, NIS2 requires affected entities to assess third-party risk on an ongoing basis, to maintain a documented supply chain security policy, and to include security requirements in supplier contracts. Suppliers are expected to demonstrate compliance with defined minimum requirements in areas such as asset management, access control, cryptography, and incident handling, which mirror the risk-management measures listed in Article 21 of the directive. Non-compliance can be fined at up to at least ten million euros or two percent of worldwide annual turnover (whichever is higher) for essential entities, and at up to at least seven million euros or 1.4 percent for important entities.

CISOs must inventory their critical suppliers, standardize supplier audit processes, and anchor security KPIs in SLAs. Compliance requires close coordination with procurement, risk management, and legal departments, as well as regular reviews of supplier compliance.


Source: news.google.com · Published 29 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.