The recent enforcement of the NIS2 directive heralds a shift in the cybersecurity landscape, emphasizing the need to enhance digital resilience across organizational and supply chain operations. This update to existing regulations is designed to address the vulnerabilities that have become more pronounced with the growth of digital interdependencies. By broadening the scope of responsibility beyond internal processes to include the entire network of interconnected systems, NIS2 aims to mitigate the potential for cascading security failures that can cripple sectors essential to economic stability and public safety. In this article, we take a closer look at the chain responsibilities introduced by NIS2. It is a follow-up to the introduction article and the directors' liability article on NIS2.

This article is written by Cem Adiyaman ([email protected]) who is part of RSM Netherlands Business Consulting services with a focus on Strategy and Technology (law).

Expanding the scope of cybersecurity

NIS2 introduces a comprehensive and robust framework specifically designed to manage chain liability, compelling organizations to extend their cybersecurity measures to every node within their operational network. This directive emerges from the critical understanding that an organization's cybersecurity defenses are only as strong as its most vulnerable external link. A particularly stark example of this vulnerability was highlighted by the case of Blauw, a research firm whose inadequate security protocols led to a major breach. This incident resulted in the exposure of sensitive data belonging to large, well-known corporations such as NS and Vodafone, ultimately affecting millions of individuals. The breach at Blauw illustrates not only the complex and interwoven nature of supply chain vulnerabilities but also their potential to cause extensive damage that can ripple across industries and impact numerous stakeholders. This incident serves as a clear reminder of the pressing need for stringent security measures across all aspects of a company's external operations, underscoring the importance of holistic and proactive cybersecurity strategies under the new NIS2 framework.

Current compliance and awareness gaps

Despite the clear urgency underscored by recent high-profile security breaches, compliance with the new NIS2 standards remains inconsistent across various industries. Recent studies paint a concerning picture, showing that only a slight majority of firms within critical sectors, such as energy, transportation, and banking, are actively aligning with the stringent requirements set forth by NIS2. These findings highlight a stark discrepancy in the level of preparedness among these organizations. Approximately half of these companies have only a basic, superficial understanding of the cybersecurity measures implemented by their chain partners. Even more alarming is that about 16% of these firms are entirely unaware of the security protocols in place at their partner organizations.

This significant gap in compliance and awareness not only heightens the risk of severe operational disruptions for individual firms but also poses a serious threat to the security integrity of the entire supply chain. Such vulnerabilities can lead to cascading effects that compromise not only the companies involved but also the broader market. Ultimately, these security lapses could erode consumer trust and affect the stability of entire sectors, highlighting the critical need for improved regulatory compliance and greater awareness of cybersecurity practices throughout the supply chain. The uneven adherence to NIS2 requirements calls for enhanced efforts in education, monitoring, and enforcement to ensure that all players in vital industries understand and implement the security measures needed to protect their operations and sensitive data effectively.

Forward thinking: proactive measures and best practices

NIS2 mandates that organizations take a proactive stance from the outset, integrating security considerations into the procurement and partner selection processes. This involves establishing rigorous criteria for evaluating potential suppliers, prioritizing those who meet high security standards, such as ISO 27001 certification, and embedding comprehensive security clauses in contracts. Furthermore, the directive encourages regular performance reviews and audits of suppliers to verify ongoing compliance and to address any emerging vulnerabilities promptly.

Looking ahead, the NIS2 directive requires a paradigm shift towards a more cooperative and proactive approach to cybersecurity. Organizations must now think beyond their boundaries and consider the security health of their entire ecosystem. This means not only compliance with regulatory frameworks but also a commitment to fostering a culture of security that permeates all levels of the supply chain. Through such collaborative efforts, including the sharing of threat intelligence and best practices, businesses can create a more resilient digital infrastructure. By reinforcing every link within the operational chain, companies can protect against the ripple effects of cybersecurity threats, ensuring robust operational continuity and securing the trust of stakeholders and consumers alike in our increasingly interconnected world.