The NIS2 Cybersecurity Act is creating a new reality. When organisations talk about cybersecurity, they often focus on their own systems. According to Roy Sandbergen, CISO at ICT service provider Hallo, that is no longer enough.
NIS2 shifts the focus to the entire digital supply chain.
Most organisations have far more suppliers than they realise
When asked about their suppliers, many companies immediately think of their IT provider.
In reality, however, the digital supply chain consists of many more parties: cloud providers, software vendors, HR platforms, accounting systems, web agencies, hosting providers and managed service providers (MSPs). There are also organisations that depend on machinery containing embedded software.
Every one of these parties represents a potential dependency.
Demonstrability becomes the new standard
Under NIS2, organisations are not only required to implement security measures. They must also be able to demonstrate that they are managing supplier-related risks.
This means:
- Assessing suppliers
- Documenting agreements
- Collecting evidence
- Conducting periodic reviews
According to Sandbergen, documentation is therefore becoming increasingly important:
“If something isn’t documented, it becomes difficult to hold each other accountable.”
Why certification is becoming increasingly important
More and more organisations that fall under NIS2 are asking their suppliers to provide demonstrable evidence of their cybersecurity measures. A self-completed questionnaire alone is no longer sufficient.
NIS2 Supply Chain certification provides an independent audit and clearly demonstrates the level of cybersecurity maturity achieved by a supplier.
Certification is not the finish line
At the same time, Sandbergen warns of an important pitfall. A certificate is valuable, but it should never replace the conversation between a customer and its key suppliers.
“You can have an excellently certified supplier, but if the service provided does not align with your business needs, a risk still exists.”
Certification should therefore be seen as a strong foundation for trust and risk management, not as a substitute for that conversation.
The years ahead
According to Sandbergen, the pressure from NIS2 organisations on their suppliers will only continue to increase.
Customers will increasingly ask:
- What security measures have you implemented?
- Can you demonstrate them?
- Are you certified?
For suppliers, demonstrable cybersecurity is rapidly becoming a prerequisite for doing business.
You cannot fully outsource cybersecurity
According to Sandbergen, ultimate responsibility always remains with the organisation itself.
“Of course, a supplier has responsibilities, but ultimately it is your business operations that are at stake.”
That is why organisations should regularly assess which suppliers are critical, what risks those suppliers introduce, what agreements have been made with them, and how evidence is maintained to demonstrate that these activities have actually been carried out.
Don’t wait for an incident
Awareness is growing, but many organisations still do not have the fundamentals fully in place. At the same time, Sandbergen emphasises that cybersecurity is never finished.
“A few years ago, implementing MFA immediately made life much harder for attackers. Today, we see attackers capable of hijacking sessions even after a user has successfully authenticated with MFA. This means additional measures are required. It shows just how quickly the threat landscape evolves.”
His advice is therefore simple:
“Start today. Make sure the basics are in place. But don’t assume that means you’re done.”