A pragmatic approach for supply chain security under NIS2

Jelle Groenendaal, Co-founder & CMO, 3rdRisk
February 16, 2025

As supply chain security becomes increasingly crucial, the NIS2 directive mandates that organisations implement robust cybersecurity measures. A risk-based approach is essential, starting with third-party classification and due diligence based on frameworks like ISO 27001 and NIST. Ownership and clear roles within the organisation play a pivotal role in ensuring compliance and effective supply chain risk management. Additionally, adopting a unified framework and leveraging smart tools like 3rdRisk can streamline security efforts, automate compliance tasks, and enhance resilience against cyber threats. By integrating these strategies, businesses can secure their supply chains and stay NIS2-compliant efficiently.

Eraneos x 3rdRisk

In the previous part of our series, we explored how risk management and regulatory compliance have become the new pillars of Supply Chain Management (SCM). In this second part, we delve deeper into a critical aspect that is gaining prominence: securing the supply chain in light of the NIS2 directive. This European directive, implemented in the Netherlands through the Cybersecurity Act, aims to enhance the cybersecurity of networks and information systems of essential service providers. But how can these requirements be practically applied? Here, we discuss a pragmatic approach to securing your supply chain while remaining compliant.

Risk management as the core of NIS2

The NIS2 directive mandates that organisations critical to the economy and society—such as energy companies, transportation sectors, and financial institutions—maintain robust cybersecurity measures. Risk management is at the heart of this directive, requiring businesses to identify, assess, and mitigate potential threats, including supply chain risks.

A practical approach starts with risk-based classification: mapping all third parties and categorising them based on their significance and risk level. This classification serves as the foundation for the due diligence process: the higher the risk associated with a third party, the more extensive the due diligence and the stricter the security requirements.
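As an added illustration (not Eraneos' or 3rdRisk's own model), the module below shows the mechanism this paragraph describes: each third party is scored on significance and risk inputs, the resulting tier selects the depth of due diligence, and the plan escalates in questionnaire scope, evidence, audit cadence and contract clauses. The weights, thresholds, per-tier requirement sets and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Scoring inputs, each on an assumed 1..3 scale: how far an essential service
# depends on the supplier, how sensitive the data it handles is, and how deep
# its access into our network and information systems goes.
WEIGHTS = {"service_dependency": 3, "data_sensitivity": 2, "access_level": 2}

# Assumed due-diligence plan per tier: deeper questionnaire, more evidence,
# shorter audit interval and stricter contract clauses as the risk rises.
PLANS = {
    "low": {"questionnaire": "self-attestation (ISO 27001 control subset)",
            "evidence": "none", "audit_interval_months": 36,
            "contract_clauses": ["security baseline"]},
    "medium": {"questionnaire": "full ISO 27001 / NIST CSF questionnaire",
               "evidence": "certificate or audit report",
               "audit_interval_months": 12,
               "contract_clauses": ["security baseline", "NIS2 compliance",
                                    "incident notification"]},
    "high": {"questionnaire": "full questionnaire plus technical review",
             "evidence": "audit report and evidence sampling",
             "audit_interval_months": 6,
             "contract_clauses": ["security baseline", "NIS2 compliance",
                                  "incident notification", "audit rights",
                                  "sub-supplier flow-down"]},
}

@dataclass
class ThirdParty:
    name: str
    service_dependency: int  # 3 = an essential service stops without them
    data_sensitivity: int    # 3 = personal or confidential data at scale
    access_level: int        # 3 = privileged access to our own systems

def risk_score(tp: ThirdParty) -> int:
    """Weighted score; range 7..21 with the assumed weights."""
    return sum(w * getattr(tp, k) for k, w in WEIGHTS.items())

def classify(tp: ThirdParty) -> str:
    """Significance decides first, then the overall risk score."""
    if tp.service_dependency == 3 or risk_score(tp) >= 16:
        return "high"  # critical to an essential service: never below high
    return "medium" if risk_score(tp) >= 11 else "low"

def due_diligence_plan(tp: ThirdParty) -> dict:
    """The review a supplier gets, derived entirely from its tier."""
    tier = classify(tp)
    return {"name": tp.name, "tier": tier, "score": risk_score(tp), **PLANS[tier]}

# Constructed sample inventory (hypothetical suppliers, not real ones).
INVENTORY = [ThirdParty("cloud-hosting", 3, 2, 3), ThirdParty("payroll-saas", 1, 3, 1),
             ThirdParty("office-cleaning", 1, 1, 1)]
```

Running `[due_diligence_plan(tp) for tp in INVENTORY]` yields one plan per supplier, so the same inventory can be re-scored whenever a supplier's role or access changes.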

It is crucial to appoint a dedicated individual within the organisation who takes ultimate responsibility for the entire supply chain security process.

Leveraging best practices

How do you determine the classification of a third party? What questions should be asked during due diligence? And how should the responses be evaluated? These are critical steps in managing supply chain risks that require a structured approach.

A pragmatic approach involves adopting best practices such as risk classification models and due diligence questionnaires based on international standards like ISO 27001 or the NIST Cybersecurity Framework. These frameworks provide a solid foundation for assessing third parties, significantly improving the consistency and reliability of risk assessments.

At Eraneos, we take it a step further. We optimise standard questionnaires by incorporating real-world insights and industry experience gained from diverse projects across sectors. This results in content that not only aligns with global standards but is also practically applicable and tailored to the specific needs of each organisation. This approach enhances both the efficiency and effectiveness of risk management.

Ownership as the key to success

Another essential element of a pragmatic approach is establishing clear ownership within the organisation, including well-defined roles and responsibilities. A dedicated individual must be assigned to oversee the entire supply chain security process. This is not just an administrative role but a fundamental prerequisite for success.

Securing the supply chain requires close collaboration between departments such as risk management, procurement, IT, and legal. To ensure smooth coordination, a strong leader with the authority and expertise to align all stakeholders is vital. This person ensures that all departments work together seamlessly and that each team understands its role and responsibilities. Clearly defined expectations prevent misunderstandings and ensure that everyone contributes effectively to supply chain security.

Implementing a unified framework

A standardised and consistent framework is essential to align all parties involved in supply chain security. This framework should include guidelines for supplier selection, contract negotiations, and service management.

For instance, integrating standard security clauses into all supplier contracts—explicitly requiring compliance with NIS2 requirements and regular audits—establishes a clear and enforceable security baseline for all partners. Not only does this create uniformity, but it also ensures that the supply chain adheres to the highest security standards. Additionally, these guidelines streamline internal processes, improving communication and collaboration between procurement, legal, and risk management teams.

Leveraging smart tools

Securing the supply chain can be complex and time-consuming. Smart tools play a crucial role in making this process more manageable. Many organisations still rely on manual processes, such as tracking due diligence results in spreadsheets and exchanging questionnaires via email. This approach increases the risk of errors and makes it challenging to maintain an up-to-date overview of risks and mitigation efforts.

By using advanced tools like 3rdRisk, organisations can efficiently map and manage their supply chain risks. These platform solutions not only provide a clear overview of all third parties but also streamline classification and automate significant portions of the due diligence process. Additionally, tools like 3rdRisk enable continuous monitoring of third parties using multiple data sources, ensuring real-time control while reducing workload. These technologies allow businesses to respond more swiftly to emerging threats and maintain a dynamic, resilient supply chain.

Conclusion

Ensuring supply chain security in compliance with the NIS2 directive may seem challenging, but with a pragmatic approach, it becomes a manageable task. The key to success lies in adopting a risk-based strategy, supported by a unified and consistent framework.

Defining clear ownership, assigning well-structured roles and responsibilities, and leveraging technology to automate time-consuming tasks are all critical elements. By integrating these components, organisations can not only comply with NIS2 regulations but also build a resilient and secure supply chain for the future.

This blog post has been written with Rico Plomp, Senior Manager Cyber Security at Eraneos Netherlands.
