Understanding NIS2 supply chain security and how Halbarad helps



NIS2 is the EU cybersecurity directive for essential and important entities. Supply chain security is part of a broader cybersecurity risk management regime. Because NIS2 is a directive, obligations depend on national transposition and entity classification.


What NIS2 is trying to do

NIS2 aims to raise cybersecurity resilience across critical and important sectors. It requires entities in scope to manage cyber risk, handle incidents, strengthen business continuity, and address supply chain security.

What teams need to do

  • Determine whether the organization is an essential or important entity under national law.
  • Map suppliers, ICT providers, managed services, software, cloud, and operational dependencies.
  • Review supply chain security, vulnerability management, incident response, business continuity, access control, encryption, and risk analysis.

  • Preserve incident reporting and remediation evidence.

Evidence to maintain

  • Scope and entity classification analysis.
  • Cyber risk management policies and controls.
  • Supplier and ICT dependency map.
  • Incident reporting and business continuity evidence.
  • Monitoring, issues, remediation, and management reporting.

Common gaps

  • NIS2 is treated as only an incident reporting rule.
  • Supplier dependencies are not mapped to essential services.
  • National implementation differences are ignored.
  • Cyber and third-party teams maintain separate evidence.

How Halbarad helps

Halbarad helps teams map suppliers and ICT providers to services, controls, incidents, remediation, and reporting. It supports evidence for supply chain security and dependency management, while legal scope must be confirmed under national law.

Disclaimer

This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.