NIS2 and impact on the supply chain

August 9, 2024 by Lukáš Skála

This post is a direct follow-up to the previous one, in which we described the entities to which NIS2 applies directly. We ended by noting that NIS2 will affect not only those entities but also some of their suppliers, so here we explain this in more detail.

One of the most significant changes in the new cyber security law is its approach to the suppliers and subcontractors of obliged entities. A major reason for this is that a large share of cyber attacks in recent years have come through the supply chain: suppliers often have access to internal networks for various reasons, and an attacker who compromises a supplier can use that access to do considerable damage.


Evaluation of suppliers

Obliged entities in both the lighter and the stricter regime of obligations should evaluate their suppliers, and not only as a preventive measure. The new law sets out separate supplier evaluation obligations for the lighter and the stricter regime, and for strategically important companies and organisations the rules are more demanding still.


Lighter regime

Companies and organisations subject to the lighter regime are required to agree with their suppliers on the security measures to be applied and on mutual responsibility for compliance with those measures and for verifying it.


Stricter regime

A much higher level of obligations applies under the stricter regime. The choice of suppliers must take into account the cyber security requirements of the new law: not only must these criteria be set out in tenders, but the law also requires a risk assessment by the NÚKIB before a cooperation is entered into.


Strategically important companies and organisations

For these entities, suppliers will also have to undergo an assessment in terms of the security and strategic interests of the Czech Republic. Simply put, if a supplier does not pass this assessment, the NÚKIB may prohibit cooperation with it.


As the title of this post indicates, this issue does not concern only the direct suppliers of obliged entities. Because a supplier is in turn expected to pass the same requirements on to its own subcontractors, the obligations reach the entire supply chain.


Finally, there is a potential advantage for entities that already manage cyber security under ISO 27001 and ISO 27002, which have been the standard in many industries for years. For them, meeting the requirements of the new cyber security law will be much easier, as most of the required measures will already be in place.


Your Safee team
