What is supply chain security in NIS 2?

What you didn’t know that you already knew about security in the supply chain from NIS 2 Article 21(2)(d)

If you know about the EU’s NIS 2 Directive, then you may already have wondered (or worried) about the term ‘supply chain security’ in Article 21(2)(d) and what it means for your organization. Among the many terms used in the Directive to describe typical cyber and information security measures, ‘supply chain security’ stands out as unclear and potentially daunting.

After all, how do you make yourself sufficiently secure against risks originating in your supply chain?

It may make you wonder: do you even know the full supply chain of the external services on which you rely, such as construction, facility services, guarding services, utilities, transportation, IT providers and consulting services?

In fact, supply chain security under NIS 2 is not as difficult as it sounds; it is merely communicated in an unfortunate and confusing way by the EU. NIS 2 supply chain security consists of things you most likely already know.

The requirement concerns cybersecurity risks

While ‘supply chain security’ may sound dauntingly complex, it is crucial to understand that NIS 2 concerns cybersecurity specifically and not all other sorts of security. That is why the Directive’s official name is ‘on measures for a high common level of cybersecurity across the Union’, and that is why the guide to tackling this requirement from ENISA (the European Union Agency for Cybersecurity) is called ‘Good Practices for Supply Chain Cybersecurity’.

If you were worrying that the requirement concerned all other sorts of risks, you can lay those worries to rest now.

However, cybersecurity is still a big subject, especially since the Directive is quite explicit in requiring that you apply an ‘all-hazards approach’ (Article 21(2)). This means that when considering the various threats and vulnerabilities that give rise to cybersecurity risks, you should not limit yourself to cyberattacks and CVEs, but also include malicious insiders, process weaknesses, physical attacks, environmental factors etc. It is just that all of these are only relevant in so far as they have an effect on cybersecurity, which NIS 2 defines with reference to Regulation (EU) 2019/881 Article 2(1) as ‘the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats’.

The requirement concerns IT suppliers

At first glance, ‘supply chain security’ sounds like a requirement to secure yourself from all threats coming from an infinite web of suppliers spanning the globe. However, most of that can be cut out when we realize that the requirement concerns the provision of IT-related services and products – which the EU insists on terming ‘ICT’ to remind us that ‘communication’ is part of IT.

Do we have sources to back that statement?

Certainly.

Preamble 85 of the Directive frames it pretty clearly: ‘Addressing risks stemming from an entity’s supply chain and its relationship with its suppliers, such as providers of data storage and processing services or managed security service providers and software editors, is particularly important given the prevalence of incidents where entities have been the victim of cyberattacks and where malicious perpetrators were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third-party products and services.’ (Our emphasis, arba).

And further down, when treating the subject of performing coordinated risk assessments of critical supply chains, preamble 91 specifies: ‘To identify the supply chains that should be subject to a coordinated security risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, ICT systems or ICT products (…)’ (Our emphasis, arba).

In Article 2, ‘Definitions’, the EU defines 17 different types of services, products and providers which are pertinent to the Directive. All of these are within IT, and not a single non-IT service, product or provider is defined.

If that is the case, why isn’t it stated clearly in the Directive?

Sadly, we don’t know. We would not presume to know all the considerations that went into the final text of the Directive. However, there are several paragraphs that would have been obvious opportunities to link the notion of ‘supply chain security’ to non-IT suppliers, if this had been the intention of the lawmakers.

Consider preamble 53, which mentions the subject of utility services. This preamble does not state that they should be covered by the requirement; rather, it addresses the fact that they themselves rely on digital services, i.e. that they have an IT supply chain of their own. Something similar can be said of preamble 88, which mentions the threat of industrial espionage without invoking the notion of supply chain security.

The requirement is meant to protect against ‘supply chain attacks’

Now you know that the requirement is really to protect network and information systems against threats from your IT supply chain. Can we narrow this requirement down even further? At the very least, we can provide your organization with a focus that you can apply when prioritizing your efforts, and that priority should be preventing ‘supply chain attacks’.

How do we know?

Preamble 85 is once again instructive, as it provides the context for why supply chain security features in the Directive, and that context is described as: ‘incidents where entities have been the victim of cyberattacks and where malicious perpetrators were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third-party products and services.’

This is a good description of what we in the industry call ‘supply chain attacks’.

While the threat from supply chain attacks is indeed very worrying, the main ways to reduce it are time-honored and well-known controls within cybersecurity, such as cybersecurity requirements within supplier contracts, IT sourcing controls, asset management, secure development procedures, vulnerability management and incident response.

The focus on controls such as these aligns well with Article 21(3), which expands on Article 21(2)(d) by adding that ‘Member States shall ensure that, when considering which measures referred to in paragraph 2, point (d), of this Article are appropriate, entities take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.’

Finding a narrower focus for your own organization is even more important when considering the next point: your organization is not alone with this responsibility.

The most critical risks should be addressed at Union level

Finally, Article 21(3) also states that ‘Member States shall also ensure that, when considering which measures referred to in that point are appropriate, entities are required to take into account the results of the coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1).’

While this is a requirement on the entities, it is more like help than a burden. It states that the entities must use the security risk assessments of critical supply chains carried out by the Cooperation Group, an EU body established at the Union level by the first NIS Directive. Hence, where such assessments apply, the EU is close to requiring that entities let the Cooperation Group do its part of the work, as opposed to each entity trying to make its own complete assessment from scratch.

And this point goes to the heart of NIS 2. NIS 2 is not first and foremost a list of requirements aimed at organizations within various critical and important sectors. It is a Directive that addresses EU cybersecurity by posing requirements to Member States and EU bodies. The state must then pass certain requirements on to the entities, but the states are still accountable for advancing the state of cybersecurity within their nation.

Hence, covered entities are not alone, but rely on states and their national cybersecurity strategies (Article 1), as well as on CSIRTs and ENISA in their roles of reporting on the state of cybersecurity, sharing threat information, assisting in case of incidents and coordinating within sectors (Articles 1, 16, 18, 23, 27, 29), to name a few.

These bodies are a help to your organization, and the requirement in Article 21(3) is then not to ignore their help and guidance when implementing measures.

Conclusion

Put briefly, ‘supply chain security’ is mostly what you already know as controls applied to the sourcing and selection of IT services and products, asset management, vulnerability management, secure IT development procedures and incident response procedures, including information sharing. If you read the Directive thoroughly, you will find support for alleviating fears that it entails the responsibility to secure the supply chain all the way through. The biggest and most critical supply chains will be assessed at the EU level and addressed in national cybersecurity strategies, as well as by critical and important entities implementing local compliance with the Directive.

ENISA has provided guidance for this in its publication ‘Good Practices for Supply Chain Cybersecurity’, which includes specific examples of useful requirements for your own and supplier organizations.


Niklas Rendboe is an information security expert specializing in governance, risk, and compliance. He serves as the Chief Information Security Officer (CISO) at Arba Security and works as a cybersecurity consultant at Trustworks Cyber Security.

Additionally, he is a member of a research group at the Royal Danish Defence College, where he studies Russian military capabilities, and he has served in several advisory roles concerning private actors in security politics.

Niklas earned his MSc in International Security & Law from the University of Southern Denmark in 2019 and holds multiple certifications related to information security and risk management.