{"id":25126,"date":"2025-02-11T11:30:21","date_gmt":"2025-02-11T11:30:21","guid":{"rendered":"https:\/\/arba-public-website-wordpress-production.up.railway.app\/?p=25126"},"modified":"2025-02-11T16:43:42","modified_gmt":"2025-02-11T16:43:42","slug":"supply-chain-security-in-nis-2","status":"publish","type":"post","link":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/","title":{"rendered":"What is supply chain security in NIS 2?"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

What you didn\u2019t know that you already knew about security in the supply chain from NIS 2 Article 21(2)(d)<\/h3>

If you know about the EU\u2019s NIS 2 Directive, then you may already have wondered (or worried) about the term \u2018supply chain security\u2019 in Article 21(2)(d) and what it means for your organization. Among the many terms used in the Directive to describe typical cyber and information security measures, \u2018supply chain security\u2019 stands out as unclear and potentially daunting.<\/p>

Because, how do you make yourself sufficiently secure against risks originating in your supply chain?<\/p>

It may make you wonder: Do you even know the full supply chain of the external services on which you rely such as construction, facility services, guarding services, utilities, transportation, IT providers, consulting services?<\/p>

But actually, supply chain security as per NIS 2 is not as difficult as it sounds, but it is communicated in an unfortunate and confusing way by the EU. NIS 2 supply chain security consists of things you most likely already know.<\/p>

The requirement concerns cybersecurity risks<\/h3>

While \u2018supply chain security\u2019 may sound dauntingly complex, it is crucial to understand, that NIS 2 concerns cybersecurity specifically and not all other sorts of security. That is why the Directive\u2019s official name is \u2018on measures for a high common level of cybersecurity across the Union\u2019, and that is why ENISA\u2019s (the European Union Agency for Cybersecurity) guide to tackling this requirement is called \u2018Good Practices for Supply Chain Cybersecurity<\/strong>\u2019.<\/p>

If you were worrying, that the requirement concerned all other sorts of risks, you can lay those worries to rest now.<\/p>

However, cybersecurity is still a big subject. Especially when the Directive is quite explicit in requiring that you apply an \u2018all-hazards\u2019 approach\u2019 (Article 21(2)<\/strong>). This means that when considering the various threats and vulnerabilities that give rise to cybersecurity risks, you should not limit yourself to cyberattacks and CVE\u2019s, but include malicious insiders, process weaknesses, physical attacks, environmental factors etc., it is just that all these are only relevant in so far as they have an effect on cybersecurity, which NIS 2 defines with reference to Regulation (EU) 2019\/881 Article 2(1)<\/strong> as \u2018the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats\u2019.<\/p>

The requirement concerns IT suppliers<\/h3>

At first glance, \u2018supply chain security\u2019 sounds like a requirement to secure yourself from all threats coming from an infinite web of suppliers spanning the globe. However, most of that can be cut out, when we realize that the requirements concerns the provision of IT-related services and products – which EU insists on terming \u2018ICT\u2019 to remind us that \u2018communication\u2019 is part of IT.<\/p>

Do we have sources to back that statement?<\/em><\/p>

Certainly.<\/p>

Preamble 85<\/strong> of the Directive frames it pretty clearly \u2018Addressing risks stemming from an entity\u2019s supply chain and its relationship with its suppliers, such as providers of data storage and processing services or managed security service providers and software editors<\/strong>, is particularly important given the prevalence of incidents where entities have been the victim of cyberattacks and where malicious perpetrators were able to compromise the security of an entity\u2019s network and information systems by exploiting vulnerabilities affecting third-party products and services.\u2019 (Our emphasis, arba).<\/p>

And further down, when treating the subject of performing coordinated risk assessments of critical supply chains, preamble 91<\/strong> specifies \u2018To identify the supply chains that should be subject to a coordinated security risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, ICT systems or ICT products<\/strong> (\u2026)\u2019 (Our emphasis, arba).<\/p>

In article 2<\/strong>, \u2018Definitions\u2019, the EU defines 17 different types of services, product and providers which are pertinent to the Directive. All of these are within IT, and not a single non-IT service, product or provider is defined.<\/p>

If that is the case, why isn\u2019t it stated clearly in the Directive?<\/em><\/p>

Sadly, we don\u2019t know. We would not presume to know all the considerations that went into the final text of the Directive. However, there are several paragraphs that would have been obvious opportunities to link the notion of \u2018supply chain security\u2019 to non-IT suppliers, if this had been intention of the lawmakers.<\/p>

Consider, preamble 53<\/strong>, which mentions the subject of utility services, this preamble does not state that they should be covered by the requirement, it rather addresses the fact that they themselves rely on digital services, i.e. that they have an IT supply chain of their own, and something similar can be said of preamble 88<\/strong>, which mentions the threat of industrial espionage without invoking the notion of supply chain security.<\/p>

The requirement is meant to protect against ‘supply chain attacks’<\/h3>

Now, you know that the requirement is really to protect network and information systems against threats from your IT supply chain. Can we narrow this requirement down even further? At the very least, we can provide your organization with a focus, that you can apply when prioritizing your efforts, and that priority should be preventing \u201csupply chain attacks\u201d<\/p>

How do we know?<\/em><\/p>

Preamble 85 <\/strong>is once again instructive, as it provides the context for why supply chain security features in the Directive, and that context is described as: \u2018incidents where entities have been the victim of cyberattacks and where malicious perpetrators were able to compromise the security of an entity\u2019s network and information systems by exploiting vulnerabilities affecting third-party products and services. \u2018.<\/p>

This is a good description of what we in the industry call \u2018supply chain attacks\u2019.<\/p>

While the threat from supply chain attacks is indeed very worrying, the main ways to reduce it are time-honored and well-known controls within cybersecurity such as cybersecurity requirements within supplier contracts, IT sourcing controls, asset management, secure development procedures, vulnerability management and incident response.<\/p>

The focus on controls such as these aligns well with Article 21(3)<\/strong> which expands on Article 21(2)(d)<\/strong> by adding that \u2018Member States shall ensure that, when considering which measures referred to in paragraph 2, point (d), of this Article are appropriate, entities take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.<\/p>

Finding a narrower focus for your own organization, is even more important when considering the next point: your organization is not alone with this responsibility.<\/p>

The most critical risks should be addressed at Union level<\/h3>

Finally, Article 21(3)<\/strong> also states that \u2018Member States shall also ensure that, when considering which measures referred to in that point are appropriate, entities are required to take into account the results of the coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1)<\/strong>.\u2019<\/p>

While this is a requirement to the entities, it is more like help than a burden. It states that the entities must use the security risk assessments of critical supply chains carried out by the Cooperation Group, an EU body established at the Union level by the first NIS Directive. Hence, where such assessments apply, EU is close to requiring that entities let the Cooperation Group do its part of the work as opposed to each body trying to make its own complete assessment from scratch.<\/p>

And this point goes to the heart of NIS 2. NIS 2 is not first and foremost a list of requirements aimed at organizations within various critical and important sectors. It is a Directive that addresses EU cybersecurity by posing requirements to states and EU bodies. The state must then pass certain requirements on to the entities, but they are still accountable for advancing the state of cybersecurity within their nation.<\/p>

Hence, covered entities are not alone, but rely on states and their national cybersecurity strategies (Article 1<\/strong>), CSIRTs and ENISA and their role in reporting on the state of cybersecurity, sharing threat information, assisting in case of incidents, and coordinating within sectors (Articles 1, 16, 18, 23, 27, 29<\/strong>) to name a few.<\/p>

These bodies are a help to your organization, and the requirement in Article 21(3)<\/strong> is then to not ignore their help and guidance when implementing measures.<\/p>

Conclusion<\/h2>

Put briefly, \u2018supply chain security\u2019 is mostly what you already know as controls applied to sourcing and selection of IT services and products, asset management, vulnerability management, secure IT development procedures and incident response procedures including information sharing.<\/strong> If you read the Directive thoroughly, you will find support for alleviating fears that it entails the responsibility to secure the supply chain all the way through. The biggest and most critical supply chains will be assessed at the EU level and addressed in national cybersecurity strategies as well as by critical and important entities implementing local compliance with the Directive.<\/p>

ENISA has provided guidance for this in their publication \u2018Good practices for supply chain cybersecurity<\/strong>\u2019 which includes specific examples of useful requirements for your own and supplier organizations.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t\t\tGet in touch\n\t\t\t\t\t<\/h6>

Ensure NIS2 compliance, reduce risk, and stay ahead<\/h3>\t\t\t\t
\n\t\t\t\t\t

Arba streamlines compliance, automates risk management, and keeps you aligned with regulatory mandates, so you can focus on running your business securely.<\/p>\n\t\t\t\t<\/div>\n\t\t\t<\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t\t\t\n\t\t\t\t<\/i>\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\tBook discovery call<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

What you didn\u2019t know that you already knew about security in the supply chain from NIS 2 Article 21(2)(d) If you know about the EU\u2019s NIS 2 Directive, then you may already have wondered (or worried) about the term \u2018supply chain security\u2019 in Article 21(2)(d) and what it means for your organization. Among the many […]<\/p>\n","protected":false},"author":5,"featured_media":25176,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-25126","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-regulation"],"yoast_head":"\nWhat is supply chain security in NIS 2? - Arba Security<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/\" \/>\n<meta property=\"og:locale\" content=\"da_DK\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What is supply chain security in NIS 2? - Arba Security\" \/>\n<meta property=\"og:description\" content=\"What you didn\u2019t know that you already knew about security in the supply chain from NIS 2 Article 21(2)(d) If you know about the EU\u2019s NIS 2 Directive, then you may already have wondered (or worried) about the term \u2018supply chain security\u2019 in Article 21(2)(d) and what it means for your organization. Among the many […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Arba Security\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-11T11:30:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-02-11T16:43:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/arbasecurity.com\/wp-content\/uploads\/2025\/02\/what-is-supply-chain-security-in-NIS-2.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2392\" \/>\n\t<meta property=\"og:image:height\" content=\"1344\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Niklas Rendboe\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Skrevet af\" \/>\n\t<meta name=\"twitter:data1\" content=\"Niklas Rendboe\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimeret l\u00e6setid\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutter\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/\"},\"author\":{\"name\":\"Niklas Rendboe\",\"@id\":\"https:\/\/arbasecurity.com\/da\/#\/schema\/person\/2ee4a534499787255fa28da49ff2485b\"},\"headline\":\"What is supply chain security in NIS 2?\",\"datePublished\":\"2025-02-11T11:30:21+00:00\",\"dateModified\":\"2025-02-11T16:43:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/\"},\"wordCount\":1518,\"publisher\":{\"@id\":\"https:\/\/arbasecurity.com\/da\/#organization\"},\"image\":{\"@id\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/arbasecurity.com\/wp-content\/uploads\/2025\/02\/what-is-supply-chain-security-in-NIS-2.jpg\",\"articleSection\":[\"Regulation\"],\"inLanguage\":\"da-DK\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/\",\"url\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/\",\"name\":\"What is supply chain security in NIS 2? - Arba Security\",\"isPartOf\":{\"@id\":\"https:\/\/arbasecurity.com\/da\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/arbasecurity.com\/wp-content\/uploads\/2025\/02\/what-is-supply-chain-security-in-NIS-2.jpg\",\"datePublished\":\"2025-02-11T11:30:21+00:00\",\"dateModified\":\"2025-02-11T16:43:42+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#breadcrumb\"},\"inLanguage\":\"da-DK\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"da-DK\",\"@id\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#primaryimage\",\"url\":\"https:\/\/arbasecurity.com\/wp-content\/uploads\/2025\/02\/what-is-supply-chain-security-in-NIS-2.jpg\",\"contentUrl\":\"https:\/\/arbasecurity.com\/wp-content\/uploads\/2025\/02\/what-is-supply-chain-security-in-NIS-2.jpg\",\"width\":2392,\"height\":1344},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/arbasecurity.com\/da\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What is supply chain security in NIS 2?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/arbasecurity.com\/da\/#website\",\"url\":\"https:\/\/arbasecurity.com\/da\/\",\"name\":\"Arba Security\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/arbasecurity.com\/da\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/arbasecurity.com\/da\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"da-DK\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/arbasecurity.com\/da\/#organization\",\"name\":\"Arba Security\",\"url\":\"https:\/\/arbasecurity.com\/da\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"da-DK\",\"@id\":\"https:\/\/arbasecurity.com\/da\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/arbasecurity.com\/wp-content\/uploads\/2023\/11\/site-logo.png\",\"contentUrl\":\"https:\/\/arbasecurity.com\/wp-content\/uploads\/2023\/11\/site-logo.png\",\"width\":350,\"height\":121,\"caption\":\"Arba Security\"},\"image\":{\"@id\":\"https:\/\/arbasecurity.com\/da\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/arbasecurity.com\/da\/#\/schema\/person\/2ee4a534499787255fa28da49ff2485b\",\"name\":\"Niklas Rendboe\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"da-DK\",\"@id\":\"https:\/\/arbasecurity.com\/da\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9f341e932a3424a259e2a7fb559eab62?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9f341e932a3424a259e2a7fb559eab62?s=96&d=mm&r=g\",\"caption\":\"Niklas Rendboe\"},\"description\":\"Niklas Rendboe is an information security expert specializing in governance, risk, and compliance. He serves as the Chief Information Security Officer (CISO) at Arba Security and works as a cybersecurity consultant at Trustworks Cyber Security. Additionally, he is a member of a research group at the Royal Danish Defence College, where he studies Russian military capabilities, and he has served in several advisory roles concerning private actors in security politics. Niklas earned his MSc in International Security & Law from the University of Southern Denmark in 2019 and holds multiple certifications related to information security and risk management.\",\"url\":\"https:\/\/arbasecurity.com\/da\/blog\/author\/niklas-rendboearbasecurity-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What is supply chain security in NIS 2? - Arba Security","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/","og_locale":"da_DK","og_type":"article","og_title":"What is supply chain security in NIS 2? - Arba Security","og_description":"What you didn\u2019t know that you already knew about security in the supply chain from NIS 2 Article 21(2)(d) If you know about the EU\u2019s NIS 2 Directive, then you may already have wondered (or worried) about the term \u2018supply chain security\u2019 in Article 21(2)(d) and what it means for your organization. Among the many […]","og_url":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/","og_site_name":"Arba Security","article_published_time":"2025-02-11T11:30:21+00:00","article_modified_time":"2025-02-11T16:43:42+00:00","og_image":[{"width":2392,"height":1344,"url":"https:\/\/arbasecurity.com\/wp-content\/uploads\/2025\/02\/what-is-supply-chain-security-in-NIS-2.jpg","type":"image\/jpeg"}],"author":"Niklas Rendboe","twitter_card":"summary_large_image","twitter_misc":{"Skrevet af":"Niklas Rendboe","Estimeret l\u00e6setid":"8 minutter"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#article","isPartOf":{"@id":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/"},"author":{"name":"Niklas Rendboe","@id":"https:\/\/arbasecurity.com\/da\/#\/schema\/person\/2ee4a534499787255fa28da49ff2485b"},"headline":"What is supply chain security in NIS 2?","datePublished":"2025-02-11T11:30:21+00:00","dateModified":"2025-02-11T16:43:42+00:00","mainEntityOfPage":{"@id":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/"},"wordCount":1518,"publisher":{"@id":"https:\/\/arbasecurity.com\/da\/#organization"},"image":{"@id":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#primaryimage"},"thumbnailUrl":"https:\/\/arbasecurity.com\/wp-content\/uploads\/2025\/02\/what-is-supply-chain-security-in-NIS-2.jpg","articleSection":["Regulation"],"inLanguage":"da-DK"},{"@type":"WebPage","@id":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/","url":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/","name":"What is supply chain security in NIS 2? - Arba Security","isPartOf":{"@id":"https:\/\/arbasecurity.com\/da\/#website"},"primaryImageOfPage":{"@id":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#primaryimage"},"image":{"@id":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#primaryimage"},"thumbnailUrl":"https:\/\/arbasecurity.com\/wp-content\/uploads\/2025\/02\/what-is-supply-chain-security-in-NIS-2.jpg","datePublished":"2025-02-11T11:30:21+00:00","dateModified":"2025-02-11T16:43:42+00:00","breadcrumb":{"@id":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#breadcrumb"},"inLanguage":"da-DK","potentialAction":[{"@type":"ReadAction","target":["https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/"]}]},{"@type":"ImageObject","inLanguage":"da-DK","@id":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#primaryimage","url":"https:\/\/arbasecurity.com\/wp-content\/uploads\/2025\/02\/what-is-supply-chain-security-in-NIS-2.jpg","contentUrl":"https:\/\/arbasecurity.com\/wp-content\/uploads\/2025\/02\/what-is-supply-chain-security-in-NIS-2.jpg","width":2392,"height":1344},{"@type":"BreadcrumbList","@id":"https:\/\/arbasecurity.com\/da\/blog\/supply-chain-security-in-nis-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/arbasecurity.com\/da\/"},{"@type":"ListItem","position":2,"name":"What is supply chain security in NIS 2?"}]},{"@type":"WebSite","@id":"https:\/\/arbasecurity.com\/da\/#website","url":"https:\/\/arbasecurity.com\/da\/","name":"Arba Security","description":"","publisher":{"@id":"https:\/\/arbasecurity.com\/da\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/arbasecurity.com\/da\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"da-DK"},{"@type":"Organization","@id":"https:\/\/arbasecurity.com\/da\/#organization","name":"Arba Security","url":"https:\/\/arbasecurity.com\/da\/","logo":{"@type":"ImageObject","inLanguage":"da-DK","@id":"https:\/\/arbasecurity.com\/da\/#\/schema\/logo\/image\/","url":"https:\/\/arbasecurity.com\/wp-content\/uploads\/2023\/11\/site-logo.png","contentUrl":"https:\/\/arbasecurity.com\/wp-content\/uploads\/2023\/11\/site-logo.png","width":350,"height":121,"caption":"Arba Security"},"image":{"@id":"https:\/\/arbasecurity.com\/da\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/arbasecurity.com\/da\/#\/schema\/person\/2ee4a534499787255fa28da49ff2485b","name":"Niklas Rendboe","image":{"@type":"ImageObject","inLanguage":"da-DK","@id":"https:\/\/arbasecurity.com\/da\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/9f341e932a3424a259e2a7fb559eab62?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9f341e932a3424a259e2a7fb559eab62?s=96&d=mm&r=g","caption":"Niklas Rendboe"},"description":"Niklas Rendboe is an information security expert specializing in governance, risk, and compliance. He serves as the Chief Information Security Officer (CISO) at Arba Security and works as a cybersecurity consultant at Trustworks Cyber Security. Additionally, he is a member of a research group at the Royal Danish Defence College, where he studies Russian military capabilities, and he has served in several advisory roles concerning private actors in security politics. Niklas earned his MSc in International Security & Law from the University of Southern Denmark in 2019 and holds multiple certifications related to information security and risk management.","url":"https:\/\/arbasecurity.com\/da\/blog\/author\/niklas-rendboearbasecurity-com\/"}]}},"_links":{"self":[{"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/posts\/25126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/comments?post=25126"}],"version-history":[{"count":24,"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/posts\/25126\/revisions"}],"predecessor-version":[{"id":25272,"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/posts\/25126\/revisions\/25272"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/media\/25176"}],"wp:attachment":[{"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/media?parent=25126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/categories?post=25126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arbasecurity.com\/da\/wp-json\/wp\/v2\/tags?post=25126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}