Cybersecurity: New rules for networked supply chains

NIS-2

Networked supply chains create efficiency, but also offer vulnerabilities and risks for cyberattacks. Against this backdrop, the EU’s NIS-2 (Network and Information Security Directive 2) has been tightening the requirements for security and resilience within the supply chain since November 2025. Thus, holistic solutions are required in order to protect the entire supply chain.

New requirements for greater cybersecurity in networked supply chains

Supply chains have long been much more than linear, closed systems – they are widely diversified networks of service providers, suppliers, and logistics partners. This evolution creates many advantages, and yet it also increases the risk of cyberattacks. After all, every interface, every supplier, and every networked system can potentially become a weak spot with consequences for the entire supply chain if comprehensive protective measures are not taken.

To prevent cybercrime and minimize risks, the legal and regulatory requirements for companies in nine officially designated critical sectors (including energy, health, transport and traffic) are being tightened. With the implementation of the NIS-2 Directive, many companies will thus need to meet specific cybersecurity requirements in the future. However, not every company is affected to the same extent: those who have already established an information security management system (ISMS) in accordance with ISO 27001 in their organization already meet many of the information security requirements under NIS-2 and are well prepared.

Important requirements for companies under NIS-2

  • Reporting: Identification of vulnerabilities and reporting them to the Federal Office for Information Security (BSI)
  • Risk management and ISMS: Introduction of risk management, documentation of all risk management measures, and introduction of state-of-the-art technical and organizational measures (e.g., multi-factor authentication)
  • Business continuity and crisis management (BCM): Set-up of a business continuity management system (BCMS) including crisis management, development of emergency plans, conducting regular exercises/tests of these plans, and establishing governance structures for BCM.
  • Mandatory reporting of security incidents: Immediate reporting of security incidents to BSI within 24 hours of becoming aware of them, follow-up reports and, if necessary, informing customers or the public.
  • Documentation requirements and audits: Regular documentation of the implementation of security measures – for example, BSI audit every three years for operators of critical infrastructures (KRITIS). KRITIS operators are operators of critical infrastructures from one of the officially defined sectors.
  • Governance and accountability: Involvement of management/executive management in accountability, training and awareness-raising for employees in the area of cybersecurity
  • Standards and mapping: Application of security standards (e.g., ISO 27001) to implement NIS-2 requirements.

Why cybersecurity must be considered holistically

The aim of the NIS-2 Directive is to strengthen the cyber resilience of critical sectors. Responsibility for cybersecurity and resilience does not end at a company’s own firewall, but must extend to the entire supply chain and its partners. In the future, companies will need to prove that not only they themselves but also their partners, such as logistics service providers, freight forwarders, and transport platforms, have taken appropriate protective measures. This applies to companies of almost any size: even companies with 50 employees or €10 million in revenue may be affected by the NIS-2 regulation, which will therefore also have an impact on a significant number of small and medium-sized enterprises (SMEs). Overall, NIS-2 thus covers large parts of the German economy and is expected to affect approximately 30,000 companies from various sectors.

Important: There are no transition periods. Once the national implementation of the NIS-2 Directive comes into force, the requirements will apply immediately. Affected companies must therefore actively demonstrate that appropriate security measures are being implemented, otherwise they face sanctions.

Strengthening resilience with NIS-2

Building a resilient supply chain should therefore be a priority for German businesses. It requires a holistic approach with a clear strategy, transparent processes, modern technology, and reliable partners. The most important areas of action:

  1. Creating transparency: End-to-end visibility across all suppliers, subcontractors, and their access points is essential. Only those who know every link in their chain can protect themselves.
  2. Assessing cyber risks: Regular risk analyses create security – not only internally, but also with partners such as suppliers and subcontractors.
  3. Securing security standards contractually: Supply contracts and service agreements must contain security clauses and require proof of measures and certifications.
  4. Technical protective measures: Network segmentation, monitoring, access controls, and backups are the cornerstones of modern supply chain security.
  5. Planning emergency management: Developing clear recovery plans to enable a rapid response in an emergency is essential for critical supply processes.
  6. Prevention through regular testing: Continuous audits, training and adjustments to new threat situations create long-term security and resilience. This means preventive protection against attacks through the ability to identify risks early, respond in a timely manner, and maintain or quickly restore operations.

Reliable partnerships for secure and resilient supply chains

After all, it all comes down to the network: As a company specializing in digital and networked supply chains, SupplyX offers various solution modules that enable stable and secure supply chains. With the SCM platform VIEW. By SupplyX, you receive all relevant information about your supply chain – transparently and in real time – through the intelligent consolidation and evaluation of various data sources. Thus, your company is empowered to react quickly to changing conditions and identify risks at an early stage. With AHEAD. By SupplyX, SupplyX even looks after the entire supply chain, allowing your company to focus on its core business.

Conclusion: Protecting supply chains and making them future-proof with NIS-2

The NIS-2 Directive provides clarity: protecting networked and digital supply chains is no longer an option but is increasingly becoming an obligation. The combination of transparency, risk management, technological solutions and reliable partnerships forms the core strategy. Addressing these issues today will strengthen your security and competitiveness. With a well-thought-out concept, your company can make its digital supply chain secure and future-proof.

Cybersecurity is a shared responsibility between companies, partners, and technology providers. SupplyX GmbH connects these levels in a resilient, data-driven supply chain.