20 Feb 2025

Ensure NIS2 compliance for third-party management

Following the October 2024 deadline for transposing NIS2 into national legislative frameworks, national cybersecurity agencies have begun publishing their expectations and “acceptable means of compliance” for Articles 20 and 21 of the directive.

The guidelines for ecosystem management are now clearer and can be summarized as follows:

  • Defining a mapping of third parties that allows for the identification of the risk associated with each third party.
  • Ensuring the compliance of these third parties with NIS2 requirements.

This first requires contractual clauses that mandate adherence to the security requirements proposed by NIS2 and also impose a right to audit and reporting obligations concerning incidents. Contractual commitment must be followed by verification. Where non-compliance is found, continuous monitoring must be put in place to ensure that the third parties in question improve.

The question of verification then arises, in a context where each country independently defines what it considers to be acceptable means of compliance. To meet this challenge, CyberVadis is already working on defining a common foundation of acceptable means of compliance and will also enable its clients to collect information on the posture of their third parties regarding specific requirements in certain countries.

The CyberVadis solution becomes a central component of ecosystem-management compliance by enabling:

  • Identification of service providers that fall within the scope of NIS2.
  • Verification of these providers’ compliance with NIS2 requirements through an evidence-based assessment.
  • Definition, prioritization, and management of a remediation plan to ensure compliance with the directive’s requirements.

Reach out to CyberVadis today to discuss how we can help you manage your supply chain’s NIS2 compliance.