Cybersecurity in the supply chain: NIS2, pressing challenges, and strategic priorities

Cybersecurity is not just a technology risk; it’s a business risk. In today’s digitized world, supply chain cybersecurity is essential to protect data, maintain operations and avoid financial and reputational risks.

In this article, Kim Høse outlines how companies and leaders can strengthen their supply chain cybersecurity, with a focus on the NIS2 directive, pressing challenges of today, and strategic priorities.

Kim Høse | September 18, 2025 | 4 minutes

Cybersecurity challenges

Cybersecurity is no longer just an IT concern. It is a necessity for maintaining a healthy and competitive business.

In today’s digitized economy, organizations face challenges such as increasingly sophisticated cyberattacks and a shortage of qualified cybersecurity professionals.

On top of this, supply chain security is more critical than ever to protecting data and maintaining operations, demanding both strategic oversight and operational resilience.

Add to this the arrival of the NIS2 directive, which requires business leaders to actively consider and take responsibility for cybersecurity measures, including business continuity and risk management.

Taken together, an effective cybersecurity strategy today means having a comprehensive security policy, a robust risk management framework and a mindset of continuous improvement to safeguard long-term business success.

While the topic may seem daunting, it is manageable. So let’s take a step back and clarify the broader context of cybersecurity in the supply chain.


NIS2 demands strong security requirements

Let’s start with NIS2, a central challenge today that, for a wide range of companies, should inevitably be part of the cybersecurity strategy.

In short, NIS2 is designed to improve cybersecurity across the EU by ensuring that all member states have a consistent approach to cybersecurity.

NIS2 requires business leaders to take responsibility for overseeing, training and approving cybersecurity measures.

The directive focuses on several key areas that are essential to maintaining a high standard of security:

  • Business continuity: Businesses must have system recovery, emergency procedures and crisis response plans in place to ensure they can continue operations during and after a cyber incident. This is essential to minimize downtime and ensure critical business functions can be maintained.
  • Cybersecurity risk management: It is necessary to implement technical, operational, and organizational measures to manage and minimize risks associated with network and information systems. This includes everything from access control and encryption to regular security testing and vulnerability assessments.
  • Reporting obligations: Significant incidents must be reported to national authorities without undue delay to ensure a quick and effective response. This helps to coordinate efforts and minimize the damage from cyberattacks.

With NIS2, cybersecurity is no longer just a technical concern. It’s a leadership imperative. Under NIS2, business leaders must take ownership of security strategy, ensuring it’s embedded in boardroom decisions and organizational culture. 

This raises the key question: where should the strategic priorities begin?

Strategic and operational approach

In a digitized supply chain, every vendor, system, and process is a potential vulnerability – so where to start?

With growing threats and rising expectations, cybersecurity can’t be left to chance.

An effective cybersecurity strategy involves having a clear and comprehensive plan that covers all aspects of cybersecurity, from policies and procedures to technological solutions and employee training.

Key elements of such a strategy include:

  • Security policy: Establishing and maintaining a comprehensive security policy that covers all aspects of company operations. This includes clear guidelines and procedures for security management.
  • Risk management framework: Implementing a risk identification and mitigation framework that ensures a systematic approach to security. This helps to identify potential threats and vulnerabilities and take appropriate action.
  • Continuous improvement: Continuously improving security measures based on lessons learned and emerging threats is essential to maintaining a strong security posture. This requires a culture of learning and adaptation.
  • Incident management: Developing security incident management procedures that ensure a fast and effective response to threats. This includes clear roles and responsibilities as well as regular training and exercises.


Strategic priorities: Where to start?

A good place to begin is by prioritizing a targeted selection of areas that address both technological and organizational measures.

This includes focusing on improving security posture, ensuring compliance with relevant laws and standards, and maintaining trust among stakeholders:

  • Improving security posture: Protecting data and maintaining operations is essential to avoid financial and reputational damage. This means having robust security measures and a clear plan for handling security incidents.
  • Regulatory compliance: Ensuring compliance with relevant laws and standards is essential to avoid sanctions and maintain trust. This requires continuous monitoring and adaptation of security measures.
  • Strengthening trust: Maintaining stakeholder trust is critical to the long-term success and reputation of the organization. This can be achieved by demonstrating a strong security posture and a proactive approach to cybersecurity.

Managing cybersecurity across complex multi-vendor environments demands strategic coordination, technological resilience, and continuous oversight. 

For businesses, this means that effective risk management is more than compliance – it requires a proactive framework that integrates business continuity, incident response, and continuous improvement to safeguard operations and reputation.

The future of cybersecurity

The future of cybersecurity will require a combination of advanced technologies, skilled personnel and a proactive approach to risk management.

With the increasing threat of AI-driven cyberattacks and limited budgets, understanding your organization’s security posture is crucial to making quick and informed decisions.

As mentioned before, cybersecurity is a business risk, not just a technology risk. But many companies lack cybersecurity expertise at the leadership level in a time when cybersecurity should be a consistent agenda item at board meetings, especially given the high prevalence of cybersecurity incidents in recent years.

That’s why it’s important to have leaders with cybersecurity expertise to navigate the complex threat landscape, to drive strategic and operational cybersecurity changes, and to ensure long-term business success.
