5.1 Supply chain security policy
5.1.1. For the purpose of Article 21(2), point (d) of Directive (EU) 2022/2555, the relevant entities shall establish, implement and apply a supply chain security policy which governs the relations with their direct suppliers and service providers in order to mitigate the identified risks to the security of network and information systems. In the supply chain security policy, the relevant entities shall identify their role in the supply chain and communicate it to their direct suppliers and service providers.
5.1.2. As part of the supply chain security policy referred to in point 5.1.1, the relevant entities shall lay down criteria to select and contract suppliers and service providers.
Those criteria shall include the following:
(a) the cybersecurity practices of the suppliers and service providers, including their secure development procedures;
(b) the ability of the suppliers and service providers to meet cybersecurity specifications set by the entities;
(c) the overall quality and resilience of ICT products and ICT services and the cybersecurity risk-management measures embedded in them, including the risks and classification level of the ICT products and ICT services;
(d) the ability of the relevant entities to diversify sources of supply and limit vendor lock-in.
5.1.3. When establishing their supply chain security policy, relevant entities shall take into account the results of the coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1) of Directive (EU) 2022/2555, where applicable.
5.1.4. Based on the supply chain security policy and taking into account the results of the risk assessment carried out in accordance with point 2.1. of this Annex, the relevant entities shall ensure that their contracts with the suppliers and service providers specify, where appropriate through service level agreements, the following, where appropriate:
(a) cybersecurity requirements for the suppliers or service providers, including requirements as regards the security in acquisition of ICT services or ICT products set out in point 6.1.;
(b) requirements regarding skills and training, and where appropriate certifications, required from the suppliers’ or service providers’ employees;
(c) requirements regarding background checks of the suppliers’ and service providers’ employees pursuant to point 10.2.;
(d) an obligation on suppliers and service providers to notify, without undue delay, the relevant entities of incidents that present a risk to the security of the network and information systems of those entities;
(e) provisions on repair times;
(f) the right to audit or right to receive audit reports;
(g) an obligation on suppliers and service providers to handle vulnerabilities that present a risk to the security of the network and information systems of the relevant entities;
(h) requirements regarding subcontracting and, where the relevant entities allow subcontracting, cybersecurity requirements for subcontractors in accordance with the cybersecurity requirements referred to in point (a);
(i) obligations on the suppliers and service providers at the termination of the contract, such as retrieval and disposal of the information obtained by the suppliers and service providers in the exercise of their tasks.
5.1.5. The relevant entities shall take into account the elements referred to in points 5.1.2 and 5.1.3 as part of the selection process of new suppliers and service providers, as well as part of the procurement process referred to in point 6.1.
5.1.6. The relevant entities shall review the supply chain security policy, and monitor, evaluate and, where necessary, act upon changes in the cybersecurity practices of suppliers and service providers, at planned intervals and when significant changes to operations or risks or significant incidents related to the provision of ICT services or having impact on the security of the ICT product from suppliers and service providers occur.
5.1.7. For the purpose of point 5.1.5., the relevant entities shall:
(a) regularly monitor reports on the implementation of the service level agreements, where applicable;
(b) review incidents related to ICT products and ICT services from suppliers and service providers;
(c) assess the need for unscheduled reviews and document the findings in a comprehensible manner;
(d) analyse the risks presented by changes related to ICT products and ICT services from suppliers and service providers and, where appropriate, take mitigating measures in a timely manner.