Compliance & Regulations

NIS2 Compliance Starts with Supply Chain Security

Supply chain security is a core NIS2 requirement. Real-time visibility into third-party connections and infrastructure helps you stay ahead.

Many companies now fall under the scope of the Network and Information Security 2 (NIS2) Directive. Security teams are explicitly required to manage third-party and supply chain cyber risk as part of their overall security posture.

This means maintaining up-to-date visibility into who you’re connected to, how exposed those connections are, and what impact a breach could have across your operations. Accountability reaches all the way to executive leadership and the board.

Here's why this is critically important for security leaders like us:

  1. Broad scope of application: NIS2 impacts organisations across many sectors, including digital providers, waste management, and food production. Many were previously unaffected by the original NIS directive but now fall under its purview, necessitating a comprehensive review of supply chain security.
  2. Enhanced security requirements: The directive introduces more stringent cybersecurity risk management measures. This isn't just about technical controls; it mandates robust policies on risk analysis, incident handling, supply chain security, access control, and more. Security leaders must ensure these are not just documented, but effectively implemented and regularly tested.
  3. Stricter incident reporting: NIS2 shortens incident reporting timelines significantly. For significant incidents, organisations must submit an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Meeting these deadlines requires robust detection capabilities, well-practised incident response plans, real-time visibility and rapid response.
  4. Increased accountability for management: Crucially, NIS2 places direct liability on senior management for non-compliance. This elevates cybersecurity from a technical concern to a boardroom imperative, requiring security leaders to communicate risks and compliance efforts effectively to executive teams.
  5. Heftier penalties: The financial penalties for non-compliance are substantial, ranging up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (with a lower ceiling of €7 million or 1.4% for important entities). This punitive measure underscores the seriousness with which EU member states will enforce the directive.
  6. Strengthening supply chain security: NIS2 demands that organisations assess the cybersecurity practices of their suppliers and service providers, including the quality of those suppliers' own security practices and the vulnerabilities specific to each relationship. This requires security leaders to implement rigorous vendor risk management programmes.

Supporting NIS2 compliance requirements

At ThingsRecon, we focus on Supply Chain Discovery and Attack Surface Management, mapping digitally connected assets from both your organisation and your supply chain. More than an inventory or a list of vulnerabilities, our platform provides context, proximity and prioritisation of cyber risk, backed by an enhanced discovery capability.

Here’s how our capabilities support compliance with NIS2 requirements:

  • Discovering your digitally connected assets at scale, with context and proximity details
  • Providing actionable remediation steps so you can clearly communicate your security posture, and that of your supplier ecosystem, to senior leadership
  • Enhancing your supply chain security assessments and the verification of supplier responses

By understanding and proactively addressing NIS2 compliance, you will significantly uplift your overall security resilience, protecting your organisation and its stakeholders from evolving cyber threats.

Reach out to discuss how we can collectively prepare your organisation for NIS2 and leverage compliance as a competitive advantage.