Last Updated on November 14, 2025
The NIS2 directive applies to thousands of “essential and important” businesses in a wide range of sectors across the EU. These firms will impose NIS2 requirements on their suppliers—including IT service providers—to meet the regulation’s strict supply chain risk management demands.
As a result, many US-based IT suppliers will need to align with NIS2 to stay competitive and keep their EU customers. This includes small or “micro” enterprises with fewer than 50 employees and/or an annual income below EUR 10 million that might otherwise slip below NIS2’s size threshold.
NIS2 also applies directly to IT suppliers with critical “digital infrastructure” offerings like cloud services, data center services, managed/outsourced IT and cybersecurity services, operational technology (OT) support, critical infrastructure support, medical device manufacturing, digital providers (e.g., marketplaces and social networks) and more.
How might NIS2 impact your IT services business? This article gives an overview of the main considerations and concerns.
What are NIS2’s cybersecurity requirements for supply chain partners?
As attackers target supply chain partners as weak points in critical entities’ cybersecurity postures, NIS2 puts a laser focus on assessing and managing third-party risks. Mega-breaches like SolarWinds demonstrate how compromising one IT vendor can open doors to multiple customers’ sensitive data.
According to ENISA, critical suppliers harbored 38% of identified supply chain vulnerabilities within NIS2-covered environments in 2024. This research underscores the importance of vendor risk management and cooperative cybersecurity in maintaining service resilience, protecting access to sensitive data and systems, and sustaining continuous compliance monitoring.
Yet many “essential and important” organizations lack adequate visibility into their vendors’ cybersecurity programs. This is why NIS2 extends significant cybersecurity obligations to covered entities’ supply chain partners.
These are some of the key responsibilities and considerations that IT service providers serving essential or important EU organizations need to be aware of:
- Suppliers should prepare for regular customer risk assessments to judge their cybersecurity controls, incident response capabilities, and operational resilience.
- Besides risk assessments, many IT service providers will need to undergo customer audits and cybersecurity assessments.
- Suppliers should prepare for new or amended contract language that clarifies cybersecurity responsibilities, service levels, key performance measurements, and compliance reporting obligations.
- IT service providers and other partners to NIS2-covered businesses must comply with NIS2’s strict incident reporting requirements, which include initial reporting within 24 hours and full incident disclosure within 72 hours.
- IT service providers and other supply chain partners will need to demonstrate comprehensive cybersecurity risk management practices, as well as implementation and operation of essential controls like network segmentation, multifactor authentication, end-to-end encryption for sensitive data, best-practice identity management and access controls, and a secure software development lifecycle/DevOps pipeline.
How could NIS2 impact IT service providers?
Cybersecurity and business continuity enhancements that can increase an IT supplier’s compliance burden and costs include:
- Establishing routine risk assessments and risk management.
- Enhancing incident response capabilities, potentially including threat hunting and other proactive approaches.
- Developing comprehensive documentation and administration of policies, procedures, and compliance records.
- Hiring staff with specific cybersecurity and/or compliance skills.
- Covering new legal costs for NIS2 compliance guidance.
- Investing in governance and compliance tools and automation.
- Implementing stronger internal cybersecurity (e.g., achieving ISO 27001 compliance).
- Ensuring senior management’s engagement and accountability around cybersecurity.
- Conducting regular cybersecurity awareness education and training for employees.
- Assessing and managing their own vendor and supplier risks.
What’s next?
For more guidance on this topic, listen to Episode 154 of The Virtual CISO Podcast with guest Dejan Kosutic, CEO at Advisera.