5 minute read 6 Jun 2023

How will NIS2 affect the supply chain security approach?

By EY Poland

Multidisciplinary professional services organization - Assurance, Consulting, Tax, Strategy & Transactions

Contributors
Joanna Gałajda,  
Marek Dzięciołowski,  
Szymon Skalski

One of the most important elements of the NIS2 Directive is its set of standards for assessing supply chain security. Will the practical implementation of those standards be problematic?

Supply chain issues are regulated in Article 21(2)(d) of the NIS2 Directive. According to this provision, one of the responsibilities of key and important entities will be to put in place appropriate and proportionate technical, operational and organizational measures to ensure supply chain security.

The NIS2 Directive provides three mechanisms to guarantee supply chain security:

  • The first one is a procedure, carried out at EU level, to assess the level of risk of a specific supply chain; this is the so-called coordinated risk assessment.
  • The second procedure is somewhat hidden in the text of the NIS2 Directive, as it consists of the various powers of Member States to extend the scope of the directive to entities originally outside it. This procedure may be described as a national risk assessment.
  • The third mechanism is the obligation provided for in Article 21(2)(d) of the NIS2 Directive, which can be described as an internal risk assessment.

The NIS2 Directive indicates that those covered by NIS2 obligations should consider the vulnerabilities specific to each direct supplier and service provider and the overall quality of their suppliers' and service providers' cybersecurity products and practices, including their secure development procedures. In particular, the obligation to assess, and in effect to predict, how a given product will be developed deserves attention, as it may be an organizational challenge for entities that do not have sufficient human and technical resources.

Another obligation under the NIS2 Directive is the need to take into account the results of coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1) of the NIS2 Directive. The coordinated risk assessment is the most controversial of the three mechanisms because of the breadth of its assessment criteria, which include non-technical aspects.

Coordinated risk assessment

The legal basis for this procedure is stipulated in Article 22 of the NIS2 Directive. However, the key criteria and conditions for carrying out this procedure are provided for in the recitals of the directive, in particular in recitals (90) and (91). In general, it is a two-stage procedure:

  • The procedure is initiated by the Cooperation Group (Article 14 of the NIS2 Directive) to mitigate key supply chain risks.
  • After consultation with ENISA and the Commission, and in some cases with stakeholders, a coordinated security risk assessment of critical supply chains is carried out.

First of all, business entities may wonder what criteria lie behind the selection of a specific supply chain. In this respect, the directive does not provide any information, apart from the reference to the 5G Toolbox as a model procedure for subsequent coordinated risk assessments. At this point, it can be concluded that, given the composition of a body like the Cooperation Group (representatives of Member States, ENISA and the Commission), this will be a decision based on a broad political consensus.

The purpose of this procedure is to identify measures, risk mitigation plans and best practices to address critical dependencies, potential single points of failure, threats, vulnerabilities and other supply chain risks. The other purpose is to explore ways of further encouraging their wider use by key and important entities.

The criteria on which the evaluation part of the procedure will be based cover five issues, all of which relate to ICT services, systems and products:

  • Firstly, the extent of their use and the level of dependence on them.
  • Secondly, their importance in performing critical or sensitive functions.
  • Thirdly, the availability of alternatives.
  • Fourthly, their resilience to disruption throughout their whole life cycle.
  • Fifthly, their potential future significance.

These criteria can be described as technical factors. In recital (90) of the directive, so-called non-technical factors are also indicated. These are, in particular, the undue influence of a third country on suppliers and service providers, for example through technological lock-in, provider dependency or hidden backdoors.

Implications for businesses of a coordinated supply chain risk assessment

In order to understand the implications for businesses, it is necessary to refer to Article 21 of the NIS2 Directive, in which the detailed obligations of key and important entities are regulated. According to paragraph 3 of that Article, when assessing compliance with the NIS2 Directive obligations, Member States must take into account the results of a coordinated risk assessment. This small mention can have important implications for businesses. Indeed, even if an entity ensures compliance with the NIS2 Directive, which means, in a nutshell, fulfilling the requirements of Article 21 of the NIS2 Directive, it may still be considered non-compliant solely because it has not taken into account the results of the aforementioned procedure. This may even entail the imposition of financial penalties under the NIS2 Directive.

It will therefore be crucial for businesses to monitor the ongoing work towards further coordinated risk assessments. Indeed, it may turn out that even a thorough implementation of the NIS2 Directive requirements will not be enough if there is an entity within the business's own supply chain that is deemed particularly risky under a coordinated risk assessment.

National risk assessment

This procedure is not mentioned directly in the text of the directive. It is an umbrella term for a number of powers of Member States to extend the personal scope of the NIS2 Directive. These powers are found in Article 2(2)(b), (c), (d) and (e) of the NIS2 Directive, which allow the directive to also apply to:

  • Entities that are the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities.
  • Entities providing services the disruption of which could have a significant impact on public safety, public security or public health.
  • Entities providing services the disruption of which could lead to a serious systemic risk, in particular in sectors where such a disruption could have a cross-border impact.
  • Entities that are critical because of their particular importance at national or regional level for a specific sector or type of service, or for other interdependent sectors in a Member State.

Two conclusions are worth drawing from the above. First, the scope provided for in the directive may be significantly modified in the process of transposing the NIS2 Directive into the national legal order. This leads to the second conclusion: even after the transposition of the NIS2 Directive, an entity previously not covered by any obligations may become subject to the full scope of those obligations if it meets any of the conditions enumerated above.

Internal risk assessment

The internal risk assessment constitutes an obligation of key and important entities and is an obligation of a technical nature. The recitals and provisions of the directive give several important pointers as to its implementation.

Firstly, it will be very important to pay attention to the content of national cybersecurity strategies. These strategies should be the source of information about the approach of a given Member State to the enforcement of this obligation. It is also worth paying attention to other documents, such as the National Plan for the Protection of Critical Infrastructure. The analysis of supply chain protection practice in a given Member State must be as holistic as possible.

Secondly, it is worth noting the powers and purpose of the CSIRT network, which, at the request of a key or important entity, can monitor that entity's internet-facing assets.

Thirdly, and most importantly, attention should be drawn to the content of recital (85) of the directive, which emphasizes the specific role of data storage and processing service providers, cybersecurity management and software editors. The need to assess the level of risk and maturity of third parties in the supply chain is also pointed out there.

NIS2 Directive and the UKSC amendment from a supply chain perspective

The draft amendment to the Act on the National Cyber Security System (UKSC, UD68), which is currently going through the legislative procedure, was adopted by the Standing Committee of the Council of Ministers at the end of April this year. Many of the solutions envisaged in the draft are somewhat controversial, particularly those relating to 5G. From a supply chain perspective, it is worth noting the concept of high-risk vendors (HRVs). While the control mechanism provided for in the NIS2 Directive will operate only in the case of inspections (until then, it is the responsibility of entities covered by the NIS2 Directive to manage the risk themselves), in the solution provided for in the draft amendment to the UKSC it is the competent minister who will determine which entity is deemed a high-risk vendor. This solution therefore clearly contradicts the NIS2 Directive.

Conclusions

The risk assessment mechanisms provided for in the NIS2 Directive are extensive and multi-level. Appropriate solutions can be used at both international and national level. The obligations imposed on key and important entities are also of significance. For businesses, it is important to keep the implementation process in mind, which, as the Polish example shows, can be very complicated.

Further developments in both national and EU cybersecurity legislation are worth monitoring. As can be seen from the regulation of supply chain security in the NIS2 Directive, the issues of interest may turn out to be much broader than would appear from a cursory reading of the text of a directive or regulation.


Summary

The NIS2 Directive was adopted on 28 November 2022 (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022). Its main goal is to raise the overall level of cybersecurity in the EU. One of the most important elements of this directive are standards for assessing supply chain security. Will the practical implementation of the NIS2 Directive objectives be problematic?
