How to implement KSC / NIS2 – supply chain

05 March 2025

In the face of growing cybersecurity threats, the supply chain has become a key area in ensuring an organization’s operational stability. The Act on the National Cybersecurity System (KSC), in line with the requirements of NIS2, imposes on companies the obligation to develop and implement a supply chain security policy. It is therefore worth asking how to effectively manage relationships with suppliers and service providers in order to minimise risk while maintaining compliance with applicable laws.


The Author:

Tomasz Ochocki


From regular reviews of supplier registers through risk analysis in contracts to the classification of service criticality – every element of this puzzle matters. Find out what steps to take both to meet KSC / NIS2 requirements and to build your organisation’s resilience to contemporary challenges. In this article, we discuss best practices and tools that will help you keep your supply chain under full control.


Requirements of the supply chain security policy

Essential and important entities should develop, implement and apply a supply chain security policy governing relations with direct suppliers and service providers. The purpose of this policy is to reduce identified risks related to the security of network and information systems. The policy should also define the entity’s role in the supply chain and clearly communicate it to suppliers and service providers.

Guidelines for developing a supply chain security policy

Developing a supply chain security policy requires consideration of well-known standards and good practices. A key element is clearly defining the organisation’s role in the supply chain. It may perform one or more of the following functions:

  • information and communications technology (ICT) supplier,
  • manufacturer,
  • software supplier,
  • hardware supplier,
  • managed services provider (MSP),
  • managed security services provider (MSSP),
  • user.

Defining the role in the supply chain makes it possible to better manage contacts with suppliers and minimise the risks arising from improper security management in business relationships.

To demonstrate the implementation of the supply chain security policy, organisations should have appropriate documentation at their disposal.


Examples of evidence of implementing the supply chain security policy

  • Formally developed supply chain security policy.
  • Confirmation that the policy complies with adopted standards and best practices.
  • Evidence of communicating the entity’s role in the supply chain, such as e-mails, contracts, announcements or other forms of documentation.

Supplier selection criteria in the supply chain security policy

In accordance with the NIS2 requirements set out in the KSC, as part of the supply chain security policy, organisations are required to define clear criteria for selecting and concluding contracts with suppliers and service providers. These criteria should take into account the aspects described below.

Key supplier selection criteria

  1. Cybersecurity practices of suppliers and service providers

    Verification of the secure development procedures used by suppliers and review of their approach to information security management.
  2. Suppliers’ ability to meet cybersecurity requirements

    Ensuring that suppliers are capable of meeting the specified security requirements and specifications established by the contracting entity.
  3. Overall quality and resilience of ICT products and services

    Assessment of the quality of ICT products and services and their ability to cope with threats, as well as an assessment of the implemented cybersecurity risk management mechanisms, including the identification of the risk level and classification of ICT products and services.
  4. Possibility of diversifying supply sources

    An effort to avoid excessive dependence on a single supplier. In this way, the organisation reduces the risk of becoming dependent on individual commercial partners (so-called vendor lock-in).

Example of evidence of compliance with the requirement to define supplier selection criteria

  • Supply chain security policy.

Taking the results of risk assessment into account in the supply chain security policy


When developing a supply chain security policy, organisations are required to take into account the results of coordinated risk assessments of critical supply chains, carried out pursuant to Article 22(1) of Directive (EU) 2022/2555, where applicable.

Documentation as evidence of compliance

To confirm compliance with the regulations, the organisation should have evidence that it has taken into account, in its supply chain security policy, the results of risk assessments and the recommendations of the NIS Cooperation Group. Such evidence may include documents indicating the integration of specific scenarios and guidelines into the organisation’s business objectives.

Requirements for agreements with suppliers and service providers in the supply chain security policy

Organisations developing a supply chain security policy are required to define detailed requirements for agreements with suppliers and service providers. These agreements should include provisions concerning strategic areas related to network and information systems security, identified on the basis of the risk assessment results.

Key requirements for agreements with suppliers and service providers

  1. Cybersecurity requirements

    The agreements should specify cybersecurity standards, including rules for the procurement of ICT products and services.
  2. Training and certifications

    Organisations should require suppliers and their employees to have appropriate training, skills and certifications in the area of security.
  3. Personnel vetting

    It is necessary to ensure procedures for background checks of suppliers’ and service providers’ employees, particularly in the context of their access to critical systems.
  4. Incident reporting

    Vendors are required to report without delay any incidents that may affect the security of networks and information systems.
  5. Audit and security reports

    Contracts should guarantee the right to audit as well as access to security-related reports.
  6. Subcontractor management

    If a vendor uses subcontractors, their compliance with cybersecurity requirements must be ensured.
  7. Contract termination and data deletion

    Contracts must regulate matters related to the end of cooperation, including procedures for recovering and deleting data obtained during the performance of tasks.

Guidance for smaller entities

Organizations with limited negotiating capacity are advised to:

  • negotiate jointly within purchasing groups,
  • use representation by industry organizations,
  • seek legal advice when entering into agreements,
  • negotiate protective clauses, such as contract termination rules or service levels.

Examples of evidence of contractual compliance with requirements

  • Contracts incorporating all necessary elements.
  • Comparison of contract content with tender documentation, in particular with regard to compliance with ICT product procurement rules.
  • Vendor reports on vulnerability reporting and remediation activities.
Risk assessment as a key element of the vendor and service provider selection process


The Act on the National Cybersecurity System requires, in line with the NIS2 Directive, that the process of selecting new vendors and service providers within an organization takes into account key elements related to cybersecurity and risk management. It is important to examine vendors’ practices in detail, the quality of the services offered, and the potential threats to the organization’s networks and information systems. A fundamental stage of this process is carrying out a detailed risk analysis before signing the contract, in order to ensure the security of cooperation and minimize potential risks.

Guidelines for risk analysis

Before signing contracts with vendors or service providers, it is necessary to:

  • conduct a risk analysis,
  • identify potential threats arising from cooperation with a given entity and assess their impact on the security of the organization’s networks and information systems.

Examples of evidence of compliance with the supplier and service provider selection process

  • Documentation of contracts and tender guidelines – confirming that the provisions take into account the requirements of the Cybersecurity Act / NIS2.
  • Comparison of the content of contracts and tenders – to verify whether the procurement of ICT systems and services meets security requirements.
  • Risk analysis reports – prepared on the basis of the assessment of suppliers and service providers, containing identification of threats and recommendations for corrective actions.

Periodic assessment of the supply chain security policy

In a dynamic business environment in which cybersecurity threats are constantly evolving, it is necessary to carry out regular assessments and updates of the supply chain security policy. Organizations should monitor, assess and, where necessary, introduce modifications in response to changes in suppliers’ practices, security incidents or other significant events affecting the security of ICT services and products.

The importance of regular assessment of the supply chain security policy

Changing risks and market requirements mean that the supply chain security policy cannot be treated as a static document. Regular assessment enables organizations to:

  • identify gaps in current procedures,
  • align the policy with evolving cybersecurity standards,
  • respond to new threats arising from incidents or changes in suppliers’ operations.

A practical approach to monitoring and assessing the supply chain security policy

Organizations should:

  • review the policy at least once a year – a regular review schedule makes it possible to update the policy systematically,
  • monitor suppliers throughout the entire cooperation cycle – continuous analysis of suppliers’ practices and actions makes it possible to identify potential threats on an ongoing basis,
  • take into account significant changes or incidents – any material security incident or any change in the activities of suppliers should prompt a review of the policy.

Examples of evidence of compliance with monitoring requirements

  • Plans and schedules for security policy reviews.
  • Records of previous reviews and implemented changes.
  • Lists of supplier-related incidents.
  • Reports assessing suppliers and their products in terms of cybersecurity.

Monitoring service levels and risk management in the ICT supply chain

In order to ensure the security of ICT products and services, organisations should regularly monitor the level of services provided, analyse incidents involving suppliers, and take remedial action in response to changing risks.

Key actions in building resilience to threats and maintaining operational stability

  1. Regular monitoring of SLA agreements

    Organisations should oversee the implementation of the provisions arising from Service Level Agreements (SLAs) to ensure compliance with the agreed standards.
  2. Review of security incidents

    Analysing incidents related to ICT products and services provided by suppliers is essential for identifying threats and implementing appropriate remedial measures.
  3. Assessment of risks arising from changes in ICT products and services

    Where changes are introduced to ICT products or services, organisations must conduct a risk analysis and take action to minimise potential threats.
  4. Planning additional reviews

    If necessary, organizations should consider the possibility of conducting reviews outside the regular schedule, particularly in response to significant changes or incidents.

Examples of evidence of compliance with service level monitoring and risk management principles

  • Documentation of service level monitoring in accordance with SLA agreements.
  • Reports from the analysis of security incidents and the corrective actions implemented.
  • Evidence confirming that signed agreements with vendors include security-related requirements, including provisions concerning roles, responsibilities and reporting.
  • Documents relating to vendor disengagement management, including the transfer of services and data, and access to resources.
  • A list of security incidents arising from cooperation with vendors.

Standards and norms – corresponding requirements

  • ISO 27001:2022 – A.5.19, A.5.20, A.5.21, A.8.30
  • NIST CSF v2.0 – GV.OC-03, GV.OC-05, GV.SC-01, GV.SC-04, GV.SC-06, GV.SC-05, GV.SC-07, GV.SC-09, GV.SC-10, ID.RA-10, ID.IM-01, ID.IM-02, ID.IM-03, ID.IM-04

Register of vendors and service providers – a management and control tool in the supply chain

Maintaining an up-to-date register of vendors and service providers is fundamental to supply chain security management in any organization. Such a register makes it possible not only to monitor cooperation with business partners effectively, but also to respond promptly to changes that may affect the security of ICT systems.

Required elements of the register of vendors and service providers

The register of vendors and service providers should include:

  • contact details of each vendor and service provider,
  • a detailed list of ICT products, ICT services and ICT processes provided by each vendor or service provider.

Regular reviews and updates of the register of vendors and service providers

To ensure the accuracy and currency of the information, the register of suppliers and service providers should be reviewed at least twice a year or after any material change concerning suppliers. This approach makes it possible to identify potential risks on an ongoing basis and implement appropriate preventive measures.

Classification of suppliers and service providers

Suppliers and service providers may be classified according to various criteria, such as:

  • the sensitivity of the assets provided by a given supplier,
  • purchase volume,
  • service availability requirements,
  • applicable legal regulations,
  • the level of risk and measures to mitigate it.

On the basis of these criteria, suppliers may be assigned to three categories:

  • critical – suppliers having a key impact on the organisation’s operations,
  • strategic – high-value suppliers that support the information infrastructure, e.g. cloud or software providers,
  • routine – suppliers with minimal impact on the organisation’s activities.

Examples of evidence of compliance with the register of suppliers and service providers

  • A list of contracts and SLAs that are in line with the supply chain policy.
  • Documentation of the categories assigned to suppliers and the rules for supplier management based on those categories.
  • Descriptions of risk assessment processes for each supplier and the corresponding actions tailored to their classification.

Standards and norms – corresponding requirements

  • ISO 27001:2022 – A.5.22
  • NIST CSF v2.0 – GV.OC-05, GV.SC-04, ID.IM-01, ID.IM-02, ID.IM-03, ID.IM-04

Where should NIS2 implementation start?


NIS2 implementation should begin with a risk analysis – this is the first and key step that makes it possible to identify assets, threats, and vulnerabilities in security safeguards.

Why is this so important?

NIS2, like GDPR, does not specify concrete protective measures – it is up to you, on the basis of the risk analysis carried out, to determine adequate security measures.

The next steps in NIS2 implementation are:

  1. Technical safeguards

    Investments in specific technologies and protective tools. NIS2 requires real, “hard” security, not merely documentation.

  2. Organisational safeguards

    Development and implementation of procedures required by NIS2. Thanks to them, employees will know how to act safely within the IT infrastructure.

  3. Training

    Regular training of employees and management to ensure awareness of roles, responsibilities, and security principles. This is a direct NIS2 requirement.

In summary: start with a risk analysis, and only then ensure appropriate technical and organizational safeguards and training.
