NIS2: Understanding the Obligations of Critical Suppliers

The NIS2 Directive redefines cybersecurity requirements for critical entities and their third-party governance across Europe. With over 1.8 million companies indirectly affected via their supply chains (NIS2 Quality Mark – 2025), identifying critical third parties is now a strategic imperative for key sectors like construction and public services.

This regulation mandates a dynamic mapping of partners based on their operational impact, combined with collaborative monitoring of security measures. Unlike traditional approaches focused solely on internal protection, NIS2 emphasizes continuous assessment aligned with European standards such as EUCS v2.0.

What is the NIS2 Directive?

The NIS2 Directive redefines cyber risk management for external service providers in critical sectors across Europe, expanding its scope from 19 to 35 regulated sectors, now including postal services, waste management, and agri-food. It introduces two categories:

  • Essential Entities (e.g., energy, health, transport)
  • Important Entities (e.g., construction, manufacturing, retail)

This classification determines the level of collaborative governance requirements, especially for:

  • Dynamic mapping of operational dependencies
  • Continuous security assessment of third parties
  • Centralized incident notification within 24 hours

In the public sector, this means local authorities must verify the EUCS v2.0 certification of their cloud providers—a new standard for critical digital services. Penalties reach up to €10M or 2% of global revenue for essential entities, and €7M for important ones.

Why Are Critical Third Parties Strategic?

According to the ENISA 2024 report, critical suppliers account for 38% of identified vulnerabilities in supply chains now regulated under NIS2, highlighting the need for shared oversight. Their significance stems from their impact on:

  • Continuity of essential services (e.g., subcontractors on SEVESO construction sites)
  • Access to sensitive systems (e.g., cloud providers in the public sector)
  • Compliance with cross-cutting legal requirements (e.g., suppliers of retail marketplaces)

In industry, lack of EUCS certification for a critical component supplier can paralyze production lines.

Collaborative Compliance Methodology

The NIS2 Directive mandates proactive management based on three pillars:

1. Dynamic Mapping

  • Identification of operational dependencies using sectoral grids (e.g., construction = tier-2+ subcontractors)
  • Prioritization based on business impact and certification level

2. Continuous Monitoring

  • Tracking of key indicators:
    • Security updates
    • Reported incidents (within 24h per ANSSI)
    • Certification status updates

3. Sectoral Action Plans

  • Construction: joint audits on ICPE sites
  • Retail: automated verification of marketplace clauses

Penalties can reach 2% of global revenue for essential entities.

What Are the Guiding Principles of the Obligations?

The NIS2 Directive imposes harmonized requirements to ensure compliance across all third parties involved in regulated domains. Organizations must adopt a proactive collaborative assessment strategy, including:

  • Systematic risk identification for each partner
  • Ongoing updates to security measures
  • Prompt incident reporting and traceability of corrective actions

Specific contractual clauses, critical partner registries, and continuous monitoring are now mandatory.

In retail, NIS2 compliance requires regular audits of e-commerce platforms and associated logistics risk management.

What Does Supplier Mapping Mean?

Mapping critical suppliers involves creating a comprehensive inventory of partners involved in essential processes. This relies on sector-specific qualification:

  • In construction, this means ranking subcontractors by their impact on project continuity and certification status.

The process enables ongoing collaborative monitoring and prioritization of compliance efforts while strengthening organizational robustness.

This inventory helps anticipate risks and meet supervisory authority expectations swiftly.

Practical Guide for Third Parties: Strategic First Steps

The NIS2 Directive calls for a collaborative approach to compliance across the value chain, combining proactive assessments and sectoral tools.

1. Initial Diagnostic

  • Map critical dependencies (e.g., ICPE component suppliers in industry)
  • Prioritize third parties based on business continuity impact

2. Regulatory Alignment

  • Include NIS2-specific contractual clauses (e.g., 24h incident notification for public sector)
  • Set up certification verification processes:
    • Industry: ICPE certification for high-risk industrial sites
    • Retail: PCI DSS certification for e-commerce payment platforms
    • Construction: Pro HSE Level 3 for subcontractors on critical sites
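The mapping, certification-check and 24h-notification tracking described in the methodology and in steps 1 and 2 above, carried through as a small registry check. This is an added example, not Aprovall's or Aprovall360's code; the sector-to-certification table, the 1..3 impact scale, the tiering rule and the sample supplier records are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: the certification the page names for each sector is the one a
# critical supplier in that sector must hold (labels are ours, not a standard).
REQUIRED_CERT = {
    "industry": "ICPE",
    "retail": "PCI DSS",
    "construction": "Pro HSE Level 3",
}
NOTIFY_DEADLINE = timedelta(hours=24)  # NIS2 initial incident notification window


def ts(*args):
    """Build a timezone-aware UTC timestamp from (year, month, day, hour)."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass
class Supplier:
    name: str
    sector: str
    continuity_impact: int            # assumed scale: 1 (low) .. 3 (high)
    certs: dict                       # cert name -> expiry datetime
    incidents: list = field(default_factory=list)  # (detected_at, notified_at or None)


def cert_valid(s, now):
    """True when the sector's required certification is present and unexpired."""
    expiry = s.certs.get(REQUIRED_CERT[s.sector])
    return expiry is not None and expiry > now


def tier(s, now):
    """Assumed rule: high continuity impact or a missing/expired required cert -> tier 1."""
    if s.continuity_impact >= 3 or not cert_valid(s, now):
        return 1
    return 2 if s.continuity_impact == 2 else 3


def late_notifications(s, now):
    """Incidents notified after 24h, or still unnotified once the deadline has passed."""
    return [d for d, n in s.incidents if (n or now) - d > NOTIFY_DEADLINE]


def review(suppliers, now):
    """One review row per supplier: priority tier, cert status, count of late notifications."""
    return {s.name: {"tier": tier(s, now), "cert_ok": cert_valid(s, now),
                     "late": len(late_notifications(s, now))} for s in suppliers}


NOW = ts(2025, 6, 1, 0)  # constructed review date
SAMPLE = [  # constructed sample registry
    Supplier("Acme Pumps", "industry", 3, {"ICPE": ts(2026, 1, 1, 0)},
             [(ts(2025, 5, 10, 8), ts(2025, 5, 10, 20))]),          # notified in 12h
    Supplier("ShopFast", "retail", 2, {"PCI DSS": ts(2025, 3, 1, 0)},
             [(ts(2025, 5, 20, 9), None)]),                          # expired cert, never notified
    Supplier("BuildCo", "construction", 1, {"Pro HSE Level 3": ts(2027, 1, 1, 0)},
             [(ts(2025, 5, 25, 10), ts(2025, 5, 26, 12))]),         # notified after 26h
]
```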

Key Steps for Successful Third-Party Governance

Action | Target Sector | Key Benefit
Prioritized Mapping | Industry (ICPE sites) | Identification of REACH/ICPE risks
Continuous Monitoring | Retail (marketplaces) | 40% reduction in logistics anomalies
Integrated Reporting | Construction (SEVESO sites) | HSE compliance and full traceability

Mandatory Requirements Checklist for Critical Suppliers

Third parties working with critical entities must meet the following minimum requirements to ensure NIS2 compliance.

1. Mandatory Documentation

  • Registry of technical and organizational cybersecurity measures
  • Incident response policy with 24h notification procedures
  • Proof of sectoral certification (ICPE for industry, PCI DSS for retail, Pro HSE Level 3 for construction)

2. Minimum Technical Measures

  • Encryption of sensitive data in transit and at rest
  • Strong authentication for all access to critical systems
  • Network segmentation and isolation of sensitive environments

3. Governance Processes

  • Appoint a NIS2 officer with direct reporting to clients
  • Documented continuous cyber risk assessment process
  • Annually tested business continuity plan

4. Reporting and Transparency

  • Capability to produce 24h incident reports
  • Contractual commitments on remediation timelines
  • Participation in crisis simulations with key actors

This checklist, based on ANSSI recommendations, sets the minimum standard for any supplier in regulated supply chains.


Sectoral Impact: Strategic Preparedness

With the expansion to 35 regulated sectors, NIS2 directly addresses ENISA’s alarming statistics, which show 38% of vulnerabilities stem from third parties, particularly in newly regulated sectors like retail and industry.

That said, NIS2’s impact varies across domains, with requirements proportional to operational criticality. Essential entities (energy, healthcare) must:

  • Map their full third-party ecosystem
  • Document collaborative resilience measures
  • Share sectoral best practices

In construction, this requires systematic HSE certification checks for subcontractors on SEVESO sites.

Critical Infrastructure: A Vital Priority

Critical infrastructures refer to systems whose failure could jeopardize national security or public health. NIS2 enhances their protection through:

1. European Coordination

  • Establishment of EU-CyCLONe for crisis management
  • Deployment of sectoral CSIRT teams

2. Pooled Monitoring

  • Public sector: monitoring health data flows between local authorities and cloud providers
  • Industry: sharing REACH/ICPE alerts

An ENISA 2024 study reveals that 62% of major incidents stem from unassessed third-party failures.

Strategic Roles of Critical Entities

Strategic structures (e.g., energy, healthcare) and their key suppliers form an interdependent ecosystem with reinforced obligations:

  • Shared responsibility: coordinated business continuity plans
  • Regulatory transparency: sharing cyber alerts with national authorities
  • Sectoral standardization: adoption of common certifications (e.g., ISO 27001/27701 for public sector digital providers)

In construction, project owners must verify the Pro HSE certification of subcontractors on SEVESO sites.

Preparing for the Future: Emerging Challenges

The NIS2 Directive is expected to evolve with:

  1. Scope expansion: gradual inclusion of strategic SMEs
  2. EU-wide harmonization: centralized incident registry
  3. Disruptive tech risks: assessment of generative AI risks in marketplaces

ENISA forecasts a 40% increase in collaborative audits by 2026 (Prospective Study 2025). Organizations must:

  • Digitize third-party assessment processes
  • Pool sectoral best practices
  • Anticipate regulatory convergence (e.g., NIS2 + CSDDD)

Building Future-Proof Third-Party Governance with Aprovall360

The NIS2 Directive fundamentally transforms the management of critical third-party suppliers, mandating dynamic mapping and collaborative oversight for key sectors. Key takeaways include:

  • Differentiated obligations based on entity criticality (essential/important)
  • Sector-specific approaches (construction, public, industry)
  • Significant penalties up to 2% of global revenue

Organizations must now rely on proactive governance tools, combining:

  • Ongoing certification assessments (ICPE, PCI DSS, Pro HSE Level 3)
  • Collaborative action plans with suppliers
  • Pooled sectoral benchmarking

Aprovall360 supports this transition through its integrated platform, enabling:

  • Simplified inventory of critical suppliers
  • Automated key indicator monitoring
  • Easier multi-regulatory compliance

Faced with NIS2’s growing demands, organizations must adopt a structured and collaborative approach to ensure the operational resilience of their third-party ecosystems—while staying ahead of the 2027 regulatory curve.

Evaluate your third parties’ NIS2 maturity with a personalized sectoral assessment.
