NIS-2 supply chain verification can get complicated

Martin Průcha, 16. 08. 2024


Today’s supply chain is extremely diverse. As digitalization progresses, it becomes ever easier to outsource an activity to another company’s tool, which creates a very complex web of dependencies. The web portal of every large multinational hides a handy “partners” box whose search function turns up hundreds, if not thousands, of partners. The reverse is also true: almost every smaller company displays a glittering list of partners and applications in the footer of its website, without which its operations would stop.

None of this is news; we simply live in a connected world. But it is the context in which to view the new directive, and specifically its supply chain verification requirement. Unlike the other requirements, this one does not apply to all companies, but only to providers of strategically important services, of which there are over 150. Within these providers, it applies to what is called a security-relevant supply (in Czech: bezpečnostně významná dodávka), that is, a supply that serves the provider’s own obligations within a critical part of the defined scope. This somewhat cryptic term covers services that are critical to the functioning of the state and includes the following: public administration, energy (electricity, oil, gas), air and rail transport, and digital infrastructure.

A security-relevant supply is one directed to a part of the system that the providers themselves identify as critical (assets with a critical or high service impact) and/or to a system function that the Authority identifies as non-negotiable.

In other words, a supply in this sense covers providing, developing, manufacturing, assembling, managing, operating or servicing such assets. Interestingly, to return to supply chains, these obligations also extend to subcontractors delivering these critical infrastructure components. However, only those subcontractors or potential subcontractors that have an impact on the final product will be reviewed. It is easy to imagine how tangled the complex IT supply chain becomes at this point. Operators, for example, rely on a wide range of subcontractors, from cloud services to data analytics tools. In such a scenario, the company will need to be able to define exactly what falls within a security-relevant supply, or, in the words of the NCIS:

Within those providers [of critically important services], a security-significant supply refers to a supply that is directed to: a part of the system that the providers themselves determine to be critical (assets with a critical or high service impact); and/or to a function of the system that the Authority determines to be non-negotiable.
