My favourites

Chapter IV – Cybersecurity risk-management measures and reporting obligations (Art. 20-25)

Art. 20 NIS2 - Governance arrow_right_alt

Art. 21 NIS2 - Cybersecurity risk-management measures arrow_right_alt

Art. 22 NIS2 - Union level coordinated security risk assessments of critical supply chains arrow_right_alt

  1. The Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical ICT services, ICT systems or ICT products supply chains, taking into account technical and, where relevant, non-technical risk factors.
  2. The Commission, after consulting the Cooperation Group and ENISA, and, where necessary, relevant stakeholders, shall identify the specific critical ICT services, ICT systems or ICT products that may be subject to the coordinated security risk assessment referred to in paragraph 1.
Related
Close tabsclose
  • 90
  • 91

Recital 90

To further address key supply chain risks and assist essential and important entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related risks, the Cooperation Group, in cooperation with the Commission and ENISA, and where appropriate after consulting relevant stakeholders including from the industry, should carry out coordinated security risk assessments of critical supply chains, as carried out for 5G networks following Commission Recommendation (EU) 2019/534 (1), with the aim of identifying, per sector, the critical ICT services, ICT systems or ICT products, relevant threats and vulnerabilities. Such coordinated security risk assessments should identify measures, mitigation plans and best practices to counter critical dependencies, potential single points of failure, threats, vulnerabilities and other risks associated with the supply chain and should explore ways to further encourage their wider adoption by essential and important entities. Potential non-technical risk factors, such as undue influence by a third country on suppliers and service providers, in particular in the case of alternative models of governance, include concealed vulnerabilities or backdoors and potential systemic supply disruptions, in particular in the case of technological lock-in or provider dependency.


(1) Commission Recommendation (EU) 2019/534 of 26 March 2019 – Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).

Recital 91

The coordinated security risk assessments of critical supply chains, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU coordinated risk assessment of the cybersecurity of 5G networks and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated security risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, ICT systems or ICT products; (ii) the relevance of specific critical ICT services, ICT systems or ICT products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, ICT systems or ICT products; (iv) the resilience of the overall supply chain of ICT services, ICT systems or ICT products throughout their lifecycle against disruptive events; and (v) for emerging ICT services, ICT systems or ICT products, their potential future significance for the entities’ activities. Furthermore, particular emphasis should be placed on ICT services, ICT systems or ICT products that are subject to specific requirements stemming from third countries.

Art. 23 NIS2 - Reporting obligations arrow_right_alt

Art. 24 NIS2 - Use of European cybersecurity certification schemes arrow_right_alt

Art. 25 NIS2 - Standardisation arrow_right_alt