← Back to all briefings

Policy · Credibility 50/100 · · 2 min read

Policy Briefing — September 6, 2025

With NIS2 fully transposed, essential and important entities must now evidence supplier security integration ahead of autumn regulator reviews across the EU.

Executive briefing: The Network and Information Security Directive (EU) 2022/2555 (NIS2) became applicable to covered sectors on October 18, 2024. By September 2025, national authorities across the European Union are requesting proof that essential and important entities have embedded supply-chain cybersecurity into their risk management programs. Article 21 requires policies addressing vulnerabilities in each supplier relationship, and Article 23 mandates reporting of significant incidents—including those originating from third parties—within 24 hours of awareness. Organizations must demonstrate contractual controls, technical validation, and crisis response capabilities as supervisory inspections begin.

Key compliance checkpoints

  • Third-party risk governance. Maintain an up-to-date inventory of ICT suppliers, critical dependencies, and assigned risk owners, with supporting documentation for diligence, onboarding, and continuous monitoring.
  • Incident workflows. Ensure playbooks cover 24-hour early warnings and 72-hour incident notifications to competent authorities, including joint reporting procedures with key vendors.
  • Testing evidence. Gather penetration test, vulnerability management, and resilience exercise results that include supplier participation or validation of controls protecting shared assets.

Operational priorities

  • Contract uplift. Update master service agreements to require adherence to NIS2 security measures, breach notification timelines, and audit rights.
  • Cross-border coordination. Harmonize reporting obligations across Member States where the organization operates, mapping competent authorities, languages, and submission portals.
  • Board oversight. Prepare board briefings documenting risk management program maturity and remediation plans for any gaps regulators may identify.

Enablement moves

  • Deploy continuous controls monitoring to track supplier compliance with MFA, patching cadence, and segregation requirements.
  • Run joint incident simulations with key vendors to validate escalation chains and evidence readiness for regulator spot checks.

Sources

Zeph Tech maps NIS2 supplier obligations, maintains incident reporting dossiers, and surfaces remediation tasks for EU supervisors.

  • Cybersecurity regulation
  • Third-party risk
  • Incident response
Back to curated briefings