NIS2 supply chain – why securing your own IT environment is no longer enough

November 20, 2025, Jesper Thornberg

NIS2 and the new Swedish Cybersecurity Act mean that your supply chain becomes just as important as your own IT environment – maybe even more important.

The NIS2 Directive and the upcoming Swedish Cybersecurity Act mean that organisations can no longer be satisfied with “having their own house in order”. The supply chain – all third-party suppliers and subcontractors – becomes an integrated part of your security level: legally, technically and practically. The new Cybersecurity Act implements NIS2 in Swedish law and is proposed to enter into force on 15 January 2026.

In this article, we explain what the NIS2 supply chain means in practice: how NIS2 is connected to the Cybersecurity Act, why the supply chain is a central risk, which concrete requirements are imposed on suppliers and a step-by-step model for third-party risk management under NIS2.

Why the supply chain is a key risk in NIS2

In short: NIS2 views the supply chain as one of the largest sources of cyber risk – a weak link at a supplier can bring your operations down.

In a modern digital organisation, the IT environment is almost always built from:

  • Cloud services (SaaS, PaaS, IaaS)
  • Hosting providers and system integrators
  • Sub-suppliers that process data, logs, payments or customer information

NIS2 (Article 21(2)(d)) requires that your cybersecurity risk-management measures cover supply chain security, including the security-related aspects of your relationships with direct suppliers and service providers. Risk management must therefore cover the entire ecosystem, not just your internal IT.

From internal security to supply chain security

The focus is shifting from “how secure are our own systems?” to “how robust is our total supply chain?”.

Previously, organisations could say: “Our systems are patched, we use MFA and we have good firewalls – we are secure.”
With NIS2 and a modern threat landscape, that is no longer enough. The supply chain can include:

  • Third-party suppliers that manage core systems (ERP, CRM, EHR and other line-of-business systems)
  • Sub-suppliers to your suppliers (e.g. hosting providers, support centres, development partners)
  • Specialised niche suppliers (logging, monitoring, identity and access solutions)

If a critical supplier is hit by ransomware, a data breach or a long-lasting outage, this will affect:

  • Your ability to provide essential services
  • Your incident reporting obligations under the Cybersecurity Act
  • Your legal responsibility and potential risk of sanctions

NIS2 therefore explicitly highlights supply chain security as its own risk area.

Example: an incident at a supplier with NIS2 consequences

An incident at a hosting or SaaS provider can trigger your incident reporting, even if your own systems are working.

Imagine the following scenario:

  • You use a cloud-based hosting provider for a critical business system.
  • The provider is hit by a cyberattack that encrypts their environment.
  • Your service is down for 36 hours. Customer data may not have been leaked, but your service is unavailable.

Consequences from a NIS2 perspective:

  • The availability of an essential service is severely affected.
  • You may have to report the incident under the Cybersecurity Act within the specified time limits (NIS2 Article 23 prescribes an early warning within 24 hours, an incident notification within 72 hours and a final report within one month of becoming aware of a significant incident).
  • The supervisory authority can request information about:
    • Your risk analysis of the supplier
    • Which contractual requirements you have imposed
    • How you have conducted follow-up and audits

If the supplier relationship turns out to be poorly governed, you can be criticised – even if the technical attack took place at the supplier.

NIS2 requirements on suppliers and third-party risk

NIS2 requires you to assess, regulate and follow up your suppliers – from contracts to ongoing control and incident reporting.

The Directive and the upcoming Cybersecurity Act emphasise that NIS2 requirements on suppliers are both technical and organisational. Organisations must have processes for NIS2 third-party risk, including due diligence, contractual requirements, compliance checks and follow-up.

Risk analysis and classification of suppliers

You must know which suppliers are critical and what risks they pose – you cannot treat them all the same.

Key elements:

  • Inventory all suppliers that are connected to your network and information systems.
  • Classify suppliers based on:
    • Criticality for your service (“critical suppliers”)
    • Type of information they process (e.g. sensitive personal data, logs, business-critical data)
    • Technical dependency (“single point of failure”)
  • Perform risk analysis per category:
    • Threats and vulnerabilities (e.g. SaaS with weak authentication, poor logging)
    • Legal risks (e.g. third-country transfers, insufficient data protection agreements)
    • Operational risks (e.g. low maturity, lack of resources, extensive incident history)

The result should be a clear risk picture for the supply chain, where critical suppliers are subject to stricter requirements and more extensive follow-up.

Contracts, security appendices and due diligence

Contracts must contain clear security requirements, and you need to be able to show that you have carried out reasonable due diligence – both before and after signing.

NIS2 and modern third-party risk management mean that you should have:

Contractual requirements concerning:

  • Information security and technical controls
  • Access control and identity management
  • Logging, monitoring and incident management
  • Requirements on sub-suppliers (flow-down clauses)

Security appendices where you specify:

  • Minimum security levels (e.g. encryption, MFA, backup, patch management routines)
  • Requirements for incident reporting to you (time limits, contact channels, content)
  • Right to audit or third-party assessments

Due diligence processes:

  • Before signing – assess the supplier’s security maturity (policies, certificates, audits, track record).
  • During the contract period – follow up that security requirements are in fact complied with (reports, audits, tests).

This is the core of third-party risk management under NIS2: third-party risk cannot be handled without structured contractual requirements and follow-up.

Consequences of an incident at a NIS2 supplier

A weakness at a supplier can lead to outages, regulatory measures and reputational damage – even if the fault is not in your own IT environment.

Possible consequences:

Operational consequences

  • Interruptions in essential or important services.
  • Delays, production stops, data unavailability.

Legal consequences

  • The supervisory authority may initiate an investigation into compliance with the Cybersecurity Act.
  • If the supply chain is poorly governed, sanctions can become relevant (administrative fines under the NIS2 framework; NIS2 Article 34 sets maximum fines of EUR 10 million or 2 % of worldwide annual turnover for essential entities and EUR 7 million or 1.4 % for important entities, whichever is higher).

Reputational risk

  • Loss of trust among customers, users and the general public.
  • Negative media coverage, especially when there is an impact on society.

In investigations after a major incident, authorities will often not only look at what happened, but also at how you have worked with risk management, contracts, due diligence and follow-up of suppliers. That is where your structure for NIS2 third-party risk becomes crucial.

FAQ on NIS2, the supply chain and third-party risk

How are NIS2 and the Cybersecurity Act connected when it comes to suppliers?
NIS2 sets the EU-level requirements and the Cybersecurity Act makes them binding in Sweden – also for the supply chain.
NIS2 defines a number of minimum requirements, including on supply chain security and the management of third-party risks. The Swedish Cybersecurity Act implements these requirements in national law, with supervision, sanction mechanisms and detailed rules on security measures and incident reporting.
Do all suppliers need to be subject to the same NIS2 requirements?
No – the requirements must be risk-based and proportionate.
NIS2 is built on risk management, which means you should focus primarily on critical suppliers. Small, non-critical suppliers can be subject to lighter controls, while suppliers that are business- or mission-critical require deeper risk analysis, clearer contractual requirements and more extensive follow-up.
How detailed do our supplier contracts need to be?
Detailed enough for you to be able to demonstrate compliance with NIS2 – especially for critical suppliers. For critical and important suppliers, contracts should include:

1. Clear descriptions of security level and technical/organisational controls.
2. Regulation of incident reporting, time limits and information sharing.
3. A right for you to access audits or third-party reports.

For less critical suppliers the requirements can be more high-level, but it should still be clear that they are expected to comply with relevant security requirements.
What counts as a NIS2-relevant incident at a supplier?
An incident at a supplier becomes NIS2-relevant if it seriously affects your ability to provide essential or important services.

Examples of NIS2-relevant incidents:

1. Long-lasting outage in a critical system delivered by a SaaS provider.
2. Cyberattack at a supplier leading to extensive unavailability or loss of integrity.
3. Incidents that require long-term manual fallback procedures and affect many users.

Your organisation must assess whether the incident reaches the threshold for reporting under the Cybersecurity Act, and that assessment must cover incidents that originate at your suppliers.
How often should we follow up and audit our suppliers?
In short: At least annually for critical suppliers – and more often if the risk picture changes or serious incidents occur.

A common structure is:

1. Annual review of all critical and important suppliers.
2. In-depth audit every two or three years (or when major changes occur).
3. Ad hoc follow-up after major incidents, changes in ownership, platform changes or other significant changes in the service.

The exact intervals are less important than having a documented, risk-based plan for follow-up.
