The introduction of the Cybersecurity Act (Cbw), the Dutch implementation of NIS2, brings new responsibilities for organizations in the manufacturing industry. Recent results from the NIS2 Quickscan by the Dutch Rijksinspectie Digitale Infrastructuur (RDI) indicate that many organizations still consider themselves insufficiently prepared for several key components of the law. Managing risks in the supply chain, in particular, remains a point of concern.
For many manufacturing companies, this is not surprising. Modern production processes depend on suppliers of software, machinery, components, logistics services, and cloud solutions. A vulnerability at a single supplier can have direct consequences for the continuity of the organization itself.
What does the RDI say about the manufacturing industry?
The RDI analyzed 356 fully completed NIS2 Quickscans from the manufacturing sector. These self-assessments show that organizations rate themselves lowest on three topics:
- Reducing risks in the supply chain.
- Establishing a reporting procedure for significant incidents.
- Training executives in the field of cyber risks and governance.
At the same time, organizations indicate that they score relatively well on:
- Multi-factor authentication and secured communication systems.
- Incident handling and registration of security incidents.
- Reporting cyber threats to relevant stakeholders.
The results align with a broader trend that the RDI also observes in other sectors. Supplier management and executive responsibility are among the greatest challenges in preparing for NIS2 almost everywhere.
Why supplier risks are so important under NIS2
NIS2 explicitly places more responsibility on organizations to also manage risks within their chain. An organization must not only secure its own systems but also have insight into the digital risks of suppliers and service providers.
For manufacturing companies, this can be a challenge:
- Hundreds to thousands of suppliers.
- Limited capacity to manually assess suppliers.
- Lack of up-to-date information regarding cyber incidents at suppliers.
- Difficulty gaining insight into which suppliers are critical to production processes.
Traditionally, supplier management is often conducted via questionnaires and audits. This approach is labor-intensive, snapshots quickly become outdated, and answers are not always objective.
How RiskStudio helps with NIS2 compliance
RiskStudio supports organizations in fulfilling their duty of care regarding suppliers and supply chain risks.
1. Continuous monitoring of suppliers
Many organizations assess their suppliers annually with a questionnaire or audit. The disadvantage of this approach is that a supplier’s situation can change significantly between two assessments. RiskStudio therefore offers continuous monitoring of suppliers. The platform tracks data breaches, ransomware incidents, known vulnerabilities, changes in the digital footprint, and the general cyber resilience of organizations. This ensures companies always have up-to-date information and can respond faster when a supplier’s risk profile changes.
2. Insight into critical dependencies
Not every supplier poses the same risk. NIS2 therefore requires organizations to assess risks based on their impact on business operations. RiskStudio provides insight into which suppliers are linked to critical processes, business units, or other important assets within the organization. By documenting these dependencies, a clear overview is created of which suppliers are essential for the organization’s continuity. This helps to set priorities and direct available time and resources toward the suppliers that pose the greatest risk.
3. Substantiation for governance and management
Under NIS2, executives are given explicit responsibility for cyber risk management. They must not only supervise but also be demonstrably involved in managing cyber risks. The results of the RDI Quickscan show that this specific topic still poses a challenge for many organizations in the manufacturing industry. RiskStudio supports executives and management teams with clear management information that translates technical risks into business impact. This creates better insight into risks, dependencies, and necessary measures, which helps in making well-founded decisions.
4. Early detection of incidents
When a major supplier falls victim to a cyber incident, it can have direct consequences for the organization itself. Therefore, it is essential to detect incidents as early as possible. RiskStudio continuously collects information from public sources, news reports, and other digital signals to detect relevant developments at suppliers. This allows organizations to quickly determine the impact of an incident, take appropriate measures, and comply with notification or reporting obligations where necessary. This way, an organization is not surprised by problems in the chain but is given the opportunity to act proactively.
From compliance to resilience
The RDI results show that many organizations in the manufacturing industry have already taken steps in the area of technical security. However, the greatest challenge is shifting toward governance and supply chain security.
NIS2 is not just about meeting legislative requirements. The goal is to increase the digital resilience of organizations and their ecosystems. Organizations that invest today in insight, monitoring, and risk management within their supply chain are not only building compliance but also a stronger and more resilient organization.
Conclusion
The RDI’s NIS2 Quickscan shows that organizations in the manufacturing industry primarily face challenges regarding supplier risks, incident reporting, and executive responsibility. Managing risks in the supply chain, in particular, requires a structural approach.
With RiskStudio, organizations can continuously monitor suppliers, gain insight into dependencies, track cyber incidents, and provide executives with up-to-date risk information. This makes NIS2 not just a compliance exercise, but a practical step toward a more secure and resilient supply chain.