Imagine you have 60 minutes to make your organization compliant with the NIS2 supply chain requirements. How far could you get?
This experiment is based on the idea of reversing the compliance approach. So, not by first designing the necessary processes based on guidelines and then embedding them in your organization, but by implementing a solution based on the NIS2 objective of “digital resilience” and then checking if you meet all guidelines.
We tried it out with RiskStudio. Cliffhanger: Time is tight, but it shows promise.
Introduction
Recently, much attention has been paid to the European NIS2 directive; for many organizations, the measures concerning the security of their supply chain are a new aspect. In this article, we will not delve into the specific legislation, but rather aim to provide guidance on how you can quickly and practically get started with this.
The directive states that you must take proportionate technical, operational, and organizational measures regarding the security of network and information systems within your own organization, as well as your supply chain. Loosely translated, you are able to start small and then grow towards maturity.
Introducing RiskStudio
RiskStudio is a cyber intelligence platform for visibility, monitoring, and smarter risk decisions across every supply chain. This is made possible by capturing dependencies between companies, departments, and crown jewels, combined with automated collection of cyber intelligence, to check individual organizations for their security, vulnerabilities, and threats.
Starting small with NIS2
Start with your own organization and your 10 most important suppliers
This is a process that takes only a few minutes with RiskStudio once you know the names of these companies. A list of millions of organizations is available, from which you can select the correct one after typing the initial letters.
After selection, RiskStudio will start profiling each company online and then assessing them based on key cyber characteristics, including cloud usage and cyber hygiene. It also checks whether a company has been involved in security incidents or other significant events. As a user, you don’t have to do anything for this, and generally, all data is available within half an hour.
Then grow further
It is important that, as part of your PDCA (Plan Do Check Act) cycle, you can grow in maturity. For this, you can, of course, quantitatively expand the scope from 10 to, for example, 20 suppliers, but RiskStudio also offers possibilities to refine your supply chain per department or per crown jewel, or to deepen it with shadow suppliers, i.e., suppliers behind the suppliers.
Since we only have 60 minutes for this experiment, we will keep this expansion outside the initial scope. The possibility of continuous improvement is, in any case, available and supports the NIS2 directive.
30 minutes later
As indicated, after 30 minutes, all data is ready for use. For NIS2, your organization must be able to operationalize the following:
- Risk assessment
- Incident management
- Continuity monitoring and crisis management
- Determining dependencies and supply chain security
- Security of network and information systems
- Assessing the effectiveness of measures
- Testing basic cyber hygiene practices
- Testing cryptography and encryption
Is all of this possible now? Not entirely; RiskStudio does offer all the functions described above, but for the operationalization of NIS2, these processes must be assigned and documented.
Assigning responsibility and documenting processes
For the experiment, we have 30 minutes left, and we need to keep up the pace now.
Starting small means assigning responsibility to one person, for example, the CISO. We assume that this person is found immediately and agrees, so we can add them as a user to RiskStudio. For the NIS2 documentation, we can then document the process for each article of the directive with the following rule: “This process is carried out using RiskStudio and is assigned to
Conclusion
What this experiment shows is that with just 60 minutes, you can take a concrete and defensible first step towards NIS2 compliance for your supply chain. By not starting with guidelines and policies, but with the goal of digital resilience, speed and focus are achieved.
With RiskStudio, it is possible within a short time to make your organization and key suppliers visible, assess risks, and identify dependencies. This already fulfills a large part of the substantive NIS2 requirements within 30 minutes. The remaining time is sufficient to assign responsibilities and pragmatically document processes.
The core message is that NIS2 is not an all-or-nothing task. The directive explicitly provides room to start small and grow in a controlled manner. With the right tooling and a goal-oriented approach, you can go from zero to demonstrable progress in one hour. This makes NIS2 feasible and manageable.