With the advent of the Cybersecurity Act, supply chain security is explicitly becoming part of the statutory duty of care. The National Inspectorate for Digital Infrastructure (RDI), designated as the future supervisor, leaves no doubt about this: organizations must demonstrably gain control over their digital chain.
Cybersecurity does not stop at your own IT environment. Anyone who depends on suppliers, service providers and technology partners also depends on their level of security. The RDI names precisely that point, and it forms a core component of future supervision.
What does the RDI explicitly say about supply chain security?
The RDI makes it clear that organizations that fall under the Cybersecurity Act remain responsible for risks that enter through their chain. In concrete terms, this means that organizations:
- must have insight into their suppliers and service providers
- must identify and assess risks in the chain
- must take appropriate measures to manage those risks
- must be able to demonstrate all of this to the supervisor
The message is clear: no insight means no control, and no control means not complying with the duty of care.
Supply chain security is an administrative responsibility
An important point that the RDI emphasizes is that supply chain security is not a purely IT issue. The responsibility lies explicitly with the board and management. They must make choices about which risks are acceptable, determine which suppliers are critical to the organization and ensure that responsibilities are clearly assigned. After all, the supply chain directly affects the continuity of the organization, the social impact of disruptions and compliance with laws and regulations. This makes supply chain security an integral part of governance and enterprise-wide risk management.
From paper policy to demonstrable implementation
The RDI makes it clear that policy alone is not enough. Organizations must be able to demonstrate in practice how they manage their chain. This means having insight into which suppliers are involved, what role they play in critical processes, what risks are associated with this and how these risks are actively monitored. A one-off inventory is not sufficient. Threats, vulnerabilities and dependencies are constantly changing, and the RDI’s supervision moves with this dynamic.
RiskStudio ties in directly with this. The platform helps organizations to map, organize and continuously monitor suppliers for digital risks in a structured way. This does not happen via questionnaires or snapshots, but on the basis of objective and up-to-date cyber information.
Monitoring becomes indispensable under supervision
The RDI explicitly states that organizations must not only assess their supply chain, but also continue to monitor it. New vulnerabilities at suppliers, major cyber incidents in the chain and changes in digital exposure can quickly increase the risks. Without continuous monitoring, it is impossible to adjust in time and to demonstrate to the supervisor that the duty of care is being taken seriously.
This is exactly where RiskStudio provides support. With 24/7 monitoring, incident detection and up-to-date cyber ratings, organizations continuously gain insight into the risks in their chain, including the option of benchmarking suppliers against each other.
Suppliers will also notice this
The RDI makes it clear that the obligations do not stop with the primary organization. Suppliers will also notice the consequences of the Cybersecurity Act. They will be asked more often about their digital resilience, must take into account stricter requirements from customers and are expected to be more transparent about incidents. Structural monitoring is therefore increasingly becoming part of the collaboration. Cyber resilience is thus developing into a hard prerequisite for continuing to do business.
Conclusion: RDI makes supply chain security enforceable
The RDI’s message is clear and guiding: organizations are responsible for their digital chain and must demonstrably have this under control.
Supply chain security is no longer a future ambition, but a concrete part of supervision under the Cybersecurity Act. Organizations that start now with insight, structure and monitoring will not be playing catch-up, but will be ahead of supervision.
Source: https://www.rdi.nl/onderwerpen/cyberveiligheid/cyberbeveiligingswet/toeleveringsketen