The Regulation of Supply Chain Cybersecurity in the NIS2 Directive in the Context of the Internet of Things


  • Mattis van 't Schip Radboud University


An increasing number of actors design, develop and produce modern ICT products in a collaborative network: a supply chain. From a cybersecurity perspective, each actor brings new vulnerabilities for the entire chain and, in turn, the ICT product created by the chain. This problem should be addressed by supply chain cybersecurity, a type of cybersecurity policy that aims to prevent disruption of a supply chain’s digital assets by internal or external actors. The EU Network and Information Systems (NIS2) Directive, which was adopted in 2023, introduces rules on supply chain cybersecurity for the network and information systems (e.g., Internet of Things devices) of entities in critical sectors (e.g., energy providers, hospitals). This article shows that the NIS2 Directive aligns closely with established risk management guidelines. Thus, the Directive, at first glance, offers a proper response to supply chain cybersecurity problems. However, the supply chain cybersecurity provisions are a missed opportunity: the provisions build on a flawed and limited understanding of the intricacies of supply chain cybersecurity in practice.






Refereed Articles