
NIS2 and Its Impact on Companies Ordering Tech Products
As technology use continues to grow across all industries, cybersecurity is more important than ever. The EU introduced the Network and Information Security Directive 2 (NIS2), officially enacted on 18 October 2024, to improve tech security across member states.
This significant update to cybersecurity legislation builds on its predecessor, the original NIS Directive. It aims to bolster the cybersecurity measures of essential and important entities across critical sectors, ensuring greater resilience against cyber threats.
While the deadline for member states to implement NIS2 through national law has passed, compliance is an ongoing responsibility for affected organisations. For companies acquiring tech products, NIS2 influences various aspects of the procurement process. Understanding the key provisions and taking proactive measures to ensure compliance in this area is essential for mitigating risks and safeguarding operations.
This article explores the core aspects of NIS2, its impact on tech procurement, key considerations for ordering tech products, and how to balance innovation with compliance.
Key provisions of NIS2
NIS2 introduces several essential requirements designed to improve cybersecurity across critical sectors. They include:
Cybersecurity Risk Management
Companies must adopt measures proportionate to the relevant risks. These measures include technical controls (e.g., firewalls, encryption), operational practices (e.g., regular risk assessments, security audits), and organisational measures (e.g., employee training and cybersecurity policy implementation).
Reporting Obligations
Companies must report cybersecurity incidents promptly:
- Initial Notification: Within 24 hours of becoming aware of an incident.
- Detailed Report: Within 72 hours, providing further details on the incident.
- Final Report: Within one month, detailing the response and mitigation measures.
Management Accountability
Senior management must oversee cybersecurity measures and can be held liable for non-compliance. Member states must ensure companies provide adequate training.
Authority Cooperation
NIS2 requires companies to communicate openly with cybersecurity authorities and collaborate across industries to develop proactive solutions to potential threats.
How will NIS2 impact tech procurement?
NIS2 introduces significant changes affecting purchasing strategies and risk assessments for companies acquiring tech products. This includes:
- Stricter supplier requirements
Companies can no longer rely solely on internal cybersecurity practices; the Directive states that suppliers must also adhere to the new security standards. Therefore, organisations must vet suppliers more rigorously and ensure they can demonstrate compliance with recognised cybersecurity frameworks (such as ISO 27001 or NIST standards).
These requirements mean more time and resources allocated to due diligence, and organisations may have to avoid suppliers who cannot provide evidence of compliance. These higher standards could limit companies’ options or lead to higher procurement costs, particularly as third-party suppliers adapt to the new regulations.
- Extended liability
Organisations acquiring new tech are responsible for cybersecurity breaches throughout the supply chain. If a cybersecurity incident occurs due to vulnerabilities in a tech product supplied by a third party, the purchasing party could still be liable.
This added liability reiterates the importance of companies choosing suppliers that prioritise security and maintain complete records demonstrating compliance.
- Amending procurement policies
Companies must revisit their procurement policies to incorporate NIS2’s stricter requirements. This includes reviewing compliance checklists for procurement processes, mandating regular security audits, and ensuring certifications are valid.
Organisations ordering tech will likely need to provide procurement teams with additional training so they understand the new requirements and can readily implement the necessary, updated practices.
- Ongoing compliance checks
Entities purchasing tech must establish processes to verify suppliers’ cybersecurity measures on an ongoing basis, as one-off compliance checks are no longer sufficient. Companies should monitor supplier practices throughout the contract duration to ensure they remain aligned with NIS2 standards.
- Higher costs and resource allocation
Due to detailed supplier vetting and ongoing compliance monitoring, adherence to NIS2 in tech procurement will likely increase costs. Companies may need to allocate additional resources to manage these processes effectively, which could be particularly challenging for smaller organisations with limited budgets and fewer in-house experts.
- Impact on vendor relationships
Many companies have long-term relationships with tech vendors, which they may need to reconsider if those suppliers don’t meet NIS2 standards. Terminating agreements and transitioning to compliant suppliers could temporarily disrupt operations, requiring careful planning and communication to minimise impact. Alternatively, they may need to renegotiate supplier relationships to reflect new cybersecurity regulations, resulting in added delay and costs.
Key considerations for ordering tech products
Companies can take the following steps to mitigate risks and align with NIS2 when procuring tech products:
1. Supplier vetting
Organisations should conduct thorough due diligence, including detailed assessments of potential suppliers’ cybersecurity practices. They should evaluate the provider’s history of security incidents and the strength of their security measures.
To ensure added security, companies should prioritise suppliers holding certifications such as ISO 27001, or demonstrating alignment with NIST standards. These demonstrate that the supplier follows best practices. Assessing the suppliers’ financial stability and reputation is also essential to ensure they are reliable long-term partners.
2. Contractual clauses and agreements
Comprehensive cybersecurity and compliance clauses in supplier contracts are vital. Agreements must specify the supplier’s obligations regarding risk management, incident reporting, and data protection.
They should also include provisions allowing regular security audits and compliance checks so entities can verify suppliers’ adherence to NIS2 over time. Prompt reporting and effective incident management are two significant aspects of NIS2, so contracts should identify clear incident response and notification protocols.
3. Supply chain transparency
With the Directive imposing increased liability on entities, it’s crucial to maintain transparency throughout the supply chain. Suppliers must disclose information about their subcontractors and cybersecurity measures and provide necessary updates throughout the contract’s duration.
Companies are responsible for performing regular risk assessments to highlight potential vulnerabilities in the supply chain so they can address these proactively.
4. Training and awareness
Procurement teams must understand the relevant requirements of NIS2 to carry out the appropriate checks when evaluating a new product. Relevant entities must provide up-to-date staff training on the Directive’s requirements and how to implement the appropriate measures.
Teams must prepare to thoroughly evaluate suppliers’ compliance and be able to identify relevant issues in procurement documents. Raising awareness of NIS2’s stringent rules will also help entities encourage suppliers to adopt compliant practices.
5. Documentation and records
Maintaining comprehensive records of supplier evaluations, compliance checks, and contracts is vital. Entities could be asked to provide evidence of compliance at any time, and maintaining complete documents is crucial for demonstrating due diligence in the event of an audit or cybersecurity incident.
Balancing innovation with compliance
The new Directive poses a challenge for companies wanting to drive innovation and stay ahead of the curve. While organisations may be more limited by NIS2’s stricter requirements, maintaining compliance is just as important as staying competitive. So, how can entities innovate whilst adhering to the new regulations?
- Take a risk-based approach
Companies can categorise suppliers and technologies based on their risk levels. For lower-risk tools, organisations may have greater flexibility to work with startups or adopt emerging tech. For high-risk systems, entities should prioritise using established providers with stricter compliance measures, allowing for strategic innovation while managing compliance risks.
- Early supplier engagement
Involving potential suppliers early in the procurement process can help streamline compliance checks. Collaborating with suppliers during the initial stages of product selection allows companies to ensure security requirements are built in from the outset, reducing the need for costly and time-consuming adjustments later.
- Utilise innovation sandboxes
Creating controlled environments where organisations can test new technologies allows companies to experiment with new solutions without immediately adopting them across critical systems. Sandboxes provide an opportunity to evaluate security and compliance before full-scale implementation, helping to identify risks in advance.
- Invest in compliant tools
Although such tools can be more expensive, companies can focus on working with suppliers that already adhere to cybersecurity best practices. Some tools are designed with security-by-default measures and adopt standardised protocols, helping reduce the tension between innovation and regulation.
- Promote a culture of cybersecurity innovation
It is essential to encourage a company culture where cybersecurity and innovation can coexist. Collaboration between IT security, procurement, and innovation teams can ensure that organisations integrate compliance measures into the innovation process.
- Review regulatory developments
Keeping up to date with NIS2 and other cybersecurity regulations helps companies anticipate compliance requirements and adjust their procurement strategies accordingly. By understanding future regulatory trends, companies can invest in tech and suppliers that will likely remain compliant in the long term.
Conclusion
NIS2 will significantly impact companies ordering tech products, redefining their approach to procurement, supplier relationships, and cybersecurity. The Directive emphasises cybersecurity as a critical element of tech procurement by imposing stricter requirements and extending liability throughout supply chains.
While higher standards and enhanced due diligence may increase costs and limit supplier options, there’s also the opportunity to adopt more secure and resilient technologies. Organisations adapting their procurement processes to align with NIS2 can reduce risks, improve operations, and build stronger supplier relationships.
At the same time, balancing innovation with compliance is essential to staying competitive. By taking a strategic, risk-based approach, companies can embrace emerging tech without compromising their regulatory obligations.
Contact TechLab
Find out how TechLaB can help you reach your goals with our business-oriented, fast, innovative, multilingual yet detail-oriented legal advice.