News item

Consequences for vendors to customers affected by the new Cybersecurity Act

The new Cybersecurity Act (Cbw) imposes a stricter duty of care on organizations in vital industries. To many vendors of these organizations, the impact of the law is unclear. The law does not impose any obligations on them; however, their customers will likely impose additional requirements.

15 July 2025 | 2 minutes read

The NIS2 Directive has been incorporated into the Cybersecurity Act (Cyberbeveiligingswet, Cbw) and sent to the Dutch House of Representatives. The new law imposes a stricter duty of care on approximately 8,000 organizations in so-called vital industries regarding their digital security. 

Much clarity has already been provided about the measures that organizations covered by this law must take. For the thousands of companies that provide hardware and services to these organizations, however, the impact of the law is still unclear, as last year's flash poll by the Digital Trust Center shows.

“The law does not impose any obligations on vendors to these 'Cbw organizations.' Nevertheless, the law does have an impact on vendors, because it is likely that Cbw organizations will impose additional requirements on their vendors to secure the chain,” Jacco van der Kolk of the Digital Trust Center said.

The new law requires that organizations that fall under the scope of the Cbw ("Cbw organizations") ensure that their supply chain is secure (Art. 21, paragraph 3, sub d). Cbw organizations can require their vendors (which vendors is set out in more detail below) to take measures based on a risk-based approach. This new cyber law may therefore have an indirect impact on vendors.

If a direct vendor or service provider poses a risk to the network and information systems of the Cbw organization, the Cbw organization must take measures (or have them taken). Vendors of vendors are therefore outside the scope of this law.

Organizations that fall under the scope of the new law must identify risks in their supply chain to protect the network, information systems, and the physical environment of those systems against incidents. In this risk assessment, the legislator requires an "all-hazards approach": all risks to the network and information systems must be considered. Apart from digital security, the physical security of the location where these systems are located is crucial.

Which vendors may experience an indirect impact? The criteria are not explicitly stated in the law. Still, if one of the following three statements applies to a vendor's relationship with a Cbw organization, this vendor might be included in a risk assessment of the chain:

  • A vendor that provides services or products related to the network and information systems of a customer
  • A vendor of an ICT component of the network or information systems of a customer
  • A provider with access to the network and information systems of a customer

If a vendor has one of the above chain relationships with a Cbw organization, this customer may require that the vendor take mitigating measures to control the existing risks.

If a vendor poses a risk to the network and information systems of a Cbw organization, this vendor may be required to take technical, operational, or organizational measures. Not every measure can be required. The law stipulates that Cbw organizations must take "appropriate and proportionate" measures.

Whether the measures are appropriate and proportionate is something that a supervisory authority can determine when the Cbw organization is audited for its chain security duty of care. Vendors are never subject to supervision and are not accountable to a supervisory authority. However, their customer may request proof that the measures have been taken, so that this can be shown to the supervisory authority upon request.

No quality labels or certificates exist that specifically prove compliance with the Cbw provisions. After all, the measures that need to be taken depend entirely on the company-specific risk analysis. Furthermore, complying with the Cbw's duty of care is not a one-off event, but an ongoing activity and responsibility. This also applies to vendors' efforts to ensure chain security.

Some vendors demonstrate their level of digital resilience through a cybersecurity certificate or quality label. This is voluntary; neither the law nor a Cbw organization can compel a vendor to obtain one.