New supply chain requirements: How does NIS2 affect your online services?
Tiia Ohtokallio
The national cybersecurity law, which came into effect in April 2025 and implemented the NIS2 directive, significantly changed how organizations must take care of their data security and supply chains.
The NIS2 law defines obligations for cybersecurity risk management and incident reporting for several different sectors to ensure an adequate level of data security across the EU. Key requirements of the law include the implementation of a risk management model, continuous monitoring, physical security management, personnel training, and the reporting of significant cybersecurity incidents.
Many people think that NIS2 only applies to “major critical infrastructure” operators, such as electricity grids, healthcare, or logistics. In reality, its effects extend much more widely – also to online services and their providers.
If your organization falls within the scope of NIS2, your partners for websites and digital services are also part of fulfilling the obligations.
What does this mean in practice?
1. Supplier evaluation
Organizations must identify which suppliers are used, what they have access to, and what risks this entails. In practice, this means that:
- suppliers’ data security will be evaluated more thoroughly,
- contracts will include additional terms regarding response times, personnel training, and reporting,
- proactive data security management is expected, not just reacting to incidents after they occur.
2. Management of cybersecurity incidents
If a cybersecurity incident occurs in an online service, the reporting is subject to strict deadlines:
- 24h preliminary notification,
- 72h initial report,
- Within 1 month, a thorough analysis of what happened and the actions taken.
This may mean that extended service hours are required from the supplier to ensure that reporting can be done on time.
3. Technical solutions
With NIS2, the need for new technical solutions may arise for online services as well. The directive specifically mentions, for example, multi-factor authentication (MFA) and Single Sign-On (SSO), which in practice become mandatory. DDoS protection, log monitoring, and continuous monitoring are also becoming more frequent topics of discussion.
Other technical solutions include, for example:
- Data encryption
- Event monitoring and detection of anomalies in log data
- Backups and recovery from failures
- Considering data security as part of lifecycle management
- Access control
4. Contracts and responsibilities
NIS2 does not allow for a complete outsourcing of responsibility, but contracts can ensure that different parties in the supply chain operate in a coordinated manner. This means now is a good time to review existing contracts and update them as needed to meet NIS2 requirements.
Why is this important?
NIS2 is not just a data security issue – it’s also a business risk. Supply chain vulnerabilities can affect your reputation, customer experience, and even business continuity.
When your online service partner can demonstrate that data security is under control, response models are clear, and contracts support the requirements, you can focus on your own core business.
NIS2 introduces new requirements for managing online services and supply chains. From the customer’s perspective, this means that:
- suppliers’ data security must be evaluated more thoroughly,
- contracts should include clear terms for response times and responsibilities,
- technical solutions, such as MFA and SSO, are the new normal.
When these matters are in order, the supply chain remains secure and NIS2 obligations are met – without any unpleasant surprises.