Cybersecurity in the supply chain: regulations for companies in the EU and Germany
The legal regulations on cyber security in the digital supply chain set high requirements for the protection of data and information systems. This article provides you with an overview of the current status with regard to GDPR, NIS2, DORA and CRA.
Legislation with an impact on the supply chain
GDPR, NIS2, DORA etc. require companies to implement and continuously monitor comprehensive security measures. The regulations aim to strengthen digital resilience, ensure data protection and minimize risks in the supply chain.
GDPR - General Data Protection Regulation (DSGVO)
Legal regulation: The GDPR is a regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It is binding in all its parts and applies directly in all member states.
Objective: Protecting the personal data of EU citizens from improper use and processing.
Affected entities: Companies based in the EU, if they process personal data, regardless of where the actual data processing takes place. Organizations based outside the EU, e.g. if they offer products or services to individuals in the EU or monitor their behavior.
Requirements: The regulation obliges companies that process data to take appropriate technical and organizational measures to ensure data security. This also includes the management of third parties in the supply chain. With regard to Article 28 GDPR, it makes sense to check commissioned processors in the supply chain for proper protection of personal data and compliance with data protection laws, not least in order to be able to provide evidence in the event of an incident. Good to know: Controllers who can demonstrate that they have satisfied themselves that a processor works in compliance with the GDPR can often avoid liability in the event of a breach by the processor.
Validity: Since May 25, 2018
NIS 2 - EU Directive on the security of network and information systems
Legal regulation: NIS 2 is a directive on cyber security in the EU. The member states must transpose the measures required to comply with the directive into national law within a certain period of time.
Objective: NIS 2 aims to harmonize and improve the level of security in the EU member states.
Affected entities: Public and private organizations that provide their services in the EU. A distinction is made between two categories, which give rise to different obligations.
1) Particularly important entities - §28 (1): Large companies in the following sectors: energy, transportation, finance, healthcare, water/wastewater, digital infrastructure, space; plus special cases regardless of their size.
Large companies: 250 employees or more, or an annual turnover of over EUR 50 million and a balance sheet total of over EUR 43 million.
Special cases (regardless of company size): qTSPs (qualified trust service providers), TLD (top-level domain) registries, DNS service providers, telecommunications providers (including medium-sized companies), operators of critical systems, and central government (ministries and the Federal Chancellery).
2) Important entities - §28 (2): Large and medium-sized companies in numerous sectors.
Medium-sized companies (from 50 employees, or an annual turnover and balance sheet total of more than EUR 10 million) in the sectors: energy, transportation/transport, finance, health, water/wastewater, digital infrastructure, space.
Large and medium-sized companies in the sectors: post/courier, municipal waste disposal, chemicals, food, manufacturing, digital services, research.
Regardless of company size: trust services.
Requirements: Entities that fall under the NIS 2 Directive are obliged, among other things, to take measures to secure their supply chain. Conversely, this also means protecting themselves against threats that could originate from other parts of the supply chain. Affected companies are required to take a close look at their business partner and supplier relationships and review them against IT security requirements.
Validity: In force since January 16, 2023 and now to be transposed into national law by the member states. In Germany the law exists as the draft bill NIS2UmsuCG (June 2024) and must pass through the federal legislative process by October 2024. The information in this article is as of July 2024 and is subject to change. It is expected that the requirements will apply in Germany from spring 2025.
DORA - Digital Operational Resilience Act
Legal regulation: DORA is a regulation on digital operational resilience in the financial sector. It is binding in all its parts and applies directly in all member states.
Objective: DORA creates a uniform framework for comprehensive cybersecurity and ICT risk management in the EU financial sector. The aim of the regulation is to improve the digital resilience and security of financial institutions operating in the EU. This includes strengthening the information and communication technology (ICT) of financial companies as well as third-party risk management.
Affected entities: DORA applies to all financial institutions operating in the EU, including banks, payment service providers, investment firms, insurance companies, trading venues and providers of data transmission services. The regulation also covers companies that provide services to the financial industry, such as software providers, managed IT service providers, hardware-as-a-service providers, cloud computing service providers and data centers.
Requirements: With regard to the management of ICT third-party risk, financial institutions are required, among other things, to carry out a risk analysis and due diligence on the respective ICT third-party service provider before concluding the contract. During the course of the business relationship, IT and GDPR compliance and the effectiveness of the security measures must be tested continuously. The management of ICT third-party risk is regulated in chapter 5 of DORA.
Validity: DORA has been in force since January 2023 with an implementation period of two years. This means that the requirements must be met from January 2025.
CRA - Cyber Resilience Act
Legal regulation: The Cyber Resilience Act (CRA) is a draft regulation. It will apply automatically and uniformly in all EU countries when it comes into force.
Objective: The Cyber Resilience Act is a new EU regulation that obliges manufacturers and retailers to protect digital products from unauthorized access and manipulation throughout their entire life cycle. The primary aim is to strengthen cyber security in the EU by creating a standardized legal framework for these products.
Affected entities: All manufacturers, importers and distributors of hardware and software products (devices, solutions and components) from the consumer or industrial sector who are active in the EU.
Requirements: Under the new regulation, manufacturers and distributors must carry out regular risk assessments and keep detailed records of the security features and functions of their products and services. It is expected that around 90 percent of products available on the European market will fall into the standard category.
Validity: The regulation has not yet entered into force; the final decision by the EU Parliament is expected by June 2024, followed by a transitional period of up to two years.
Business partner risk management - made simple
LocateRisk uses automated IT risk analyses and digital questionnaires to help you fulfill your due diligence obligations in the supply chain. This provides the necessary transparency and speeds up your security process.
Review of the current IT risk of suppliers and service providers in the shortest possible time
Monitoring at selectable intervals: annually, quarterly, monthly
Notifications in the event of changes to a supplier's risk
Role-based access control and individual user accounts
Functions for obtaining scanning permission that speed up communication
Dashboard, filters and sorting functions for easy management
Digital questionnaires for upload: multilingual, with automated notifications and much more
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you reduce your cyber risks.