Cybersecurity in the supply chain: regulations for companies in the EU and Germany
As of July 2026 · Legal regulations on cybersecurity in the digital supply chain impose strict requirements for the protection of data and information systems. This article provides an overview of the current status regarding the GDPR, NIS2, DORA, and CRA.
The new rights for cybersecurity in the EU: Consistent implementation is essential to protect the integrity and security of the digital infrastructure and to maintain the trust of users and consumers.
Legislation with an impact on the supply chain
GDPR, NIS2, DORA etc. require companies to implement and continuously monitor comprehensive security measures. The regulations aim to strengthen digital resilience, ensure data protection and minimize risks in the supply chain.
GDPR - General Data Protection Regulation - DSGVO - General Data Protection Regulation
Legal regulation The GDPR is a regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It is binding in all its parts and applies directly in all member states.
Destination Protecting the personal data of EU citizens from improper use and processing.
Facilities affected: Companies based in the EU: if they process personal data, regardless of where the actual data processing takes place. Organizations based outside the EU: e.g. if they offer products or services to individuals in the EU or monitor their behavior.
Requirements The regulation obliges data processing companies to take appropriate technical and organizational measures to ensure data security. This also includes the management of third parties in the supply chain. With regard to Article 28 GDPR, it makes sense to check commissioned processors in the supply chain for the proper protection of personal data and compliance with data protection laws. Not least in order to be able to provide proof in the event of an incident. Good to know: Clients who can prove that they are satisfied that a processor works in compliance with the GDPR can often avoid liability in the event of a breach by the processor.
Validity: Since May 25, 2018
NIS 2 - EU Directive on the security of network and information systems
Legal regulation NIS 2 is a directive on cyber security in the EU. The member states must transpose the measures required to comply with the directive into national law within a certain period of time.
Destination NIS 2 aims to harmonize and improve the level of security in the EU Member States.
Facilities affected Public and private organizations that provide their services in the EU. A distinction is made between two categories, which give rise to different obligations.
1) Particularly important facilities - §28 (1) Large companies in the following sectors: energy, transportation, finance, healthcare, water/wastewater, digital infrastructure, space and special cases regardless of their size.
Large companies (250 employees or more or an annual turnover of over EUR 50 million and a balance sheet of over EUR 43 million)
Special cases (regardless of company size): qTSP (qualified trust service provider) TLD (top-level domain) provider DNS provider TC providers (telecommunications providers - including medium-sized companies) Operators of critical systems Central government (ministries and the Federal Chancellery)
2) Important facilities - §28 (2) Large and medium-sized companies in numerous sectors.
Medium-sized companies (from 50 employees or an annual turnover and balance sheet of more than EUR 10 million) in the sectors: Energy, transportation/transport, finance, health, water/wastewater, digital infrastructure, space
Large companies and medium-sized companies in the sectors: Post/courier, municipal waste disposal, chemicals, food, manufacturing, digital services, research
Regardless of company size: trust services
Requirements Facilities that fall under the requirements of the NIS 2 Regulation are obliged, among other things, to take measures to secure their supply chain. Conversely, this also means protecting themselves against threats that could come from other parts of the supply chain. Affected companies are required to take a close look at their business partner and supplier relationships and review them with regard to IT security requirements.
Validity: The NIS 2 Directive has been in effect at the EU level since January 16, 2023. In Germany, it was implemented through the NIS 2 Implementation Act (NIS2UmsuCG), which came into effect on December 6, 2025 came into effect. Since then, the new requirements have applied to approximately 29,500 affected companies; the deadline for registering with the BSI was on March 6, 2026 . Violations may result in fines of up to 10 million euros, or 2 % of global annual revenue.
DORA - Digital Operational Resilience Act
Legal regulation DORA is a regulation on digital operational resilience in the financial sector. It is binding in all its parts and applies directly in all member states.
Destination DORA creates a uniform framework for comprehensive cybersecurity and ICT risk management in the EU financial sector. The aim of the regulation is to improve the digital resilience and security of financial institutions operating in the EU. This includes strengthening the information and communication technology (ICT) of financial companies as well as third-party risk management.
Facilities affected DORA applies to all financial institutions operating in the EU, including banks, payment service providers, investment firms, insurance companies, trading venues and providers of data transmission services. The regulation also covers companies that provide services to the financial industry, such as software providers, managed IT services, hardware-as-a-service providers, cloud computing service providers and data centers.
Requirements With regard to the management of ICT third-party risk, financial institutions are required, among other things, to carry out a risk analysis and due diligence with the respective ICT third-party service provider before concluding the contract. During the course of the business relationship, IT and GDPR compliance and the effectiveness of the security measures must be continuously tested. The management of ICT third-party risk is carried out by DORA in chapter 5 regulated.
Validity: DORA took effect on January 16, 2023, and has been in effect since then January 17, 2025 binding on all affected financial institutions and their third-party ICT service providers in all 27 EU member states.
Legal regulation The Cyber Resilience Act (CRA) is an EU regulation. It applies automatically and uniformly in all EU countries. Target: The Cyber Resilience Act is a new EU regulation that obliges manufacturers and retailers to protect digital products from unauthorized access and manipulation throughout their entire life cycle. The primary aim is to strengthen cyber security in the EU by creating a standardized legal framework for these products.
Facilities affected All manufacturers, importers and distributors of hardware and software products (devices, solutions and components) from the consumer or industrial sector active in the EU.
Requirements: Under the new regulations, manufacturers and distributors must carry out regular risk assessments and keep detailed records of the safety features and functions of their products and services. It is expected that around 90 percent of products available on the European market will fall into the standard category.
Validity: The CRA is on December 10, 2024 took effect. The requirements will be phased in: the reporting requirements for actively exploited vulnerabilities and serious incidents will apply starting on September 11, 2026, the remaining key obligations (including basic cybersecurity requirements prior to placing the product on the market and vulnerability management throughout the entire product lifecycle) as of December 11, 2027.
Business partner risk management - made simple
LocateRisk uses automated IT risk analyses and digital questionnaires to help you fulfill your due diligence obligations in the supply chain. This ensures the necessary transparency and speeds up your security process.
Review of the current IT risk of suppliers and service providers in the shortest possible time
Monitoring at selectable intervals: annually, quarterly, monthly
Notifications in the event of supplier risk changes
Role-based access control and individual user accounts
Functions for obtaining scanning permission speed up communication
Dashboard, filters and sorting functions for easy management
Digital questionnaires for upload: multilingual, automated notifications and much more.
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.