Explore the essential steps to identify and manage critical suppliers within the NIS 2 framework, ensuring your organization's resilience and compliance.

The concept of critical suppliers within the context of the D.lgs. 138/2026 often leads to common misconceptions. The focus should not be on merely listing suppliers but on understanding the risk structure that supports essential services.
The Agenzia per la Cybersicurezza Nazionale (Acn), particularly through its recent operational determinations and FAQs, emphasizes this perspective.
The key is not to identify ‘who the suppliers are’ but to understand who truly sustains the delivery of essential services and how these dependencies are managed.
The Foundation of Identifying Critical Suppliers
The process of identifying critical suppliers begins with a non-negotiable starting point: essential services.
The sequence is clear: first, identify the essential services, then determine the systems and resources that make them possible. Only then do the dependencies, including those on suppliers, become apparent.
This approach aligns with the GV.OC-04 subcategory of the National Framework for Cybersecurity and data protection, which requires the identification of systems supporting critical services.
Without this step, discussions about critical suppliers remain superficial.
Operationally, the Acn’s requirements mandate that these dependencies be tracked, documented, and kept up to date. This is not a static snapshot but a dynamic representation that evolves with the organization.
Managing Risk Associated with Critical Suppliers
While the Acn’s determinations and the National Framework do not explicitly mandate a dynamic mapping of dependencies, reading between the lines reveals a clear expectation: dependencies must reflect the organization’s current state, be updated over time, and be actionable for decision-making.
The GV.OC-04 subcategory requires the identification of systems and resources supporting essential services. This makes sense only if it accurately reflects the organization’s current configuration. Therefore, any changes in services, architectures, or supporting resources must be reflected in this representation.
This logic extends to the supply chain, where GV.SC-01 places suppliers within the cybersecurity risk management of the supply chain, and GV.SC-04 focuses on managing and monitoring suppliers throughout the supply chain. The emphasis on monitoring underscores the need for an evolving, not static, understanding of these dependencies.
The determination of April 13, 2026, further clarifies that information about relevant suppliers must be accurate, up to date, and reviewed for any changes. While there is no explicit requirement for a ‘dynamic’ representation, the cumulative requirements effectively necessitate that information about services, dependencies, and suppliers remains aligned with operational reality over time.
The Criteria for Critical Supplier Classification
A supplier is deemed critical when their provision falls under the activities or services listed in Annex I, points 8 and 9, of the NIS decree (ICT supply), or when their unavailability directly impairs the delivery of an essential service.
More specifically, as clarified by FAQ FRN.2, a supplier becomes critical when the interruption or compromise of their supply significantly impacts the NIS subject’s ability to deliver activities or services within the NIS decree’s scope, particularly in the absence of available alternative suppliers.
The criticality of suppliers is rooted in risk assessment. It is not an inherent quality but a result of evaluating the impact on services, the likelihood of interruption, and the possibility of substitution. The Acn’s operational requirements for the supply chain-related subcategories (GV.SC-01, 02, 04, 05, and 07) reinforce this approach.
These requirements go beyond formal supplier classification, demanding that the assessment be justified and traceable. Organizations must demonstrate how they evaluate risk and the basis for their decisions. Therefore, merely stating that a supplier is critical is insufficient. The reasoning behind this conclusion, linking impacts, risk scenarios, and substitution capabilities, must be transparent.
In this context, Business Continuity plays a crucial role. It does not identify critical suppliers but measures the organization’s ability to continue operating when a critical supplier is no longer available. This highlights the difference between formal classification and actual operational resilience.
