Cybersecurity makes supply chains security-critical and puts purchasing at the center of resilience.

With the NIS 2 Directive, responsibility for cybersecurity is noticeably shifting towards industrial purchasing. Production systems are now closely networked, external service providers access them via remote maintenance, and software updates come from third parties. This makes supply chains not only logistically relevant but security-critical. The new requirements of the European Union make visible what has long been a reality in practice: whoever selects suppliers also helps determine the stability of production, product quality and delivery capacity.
Industrial supply chains as a gateway
Heterogeneous security levels among machine manufacturers, system integrators and maintenance services meet highly critical production processes. Attacks via compromised service providers or manipulated updates can paralyze entire production lines. This is why NIS 2 requires a risk-based assessment along the entire supply chain. For purchasing, this means that security relevance becomes a fixed decision criterion alongside price, quality and delivery time.
Procurement as a control body for resilience
Purchasing determines who has access to systems, which technologies are used and how dependencies are structured. NIS 2 makes these decisions relevant from a regulatory point of view. In future, there must be transparency about which partners are production-critical, which services intervene deeply in control processes and where dependencies become dangerous in the event of an incident. Certifications alone are no longer enough; a differentiated, risk-based approach is required.
Contracts as a protective mechanism
Security requirements must be contractually binding. This includes access rights, reporting obligations in the event of incidents and coordinated procedures in the event of a crisis. Responsibility cannot be outsourced. Purchasing ensures that security standards are not merely recommended but effectively agreed, without bureaucracy slowing down operations.
Operational reality and conflicting objectives
Long-term supplier relationships, growing system access and automated updates make it difficult to reassess risks. At the same time, production pressure is high, and security requirements are often perceived as an obstacle to day-to-day operations. NIS 2 turns this perspective around: security becomes a prerequisite for economic stability. Purchasing balances efficiency and resilience and makes risks visible at an early stage.
How a 1-creditor model helps to implement NIS 2 pragmatically
This is where Pedlar's 1-creditor model comes in. Long-tail and unstructured demand in particular results in many external accesses, special processes and new supplier relationships. A central processing channel through a single creditor (one vendor account) reduces operational complexity, creates transparency about accesses and services and facilitates the risk-based evaluation of external partners. In this way, control remains with purchasing, while processes become standardized and auditable. This relieves teams and supports NIS 2 requirements without additional tool overhead.
Collaboration across departmental boundaries
NIS 2 requires integrated decisions from purchasing, IT, production and maintenance. Purchasing does not have to take on the role of an IT expert, but it does have to ask the right questions and translate risks into decisions. Supply chains are thus becoming a strategic competitive factor, and procurement a pillar of industrial resilience.
