NIS2 for IT service providers: chain responsibility and supplier management explained

The NIS2 directive affects more than the traditional vital sectors. For IT service providers such as Managed Service Providers (MSPs, companies that deliver IT or other services to customers), cloud vendors, software builders, data centers and hosting companies, NIS2 will become one of the most important cybersecurity laws of the coming years. Why? IT service providers are increasingly the digital backbone of other organizations. If one IT supplier is hit by a cyber attack, it can affect hundreds or even thousands of customers. That is why NIS2 places extra emphasis on chain responsibility and supplier management. In this blog, you can read when you fall under NIS2 as an IT service provider and what chain responsibility and supplier management mean in practice.

This article was last updated on 23.03.2026. Written by Mathijs Oppelaar, Operational Manager & Partner.

Why IT service providers are so important under NIS2

Under NIS2, IT service providers are considered "essential or important entities", depending on their role, risk and size. They get extra attention because:

  • They have direct access to customer systems and data.
  • An incident at the IT supplier can cause major chain damage.
  • Cyber attackers are increasingly focusing on supply chain attacks.

Examples like Kaseya, SolarWinds and MOVEit show how one hack can affect thousands of organizations. NIS2 exists precisely to reduce these types of chain risks and therefore places extra emphasis on supplier management and chain responsibility compared to ISO 27001.

What is often underestimated is that NIS2 explicitly draws information security into the boardroom. Directors and board members can be held personally liable if security and compliance are not in order. Delegating it to 'the IT department' is no longer a legal option. In fact, NIS2 requires directors to have demonstrable knowledge of cyber risks and to follow appropriate training.

What does chain responsibility mean to you?

In short: you are not only responsible for your own security, but also for that of your direct suppliers and the services you provide to customers. For IT service providers, that means three things:

 

1. Know the risks of your IT services

Every service you provide may involve risks. Think of services such as:

  • Remote management of systems → risk of abuse of administrator accounts
  • Hosting or cloud storage → risk of data leaks or downtime
  • Monitoring services → risk of not detecting attacks
  • Identity & access management → risk of unauthorised access
  • Backup & restore services → risk of backups not working or being encrypted

If a service fails or is misused, it affects not one organization but an entire chain.

2. Prove that your services are secure

Trust alone is not enough. You must be able to clearly show what measures you have taken. Documentation is important here: procedures, policies, technical descriptions, patch management, MFA, network segmentation, encryption, monitoring and incident detection. Audits, pen tests and periodic checks are also part of that demonstrability.

 

3. Get ready for critical customer questions

What is today a security questionnaire will soon be a legal obligation. Questions like "What security measures do you take?", "Is MFA mandatory everywhere?" or "What certifications do you have?" become standard. An ISO 27001 certificate or the NIS2 Supply Chain Certificate (formerly the NIS2 Quality Mark) can provide proof here.

Supplier Management Roadmap: What to do?

NIS2 requires IT service providers to assess, monitor and record their suppliers and subcontractors. At a minimum, that means the following five steps:

1. Inventory of suppliers

Make an overview of all suppliers, what services they provide, what access they have, what data they process and how critical they are to your services.

 

2. Risk analysis by supplier

Not every supplier poses the same risk. Determine for each supplier its security level, the impact of a hack or outage, whether it is a single point of failure, and whether it processes personal or critical data. For example, an MSP that relies on a single Remote Monitoring and Management (RMM) tool (software that lets IT teams remotely monitor, manage and maintain computers, servers, networks and other devices without being physically present) must assess how the chain will be affected if that tool is misused, as happened with Kaseya.

3. Contractually define security requirements

Think of MFA, patching, reporting obligations, data retention, encryption, logging and exit agreements. Substantiate the measures with ISO 27001, SOC 2 or other standards.

4. Periodic Audits and Assessment

Demonstrate that suppliers remain compliant, for example through annual self-assessments, audit reports or verification interviews.

5. Documentation, documentation, documentation

Keep track of everything: supplier lists, risk analyses, contracts, evaluations, measures and audit reports. Without proof, there is no compliance within NIS2, because you have to be able to prove everything.
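The five steps above can be captured in a simple supplier register. The script below is an added example, not code from the original article or from the author's own tooling: it scores each supplier on access, data processed and criticality (step 2), flags single points of failure, checks whether the annual reassessment (step 4) is overdue, and keeps the result as a record per supplier (step 5). The weights, tier thresholds, accepted certifications and the sample suppliers are constructed assumptions for illustration, not values prescribed by NIS2.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Illustrative weights (assumption: not prescribed by NIS2; tune to your own risk appetite).
ACCESS_SCORE = {"none": 0, "read": 1, "admin": 3}                      # access to customer/our systems
DATA_SCORE = {"none": 0, "internal": 1, "personal": 2, "critical": 3}  # data the supplier processes
CRITICALITY_SCORE = {"low": 1, "medium": 2, "high": 3}                 # impact on our own service delivery
ACCEPTED_CERTS = {"ISO 27001", "SOC 2", "NIS2 SC"}                     # independent assurance we accept
REVIEW_MAX_AGE = timedelta(days=365)                                   # step 4: reassess at least annually


@dataclass(frozen=True)
class Supplier:
    """One row of the supplier register (step 1)."""
    name: str
    service: str                         # service category delivered, e.g. "rmm", "datacenter"
    access: str                          # key of ACCESS_SCORE
    data: str                            # key of DATA_SCORE
    criticality: str                     # key of CRITICALITY_SCORE
    certifications: FrozenSet[str] = frozenset()
    last_review: Optional[date] = None   # date of the last assessment, None if never assessed


def single_points_of_failure(suppliers: List[Supplier]) -> Dict[str, bool]:
    """A supplier is a single point of failure when it is the only provider
    of a service category that is highly critical to our own delivery."""
    providers_per_service = Counter(s.service for s in suppliers)
    return {
        s.name: providers_per_service[s.service] == 1 and s.criticality == "high"
        for s in suppliers
    }


def risk_score(supplier: Supplier, spof: bool) -> int:
    """Additive score over access, data and criticality, with surcharges for
    being a single point of failure and for lacking independent assurance."""
    score = (ACCESS_SCORE[supplier.access]
             + DATA_SCORE[supplier.data]
             + CRITICALITY_SCORE[supplier.criticality])
    if spof:
        score += 2
    if not (supplier.certifications & ACCEPTED_CERTS):
        score += 1
    return score


def tier(score: int) -> str:
    """Map a score to a review tier (thresholds are an assumption)."""
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def review_due(supplier: Supplier, today: date) -> bool:
    """Step 4: a supplier never assessed, or assessed more than a year ago, is due."""
    return supplier.last_review is None or today - supplier.last_review > REVIEW_MAX_AGE


def assess(suppliers: List[Supplier], today: date) -> Dict[str, dict]:
    """Step 5: produce the record you keep per supplier."""
    spof = single_points_of_failure(suppliers)
    register = {}
    for s in suppliers:
        score = risk_score(s, spof[s.name])
        register[s.name] = {
            "service": s.service,
            "score": score,
            "tier": tier(score),
            "spof": spof[s.name],
            "review_due": review_due(s, today),
        }
    return register


# Constructed sample register; names and values are made up for this example.
SAMPLE_SUPPLIERS = [
    Supplier("RMM Vendor", "rmm", "admin", "critical", "high", frozenset(), date(2024, 1, 15)),
    Supplier("DC North", "datacenter", "none", "personal", "high", frozenset({"ISO 27001"}), date(2025, 6, 1)),
    Supplier("Backup A", "backup", "read", "critical", "high", frozenset({"SOC 2"}), date(2025, 9, 1)),
    Supplier("Backup B", "backup", "read", "critical", "high", frozenset({"ISO 27001"}), None),
    Supplier("Office Supplies Co", "office", "none", "none", "low", frozenset(), date(2025, 3, 1)),
]
TODAY = date(2026, 3, 23)  # fixed so the output is reproducible

if __name__ == "__main__":
    register = assess(SAMPLE_SUPPLIERS, TODAY)
    for name, row in sorted(register.items(), key=lambda kv: -kv[1]["score"]):
        flags = ("SPOF " if row["spof"] else "") + ("REVIEW DUE" if row["review_due"] else "")
        print(f"{name:<20} {row['service']:<11} score={row['score']:>2} tier={row['tier']:<8} {flags}")
```

Run directly, it prints the register sorted by risk. The RMM vendor lands on top because it combines admin access, critical data and a single point of failure with no independent assurance, which is exactly the Kaseya-type scenario described above, while the two backup providers cover each other and therefore do not count as a single point of failure. The same structure can be exported as your documented supplier list, risk analysis and review schedule.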

 

NIS2 case studies

Chain responsibility: An MSP manages systems for 120 customers. If the RMM tool is misused and ransomware is installed, the MSP must be able to demonstrate how access was secured, whether MFA was mandatory, how logging and segmentation were set up, and that there was no negligence.

Supplier management: An IT service provider uses an external data center. Under NIS2, it must assess whether the data center is ISO 27001 certified, require incidents to be reported within 24 hours, document what data is stored there and check annually whether everything is still compliant.

Why this matters to thousands of companies

In the Netherlands, it is estimated that more than 10,000 organizations fall under NIS2. They need to assess their entire supply chain. This means that tens of thousands of suppliers — including many IT service providers — will be checked for cyber security. Without demonstrable security or chain control, you run the risk of disappearing from the chain.

 

Achievable Certifications: ISO 27001 & NIS2 Supply Chain

ISO 27001 is a recognized proof of good cybersecurity, but can be difficult and expensive for smaller IT companies. That is why there is also the NIS2 Supply Chain Certificate (NIS2 SC): a more practical and affordable alternative designed specifically for NIS2 compliance without a full ISO scope.

 

For customers, it is especially important that you can demonstrate that you meet the NIS2 requirements. ISO 27001 or the NIS2 Supply Chain Certificate can prove that. The NIS2 Supply Chain Certificate is often a realistic first step for smaller organizations.

In summary: NIS2 impacts IT service providers

For IT service providers, NIS2 means a structural change. You will be a critical link in the digital chain and must be able to demonstrate that. Chain responsibility and strict supplier management are key.

 

Start today by gaining insight into your risks, putting documentation in order and making measures demonstrable. This way, you remain a reliable link for your customers and prevent problems in the chain. Want to know more? Schedule an informal and free consultation with us below!
