
Suppliers in focus: NIS2 Directive also applies indirectly

Suppliers and service providers must be NIS2 compliant in order to continue to serve their NIS2-compliant customers.


First things first

NIS2 explained: What you need to know about the new regulation as a service provider

Even if you are not directly affected by the NIS2 Directive, companies subject to NIS2 must request evidence from their suppliers and service providers. This evidence is intended to ensure that your cybersecurity meets the high standards of the NIS2 Directive. You must be able to show that you have implemented appropriate security measures.

There are usually contracts that specify which cybersecurity measures you must adhere to. These contracts can include regular security checks and audits. It is therefore important that you manage risks well and keep your supply chain secure. Supply chain certificates are also important (e.g. Cyber Trust Austria).

2 – Cyber Risk Rating issuing bodies in Austria

15,000 – Austrian companies indirectly affected by NIS2

5 months – the average time a Cyber Risk Rating implementation takes

€6,428.12 – the average implementation cost

Did you know?

The NIS2 directive in Austria sets new standards in cybersecurity and strengthens trust in our infrastructures. By complying with this directive, we not only secure our systems, but also the future of our digital economy.

NIS2 Compliance: Your Options as a Supplier and Service Provider

Find out what you can do as a supplier and service provider to become NIS2 compliant and avoid losing customers or partners.

Cyber Trust Austria / Europe

Cyber Trust Austria is a government-supported organization that helps companies make their IT security measures transparent and verifiable. It is based on the KSÖ scheme and thus fulfills the requirements of the NIS2 law for suppliers – a clear advantage for companies that need to demonstrate their compliance. (Also directly applicable to companies subject to NIS2 regulations)

The assessment is carried out by independent auditors and is based on a standardized questionnaire. The audit process is structured and practical. The result is an official certificate: the "Cyber Trust Austria" seal of approval (in its respective version), which fosters trust and serves as qualified proof in accordance with the NIS2 law.

A particularly positive aspect is that there is also a European version of the model, which is recognized across borders. This means that Cyber Trust Austria / Europe is suitable not only for Austrian organizations, but also for internationally active companies that want to demonstrate their security standards throughout Europe.

Kreditschutzverband (KSV)

The KSV Cyber Risk Rating is offered by the Austrian Credit Protection Association (KSV) and combines financial creditworthiness data with an assessment of IT security. It is primarily aimed at companies that want to document their digital trustworthiness to business partners or customers – for example, in the context of supply chains or tenders. It is very similar to the rating provided by Cyber Trust Austria.

The assessment is based on a standardized questionnaire and publicly available information, equivalent to that of Cyber Trust. This model also uses the KSÖ scheme and is therefore considered qualified proof within the meaning of the NIS2 law.

One aspect that companies should consider when using the KSV Cyber Risk Rating is its limited transparency: The associated supplier database is not publicly accessible, which makes independent verification by third parties difficult. Furthermore, the model has so far only received limited recognition within Europe, which can restrict its use in international contexts.

NIS2 certification: What steps do I need to take?

1. Define goals

Companies should first clarify what the Cyber Risk Rating is needed for: to comply with legal requirements (e.g. NIS2), for tenders, to strengthen customer trust, or as internal proof of maturity.

2. Select a suitable provider

Now the appropriate model should be chosen. Cyber Trust offers the advantage of a publicly accessible supplier database and, thanks to the Europe Label, is also more easily recognized internationally. The KSV CyberRisk Rating, on the other hand, is primarily used nationally and is hardly noticed outside of Austria – it is often associated more with credit checks than with IT security. Both models are based on the KSÖ scheme and are considered qualified proof under the NIS2 law.

3. Seek external advice

Especially during the initial assessment, it can be beneficial to consult an external advisor or IT security expert. They can assist with preparation, selecting appropriate measures, and structured implementation – particularly helpful with complex requirements or limited internal resources. It's important to verify the qualifications of the potential partners.

4. Prepare the self-assessment

Both models begin with a structured questionnaire. Companies should have relevant documents such as security policies, IT documentation, or training certificates readily available to ensure an efficient process.

5. Have the audit carried out

Both Cyber Trust Austria and the KSV CyberRisk Rating use the same audit scheme developed by KSÖ. The audit processes are identical in content and based on a standardized questionnaire that assesses the implementation of technical and organizational security measures. The main difference lies in the presentation and visibility of the results – not in the depth of the audit.

6. Obtain and keep the result up to date

The result is either a seal of approval (Cyber Trust) or a CyberRisk Score with a traffic light rating (KSV). Both are considered qualified proof within the meaning of the NIS2 regulation. Companies should update the rating regularly – especially in the event of technical changes or new regulatory requirements.

NIS2 Directive: What consequences do I face as a service provider & supplier?

Contractual penalties

If you are contractually obligated to meet certain security standards and fail to do so, you may be subject to contractual penalties. These penalties can put a strain on your finances and damage business relationships. In the worst case, they can lead to contract termination.

Loss of customers

Customers who need to comply with security standards may switch to another supplier that has the necessary certifications. This can lead to you losing many customers and suffering financial losses.

Loss of trust

Without security certification as a secure supplier, customers could lose confidence in your competence. This can damage your reputation in the long term. It will also be more difficult to acquire new customers or maintain existing relationships.

TOGETHER FOR NIS2 COMPLIANCE

Tell us about your situation and together we will find tailor-made solutions that suit you. Whether it is an NIS2 certification or a GAP analysis, we are the partner of your choice.

CyberSecurity with Perspective
