SECTION 06

Regulatory Accountability:

The Law Holds You Responsible for Your Suppliers

No Longer Optional: Supplier Security Under the European Regime


The preceding chapters showed ransomware reaching European organisations through their suppliers. The point of this section is that managing that exposure is no longer a matter of good practice. Across a connected set of instruments, European law now treats the security of an organisation's suppliers as that organisation's own responsibility.

Read through the third-party lens alone, the regime regulates risk at three layers:

  1. The entities that run essential services
  2. The financial sector's dependence on ICT providers
  3. The products that move through the supply chain

At the entity layer sits the NIS2 Directive. It applies to essential and important entities across sectors that include energy, transport, health, digital infrastructure, and public administration.

NIS2: Your Article 21 Duty Does Not Stop at the Supplier's Border


NIS2 is a directive, which means it does not apply directly. Each member state has to transpose it into national law (the deadline was 17 October 2024), and that process has run unevenly: several states are still finalizing secondary legislation and the designation of competent authorities, and others remain in a pre-transposition stage.

What is consistent wherever the directive is in force is the duty itself. NIS2 makes supply-chain security one of the Article 21 risk-management measures that every essential and important entity must take, so the obligation to assess and oversee suppliers is part of the harmonized core, not an optional extra. What is not yet consistent is everything that determines how that duty operates in a given country: which entities have been designated, which authority supervises them, and what penalties apply. A supplier's own supply-chain obligations, in other words, can be in force and supervised in one country and exist only on paper in another.

Whatever a supplier's own national position, the buyer's Article 21 duty stands. It requires an in-scope entity to take into account the vulnerabilities specific to each of its direct suppliers and service providers, along with their cybersecurity practices, and to keep doing so for as long as the relationship lasts.

That is a standing requirement for visibility into the supply base, and it is the requirement Black Kite is built to serve.

How Black Kite Helps You Deliver on the Article 21 Obligation

Assess Without Questionnaires

AI-Powered Cyber Risk Assessments give an externally observable, evidence-based reading of a supplier's security posture, drawn from the supplier's own attack surface rather than from a questionnaire it completes or the enforcement regime of the country it sits in.

Stay Current as Exposure Changes

Continuous monitoring keeps that reading current, so a supplier's record reflects its exposure today rather than its condition at onboarding. FocusTags® identify which suppliers in a portfolio are affected when a specific vulnerability or active campaign emerges; these are the vulnerabilities specific to each direct supplier that Article 21(3) names.

Close the Gap With Suppliers

Where a finding needs to be acted on, The Bridge™ supports the engagement with the supplier to confirm and remediate it. Together these give an in-scope entity the ongoing visibility the obligation assumes and a documented basis for showing it has assessed and overseen the suppliers behind it, regardless of where those suppliers are established or whether their national authority is enforcing yet.

CER: When a Supplier Outage Becomes a Continuity Failure


NIS2's companion, the Critical Entities Resilience Directive, approaches the same problem from the other side. Where NIS2 governs the security of network and information systems, CER governs the continuity of the essential services those systems support, on an all-hazards basis that covers natural, accidental and deliberate disruption, physical as well as cyber.

It applies to critical entities across eleven sectors. The sectors and their scope within the CER Directive are:

  Energy: electricity, district heating and cooling, oil, gas, hydrogen
  Transport: air, rail, water, road, public transport
  Banking: credit institutions
  Financial market infrastructure: trading venues, central counterparties
  Health: healthcare providers, EU reference laboratories, medicinal product R&D and manufacturing, manufacturers of critical medical devices
  Drinking water: suppliers and distributors of water intended for human consumption
  Wastewater: collection, disposal and treatment of urban, domestic and industrial wastewater
  Digital infrastructure: internet exchange points, DNS providers, TLD registries, cloud and data centre services, content delivery networks, trust service providers, electronic communications networks and services
  Public administration: central government public administration entities
  Space: operators of ground-based infrastructure supporting space-based services
  Production, processing and distribution of food: large-scale industrial food production and processing, food supply chain storage and logistics, and food wholesale distribution

When a supplier is compromised, NIS2 frames it as a security and data question; CER frames it as a continuity question.

CER puts responsibility for that continuity on the critical entity, so a vendor's ransomware exposure becomes a resilience risk to the service the entity must keep running.

A supplier that is likely to be hit by ransomware is exactly such a risk, and this is where Black Kite's Ransomware Susceptibility Index® (RSI™) applies directly.

How RSI Identifies Your Highest-Risk Dependencies


The Ransomware Susceptibility Index® (RSI™) is a value from 0.0 to 1.0 that estimates how likely an organisation is to suffer a ransomware attack. It combines technical exposure, such as exploitable vulnerabilities, exposed remote access and leaked credentials, with intrinsic factors such as industry, location, size and prior exposure, and it is calibrated against data on thousands of confirmed ransomware victims.

RSI identifies, in advance, which of the dependencies behind an essential service are most likely to fail, so the entity can prioritize those suppliers, press for remediation, and build its continuity arrangements around the dependencies that actually warrant them.

A vendor scoring below 0.2 carries baseline risk. At 0.2–0.4, likelihood is 2.5 times higher than that baseline. At 0.4–0.6, it rises to 11.6 times higher. At 0.6–0.8, it reaches 17.6 times higher. A vendor scoring above 0.8 is 96 times more likely to suffer a ransomware attack than one scoring below 0.2, which makes RSI the clearest signal of which suppliers in your portfolio need immediate attention.

The Operational Pain Behind the Compliance Pressure


Compliance is easier to describe than deliver. For most European organisations, the regulatory obligations are now reasonably clear. The harder question is whether they can meet them with the people, budget and visibility they actually have.

Three frictions stand between knowing the obligation and meeting it.

1. Uneven NIS2 Transposition Across Member States

With member states enacting it at different speeds and in varying detail, an organisation operating across several jurisdictions confronts genuine uncertainty about whether it falls in scope and what each regime demands, leaving little stable ground to plan against.

2. DORA's Continuous Questionnaire Burden

In financial services, DORA has hardened the obligation to assess ICT third parties into a continuous flow of vendor questionnaires that burdens the institutions issuing them and the suppliers fielding them in equal measure.

3. Capacity Gaps in Supplier Oversight

Continuous oversight of the supplier base is now the expectation, yet most teams are asked to deliver it on the headcount and budget of an annual review.

By assessing each supplier's posture from the outside and keeping that view updated, Black Kite closes the capacity gap that a manual annual programme cannot, without adding headcount. The same external view eases the questionnaire burden, since much of what DORA expects an institution to verify can be observed directly rather than requested from every vendor in turn. And because the whole supplier base is monitored on one consistent basis, an organisation stays ready however each jurisdiction's transposition lands.

What Each Regime Requires, and What It Costs to Ignore

NIS2, DORA and CER come at supplier risk from different angles, yet each lands on the same point: an organisation is accountable for the security and continuity of the vendors it depends on. The summary below sets out, for each regime, who enforces it, the provisions that reach third parties, what they mean in practice, and what non-compliance costs.

NIS2
  Regulation: NIS2 Directive (EU) 2022/2555 (transposed into national law by each member state)
  Who enforces it: National competent authorities in each member state (CSIRTs receive incident notifications but do not enforce)
  Third-party monitoring articles: Article 21, especially 21(2)(d) and 21(3), the supply-chain security duty, with Article 20 placing accountability on the management body
  In plain terms: Manage and keep checking the cybersecurity of your direct suppliers, and the board answers for it
  If you do not comply: Essential entities up to €10M or 2% of total worldwide annual turnover, whichever is higher; important entities up to €7M or 1.4%, whichever is higher

DORA
  Regulation: DORA, Regulation (EU) 2022/2554 (directly applicable in every member state, no transposition needed)
  Who enforces it: National financial regulators, coordinated by the European Supervisory Authorities (EBA, ESMA, EIOPA)
  Third-party monitoring articles: Article 28, especially 28(6), ongoing monitoring of ICT providers through the life of the contract, with Article 30(3)(e) requiring the contract to secure the right to monitor on an ongoing basis
  In plain terms: Watch your ICT providers throughout the relationship, not only at onboarding
  If you do not comply: Each national authority sets its own fine, so amounts vary; Germany's BaFin, for instance, can impose up to €5 million, or twice the benefit gained, on a financial entity

CER
  Regulation: CER Directive (EU) 2022/2557 (transposed into national law by each member state)
  Who enforces it: National competent authorities designated by each member state
  Third-party monitoring articles: Articles 12 and 13: a critical entity must assess the risks to its essential service, including its dependence on suppliers, and maintain resilience measures so that a supplier's failure does not interrupt the service
  In plain terms: As a critical entity, assess the risks to your essential service, including reliance on suppliers, and stay able to operate when one fails
  If you do not comply: Penalties set by each member state, required to be effective, proportionate and dissuasive; amounts vary by country

CASE STUDY

Case Study: Collins Aerospace, Ransomware at the Scale of an Essential Service

In September 2025, a ransomware attack on Collins Aerospace's MUSE platform, the shared check-in and boarding system that many airlines use across European airports, forced Heathrow, Brussels, Berlin, Dublin and Cork into manual processing for days.

ENISA confirmed the incident as ransomware, and the Everest group claimed responsibility. Because MUSE is shared infrastructure rather than each airport's own, a single supplier's compromise was enough to disrupt air travel across several countries at once.

The relevant point is the shape of the harm. None of the airports was itself breached, yet all of them lost the service they exist to provide. Under NIS2, those airports are essential entities, and Article 21 holds them accountable for the security of the suppliers they depend on, regardless of where the supplier sits.

Under CER, the same event reads as a continuity failure in a critical sector, the risk the directive places on the critical entity rather than on the supplier. The immediate response, reverting to manual check-in, is the kind of continuity arrangement CER expects to be planned in advance rather than improvised during an incident.

Because MUSE was taken down by ransomware, the incident shows plainly that a supplier's ransomware exposure threatens both the data security and the continuity of the services that depend on it.

A dependency as concentrated as MUSE is exactly the kind a critical entity should be watching, and a forward signal of ransomware likelihood, such as Black Kite's RSI™, is what turns "a vendor was hit" into a risk the entity saw coming and had prepared for.

Next: The regulatory obligation is clear. The harder question is how to meet it.

Demonstrable, ongoing oversight of your supplier base is what the law now requires. See how Black Kite is built to deliver it.
